Date: Fri, 24 Nov 2000 16:51:38 +0100 (MET) From: Roman Drahtmueller draht@suse.de To: suse-security-announce@suse.de Subject: [suse-security-announce] SuSE Security Announcement: openssh/ssh (SuSE-SA:2000:47) ______________________________________________________________________________ SuSE Security Announcement Package: openssh/ssh Announcement-ID: SuSE-SA:2000:47 Date: Friday, November 24th, 2000 16:30 MET Affected SuSE versions: 6.4, 7.0 Vulnerability Type: clientside remote vulnerability Severity (1-10): 6 SuSE default package: yes Other affected systems: systems w/ openssh versions before 2.3.0 Content of this advisory: 1) security vulnerability resolved: openssh problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information openssh is an implementation of the secure shell protocol, available under the BSD license, primarily maintained by the OpenBSD Project. Many vulnerabilities have been found in the openssh package, along with a compilation problem in the openssh and ssh packages in the SuSE-7.0 distribution: An openssh client (the ssh program) can accept X11- or ssh-agent forwarding requests even though these forwarding capabilities have not been requested by the client side after successful authentication. Using these weaknesses, an attacker could gain access to the authentication agent which may hold multiple user-owned authentification identities, or to the X-server on the client side as if requested by the user. These problems have been found/reported by Markus Friedl and Jacob Langseth. A problem in the configure script in both the openssh and ssh package on the SuSE-7.0 distribution caused the sshd programs to not be linked against the tcp-wrapper library. By consequence, access rules for the sshd server-side service as configured in /etc/hosts.allow and /etc/hosts.deny were ignored. This has been reported to us by Lutz Pressle. We thank these individuals for their contribution. Sebastian Krahmer found a small tmp file handling problem in the perl script `make-ssh-known-hosts. A (local) attacker could trick the perl program to follow symbolic links and thereby overwriting files with the privileges of the user calling make-ssh-known-hosts. The solution for the first three problems (agent+X11-forwarding, missing libwrap support) is an upgrade to a newer package. The tmp file problem can be easily solved by hand. Please see the special install instructions below. Note: Upon public request, we also provide update packages for the SuSE-6.3 Intel distribution, even though the openssh packages was not included in this distribution. special install instructions: ===================================== To find out which package (ssh or openssh) you use, please use the command `rpm -qf /usr/bin/ssh. __ case openssh: Please follow the instructions below to download and install the update package. Afterwards, restart the sshd daemon: `rcsshd restart. __ case ssh: before SuSE-7.0 (excluding 7.0): In the file /usr/bin/make-ssh-known-hosts, please change the line (around line 102) $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$"; to read $private_ssh_known_hosts = "~/ssh_known_hosts$$"; and you are done. SuSE-7.0: Please follow the instructions below to download and install the update package. Afterwards, restart the sshd daemon: `rcsshd restart Please choose the update package(s) for your distribution from the URLs listed below and download the necessary rpm files. Then, install the package using the command `rpm -Uhv file.rpm. rpm packages have an internal md5 checksum that protects against file corruption. You can verify this checksum using the command (independently from the md5 signatures below) `rpm --checksig --nogpg file.rpm', The md5 sums under each package are to prove the package authenticity, independently from the md5 checksums in the rpm package format. i386 Intel Platform: SuSE-7.0 ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.3.0p1-0.i386.rpm 3c7b9044ffb64f9f74c904eb2b278eb2 source rpm: ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm aebcda19518208497671e752bbdfaeb8 SuSE-6.4 ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/openssh-2.3.0p1-0.i386.rpm 04c17b0eba99c798ae401fb9aafbc7e4 source rpm: ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm 2003ab41cfa32ef39b11b4977ef4cd1f SuSE-6.3 ftp://ftp.suse.de/pub/suse/i386/update/6.3/sec1/openssh-2.3.0p1-0.i386.rpm 04c17b0eba99c798ae401fb9aafbc7e4 source rpm: ftp://ftp.suse.de/pub/suse/i386/update/6.3/zq1/openssh-2.3.0p1-0.src.rpm 2003ab41cfa32ef39b11b4977ef4cd1f Sparc Platform: SuSE-7.0 ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.3.0p1-0.sparc.rpm 898aaaacee88777429496f1a5658076f source rpm: ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm 97868b04de04a0baafcee69ebbbe6079 AXP Alpha Platform: SuSE-7.0 ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.3.0p1-0.alpha.rpm dd12c60b2744455780c976b115b26f27 source rpm: ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm 6df5af1a88fda4d8fc1a493e4d10bc01 SuSE-6.4 ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/openssh-2.3.0p1-0.alpha.rpm 99de4bb6f183be1b69a610744f4566bc source rpm: ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm aa56e311205ba58478c815760452367e PPC Power PC Platform: SuSE-7.0 ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.3.0p1-0.ppc.rpm 72f7c339991e54a476585012423dda62 source rpm: ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/openssh-2.3.0p1-0.src.rpm 749ccc55396944ad43c1977e55903958 SuSE-6.4 ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/openssh-2.3.0p1-0.ppc.rpm 59727fa055e5d835bc4e455302b1ef49 source rpm: ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/openssh-2.3.0p1-0.src.rpm 7e42dbad4e50a2ad9156e94cf2a93955 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: Clarification: In my message (Subject: "SuSE: miscellaneous"), dated Wed, 15 Nov 2000, concerning the paragraph about runtime linking problems in gs (GhostScript) , I have stated that the problem will be fixed in future versions of the SuSE distribution. This does not touch the fact that we will of course provide fixes for the older distributions. - pine The packages (version 4.30) are on our ftp server and can be downloaded. The SuSE security announcement is pending. - netscape Michal Zalewski has reported a buffer overflow in Netscape's html parser code. A specially crafted html document may cause the browser to execute arbitrary code as the user calling the netscape program. The packages are available for download on ftp.suse.com. A security announcement is on the way to address the issue. - gs (ghostscript) Two vulnerabilities have been found in the ghostscript package as shipped with SuSE distributions: Insecure temporary file handling and a linker problem that could make gs runtime-link against ./libc.so.6. We're currently working on update packages. In the meanwhile, it is advised to not run gs or applications that call gs from within a world- writeable directory. - jed The text editor jed saves files in /tmp upon emergency termination in an insecure way. This problem was fixed with the release of SuSE-6.3 after a SuSE-internal code audit by Thomas Biege thomas@suse.de. The information about the existence of this bug was not communicated to the public because the editor was not very widely used at that time. We will provide update packages for the SuSE releases 6.0, 6.1 and 6.2 shortly. ______________________________________________________________________________ 3) standard appendix: SuSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to mailto:suse-security-subscribe@suse.com suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to suse-security-announce-subscribe@suse.com. For general information or the frequently asked questions (faq) send mail to: suse-security-info@suse.com or suse-security-faq@suse.com respectively. =============================================== SuSE's security contact is security@suse.com. ===============================================