Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)

From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Tue, 16 Nov 1999 13:54:24 -0500

On Tue, Nov 16, 1999 at 11:30:16AM +0100, Oystein Viggen wrote:

Blue Boar wrote:


<SNIP>
Debian is immune for the (somewhat messy) reasons that they do not link
ssh to rsaref, last time that I checked.
<SNIP>


Does the fact that the international version of ssh from replay.com uses
"internal rsaref" instead of the "external rsaref" in the US version make
it immune to this attack too?

The version is at least not as far as I can see externally linked to any
rsaref library:


As far as I can tell from the spec file, the -5i version is never
configured with --with-rsaref, and the guilty code in rsaglue.c is
never reached.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan () debian org         |  |       dmj+ () andrew cmu edu      |
\--------------------------------/  \--------------------------------/
Previous By Date Next
Previous By Thread Next

Current thread: