[ale] OpenSSH root vulnerability

John Mills jmmills at telocity.com
Fri Mar 8 12:42:23 EST 2002


Bob -

Thanks for posting this. I'm having a little trouble with the installation,
however.

Setup: RH 6.2, gcc-2.91.66 ('vanilla' RH-6.2)

Only some mirrors have any source of 'portable' openssh-3.1 - I downloaded
what I found: 'openssh-3.1p1.tar.gz' and unpacked it. 'configure' ran OK,
but 'make' crashed on:
*************************************************************************
 ...
gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
-I. -I. -I/usr/local/ssl/include
-DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H
-c cipher.c
cipher.c: In function `cipher_init':
cipher.c:200: void value not ignored as it ought to be
cipher.c:206: warning: implicit declaration of function
`EVP_CIPHER_CTX_set_key_length'
cipher.c:210: void value not ignored as it ought to be
cipher.c: In function `cipher_crypt':
cipher.c:220: void value not ignored as it ought to be
cipher.c: In function `cipher_cleanup':

 [... lots more blood over 'cipher.c' ...]

cipher.c:497: structure has no member named `flags'
cipher.c:497: `EVP_CIPH_CBC_MODE' undeclared (first use in this function)
cipher.c:497: `EVP_CIPH_VARIABLE_LENGTH' undeclared (first use in this
function)
cipher.c:498: `EVP_CIPH_ALWAYS_CALL_INIT' undeclared (first use in this
function)
make: *** [cipher.o] Error 1
*************************************************************************

Crashed in the same place when I build in a separate directory or in the
sources, with or without '--with-pam'.

Any suggestions?

Thanks.

 - John Mills


On Thu, 7 Mar 2002, Transam wrote:

> Recent versions of OpenSSH -- including the newest -- have a just-reported
> vulnerability that allows local users to make themselves root.  If one uses
> OpenSSH to connect into a malevolent or compromised SSH server then root
> access to the client system can be gained as well.  The possibility of
> a remote root vulnerability on any OpenSSH server system has not been
> ruled out.

> This problem has been patched in OpenSSH 3.1, which has been released
> today (March 7, 2002).  It appears that neither Red Hat nor Slackware
> have yet integrated this patch into their trees.


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.





