Bug 756370 (CVE-2011-5000) - VUL-1: CVE-2011-5000: openssh: memory exhaustion in gssapi
Summary: VUL-1: CVE-2011-5000: openssh: memory exhaustion in gssapi
Status: RESOLVED DUPLICATE of bug 709782
Alias: CVE-2011-5000
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Deadline: 2012-07-11
Assignee: Petr Cerny
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle10-sp3:48694 maint:...
Keywords:
Depends on:
Blocks:
Reported: 2012-04-10 08:17 UTC by Matthias Weckbecker
Modified: 2019-10-24 14:54 UTC
CC: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Matthias Weckbecker 2012-04-10 08:17:32 UTC
Adam Zabrocki has discovered that it is possible to use any arbitrary value
in the xmalloc() wrapper function, which can be exploited to trigger a memory
exhaustion condition. More detailed information can be found in his advisory
at:

http://site.pi3.com.pl/adv/ssh_1.txt
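To make the integer-overflow mechanism concrete, the following is an added example (not OpenSSH code and not from the advisory) that models the length check in ssh_gssapi_parse_ename() before and after the upstream fix, using explicit uint32_t arithmetic so the wrap-around reproduces on 64-bit hosts as well. The function names parse_len_unguarded/parse_len_guarded and the two sample tokens are constructed for this illustration.

```c
/* Added example (not OpenSSH code): the two length checks from
 * ssh_gssapi_parse_ename() before and after the fix, in explicit
 * uint32_t arithmetic so the wrap-around reproduces on 64-bit hosts too. */
#include <stdint.h>
#include <stdio.h>
/* Big-endian u32 read, as OpenSSH's get_u32() does. */
static uint32_t get_u32_be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
/* Pre-fix: bounds test only. Returns the length that would reach
 * xmalloc(), or -1 if rejected. offset + len is computed modulo 2^32,
 * so a peer-chosen len close to UINT32_MAX slips past the test. */
int64_t parse_len_unguarded(const unsigned char *tok, uint32_t tok_len, uint32_t offset)
{
    uint32_t len = get_u32_be(tok + offset);
    offset += 4;
    if (tok_len < offset + len)      /* wraps when len >= 2^32 - offset */
        return -1;
    return (int64_t)len;
}

/* Post-fix: the guard the patch adds rejects before the sum can wrap. */
int64_t parse_len_guarded(const unsigned char *tok, uint32_t tok_len, uint32_t offset)
{
    uint32_t len = get_u32_be(tok + offset);
    offset += 4;
    if (UINT32_MAX - offset < len)   /* the check added by the fix */
        return -1;
    if (tok_len < offset + len)
        return -1;
    return (int64_t)len;
}

/* Constructed tokens. good_tok: length 5 then five name bytes. bad_tok: a
 * 4-byte header, then length 0xFFFFFFFC; offset 8 + len wraps to 4, so the
 * unguarded test "8 < 4" is false and 4 GB would be requested. */
const unsigned char good_tok[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
const unsigned char bad_tok[]  = { 1, 2, 3, 4, 0xff, 0xff, 0xff, 0xfc };

int main(void)
{
    printf("unguarded/bad: %lld\n", (long long)parse_len_unguarded(bad_tok, sizeof bad_tok, 4));
    printf("guarded/bad:   %lld\n", (long long)parse_len_guarded(bad_tok, sizeof bad_tok, 4));
    printf("guarded/good:  %lld\n", (long long)parse_len_guarded(good_tok, sizeof good_tok, 0));
    return 0;
}
```

The unguarded variant returns 4294967292 for the malformed token, which is the size the real code would have handed to xmalloc(); the guarded variant returns -1 for it and still accepts the well-formed token.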
Comment 1 Matthias Weckbecker 2012-04-10 08:20:01 UTC
revision 1.25
date: 2011/08/05 20:16:46;  author: djm;  state: Exp;  lines: +3 -1
   - markus@cvs.openbsd.org 2011/08/01 19:18:15
     [gss-serv.c]
     prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
     report Adam Zabrock; ok djm@, deraadt@
--- src/usr.bin/ssh/gss-serv.c	2008/05/08 13:02:23	1.22
+++ src/usr.bin/ssh/gss-serv.c	2011/08/01 20:18:15	1.23
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -225,6 +225,8 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t enam
 	name->length = get_u32(tok+offset);
 	offset += 4;
 
+	if (UINT_MAX - offset < name->length)
+		return GSS_S_FAILURE;
 	if (ename->length < offset+name->length)
 		return GSS_S_FAILURE;
Comment 4 Swamp Workflow Management 2012-06-13 14:53:12 UTC
The SWAMPID for this issue is 47840.
This issue was rated as low.
Please submit fixed packages until 2012-07-11.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 Petr Cerny 2012-08-02 13:49:33 UTC
Duplicate of bug 709782

*** This bug has been marked as a duplicate of bug 709782 ***
Comment 6 Marcus Meissner 2012-08-27 08:07:59 UTC
released
Comment 7 Swamp Workflow Management 2012-08-27 09:08:41 UTC
Update released for: openssh, openssh-askpass, openssh-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 8 Swamp Workflow Management 2012-08-27 10:59:01 UTC
Update released for: openssh, openssh-askpass, openssh-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 9 Swamp Workflow Management 2012-08-27 11:08:43 UTC
Update released for: openssh, openssh-askpass
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 10 Swamp Workflow Management 2012-08-27 12:13:29 UTC
Update released for: openssh, openssh-askpass, openssh-debuginfo, openssh-debugsource
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)