[21814] in bugtraq
RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
daemon@ATHENA.MIT.EDU (Sports)
Tue Jul 24 14:47:48 2001
Reply-To: <madboo@gwu.edu>
From: "Sports" <madboo@gwu.edu>
To: "'Thomas Roessler'" <roessler@does-not-exist.org>,
"'Florian Weimer'" <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Cc: <BUGTRAQ@securityfocus.com>, <customer.service@ssh.com>
Date: Mon, 23 Jul 2001 15:17:26 -0400
Message-ID: <001101c113ac$1c4b8ae0$1200a8c0@com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-reply-to: <20010723174212.A2219@sobolev.does-not-exist.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
What about 2.9?
- -----Original Message-----
From: Thomas Roessler [mailto:roessler@does-not-exist.org]
Sent: Monday, July 23, 2001 11:42 AM
To: Florian Weimer
Cc: BUGTRAQ@SECURITYFOCUS.COM; customer.service@ssh.com
Subject: Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
On 2001-07-22 10:03:31 +0200, Florian Weimer wrote:
>A quick glance at the source code suggests that SSH 2.3.0 and
>2.4.0 have the same problem. Is this true?
I suppose we are talking about this section of ssh 2.4.0's
sshunixuser.c:
/* Authentication is accepted if the encrypted passwords are
   identical. */
#ifdef HAVE_HPUX_TCB_AUTH
  return strncmp(encrypted_password, correct_passwd,
                 strlen(correct_passwd)) == 0;
#else /* HAVE_HPUX_TCB_AUTH */
  return strcmp(encrypted_password, correct_passwd) == 0;
#endif /* HAVE_HPUX_TCB_AUTH */
If I read this correctly, it's certainly not a problem unless ssh is
compiled with HAVE_HPUX_TCB_AUTH defined. In that case, it may or
may not be a problem.
- --
Thomas Roessler http://log.does-not-exist.org/
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBO1x4RXuovSIevPCzEQJgrACg7nG4kHVms/VV/fjKZPcT9OV0JRIAn2pG
Aqs6zdkLUaAYXceFoA3ydrLI
=8e4m
-----END PGP SIGNATURE-----
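Added example, not part of the original thread or of the ssh source: the two comparisons quoted from sshunixuser.c side by side, showing how the strlen(correct_passwd)-bounded strncmp() degenerates into a prefix match when the stored field is short or empty. The function names, the strict_match() variant and all sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Comparison from the HAVE_HPUX_TCB_AUTH branch quoted in the thread. */
static int prefix_match(const char *encrypted_password, const char *correct_passwd)
{
    return strncmp(encrypted_password, correct_passwd,
                   strlen(correct_passwd)) == 0;
}

/* Comparison from the #else branch quoted in the thread. */
static int exact_match(const char *encrypted_password, const char *correct_passwd)
{
    return strcmp(encrypted_password, correct_passwd) == 0;
}

/* Hypothetical hardened form (an assumption, not ssh code): refuses an empty
   stored field, requires equal lengths, and compares without early exit. */
static int strict_match(const char *encrypted_password, const char *correct_passwd)
{
    size_t n = strlen(correct_passwd), i;
    unsigned char diff = 0;

    if (n == 0 || strlen(encrypted_password) != n)
        return 0;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(encrypted_password[i] ^ correct_passwd[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed values: {result of hashing the attempt, stored field}. */
    static const char *cases[][2] = {
        {"abXYZ0123456", "abXYZ0123456"}, /* genuine match              */
        {"abXYZ0123456", "ab"},           /* stored field is 2 chars    */
        {"zzQRS9876543", ""},             /* stored field is empty      */
        {"abXYZ0123456", "abXYZ0123457"}, /* same length, last differs  */
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("stored=\"%s\": strncmp=%d strcmp=%d strict=%d\n", cases[i][1],
               prefix_match(cases[i][0], cases[i][1]),
               exact_match(cases[i][0], cases[i][1]),
               strict_match(cases[i][0], cases[i][1]));
    return 0;
}
```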