Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

From: Thomas Roessler (roessler@does-not-exist.org)
Date: Mon Jul 23 2001 - 08:42:12 PDT

    On 2001-07-22 10:03:31 +0200, Florian Weimer wrote:
    
    >A quick glance at the source code suggests that SSH 2.3.0 and 
    >2.4.0 have the same problem.  Is this true?
    
    I suppose we are talking about this section of ssh 2.4.0's
    sshunixuser.c:
    
         /* Authentication is accepted if the encrypted passwords are identical. */
       #ifdef HAVE_HPUX_TCB_AUTH
         return strncmp(encrypted_password, correct_passwd,
                        strlen(correct_passwd)) == 0;
       #else /* HAVE_HPUX_TCB_AUTH */
         return strcmp(encrypted_password, correct_passwd) == 0;
       #endif /* HAVE_HPUX_TCB_AUTH */
    
    If I read this correctly, it's certainly not a problem unless ssh is 
    compiled with HAVE_HPUX_TCB_AUTH defined.  In that case, it may or 
    may not be a problem.
    
    -- 
    Thomas Roessler                        http://log.does-not-exist.org/
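
Added example, not part of the original message and not code from ssh: the two comparison forms from the quoted fragment, run over constructed strings to show exactly when they disagree. The function names and all sample values are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Shape of the HAVE_HPUX_TCB_AUTH branch: only strlen(stored) bytes are compared. */
int match_prefix(const char *computed, const char *stored)
{
    return strncmp(computed, stored, strlen(stored)) == 0;
}

/* Shape of the #else branch: whole strings, terminator included. */
int match_exact(const char *computed, const char *stored)
{
    return strcmp(computed, stored) == 0;
}

/* Constructed sample values; none of these is real crypt() output. */
struct sample { const char *computed; const char *stored; };
const struct sample samples[] = {
    { "abCDEFGHIJKLM", "abCDEFGHIJKLM" },  /* identical */
    { "abCDEFGHIJKLM", "abCDEFGHIJKLX" },  /* same length, last byte differs */
    { "abCDEFGHIJKLM", "abCDEFGH" },       /* stored field is truncated */
    { "abCDEFGHIJKLM", "ab" },             /* stored field is two bytes long */
    { "abCDEFGHIJKLM", "" },               /* stored field is empty */
    { "abCDEFGH", "abCDEFGHIJKLM" },       /* computed value is the shorter one */
};
const size_t n_samples = sizeof samples / sizeof samples[0];

/* Number of samples the prefix form accepts and the exact form rejects. */
int count_divergent(void)
{
    int n = 0;
    for (size_t i = 0; i < n_samples; i++)
        if (match_prefix(samples[i].computed, samples[i].stored) &&
            !match_exact(samples[i].computed, samples[i].stored))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < n_samples; i++)
        printf("computed=\"%s\" stored=\"%s\" prefix=%d exact=%d\n",
               samples[i].computed, samples[i].stored,
               match_prefix(samples[i].computed, samples[i].stored),
               match_exact(samples[i].computed, samples[i].stored));
    printf("divergent: %d\n", count_divergent());
    return 0;
}
```

The two forms differ only when the stored field is shorter than the computed value and is a prefix of it, which includes the empty stored field.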
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 08:58:18 PDT