Bugtraq mailing list archives
Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7)
From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Tue, 16 Nov 1999 13:54:24 -0500
On Tue, Nov 16, 1999 at 11:30:16AM +0100, Oystein Viggen wrote:
Blue Boar wrote:<SNIP> Debian is immune for the (somewhat messy) reasons that they do not link ssh to rsaref, last time that I checked. <SNIP>Does the fact that the international version of ssh from replay.com uses "internal rsaref" instead of the "external rsaref" in the US version make it immune to this attack too? The version is at least not as far as I can see externally linked to any rsaref library:
As far as I can tell from the spec file, the -5i version is never configured with --with-rsaref, and the guilty code in rsaglue.c is never reached. Dan /--------------------------------\ /--------------------------------\ | Daniel Jacobowitz |__| SCS Class of 2002 | | Debian GNU/Linux Developer __ Carnegie Mellon University | | dan () debian org | | dmj+ () andrew cmu edu | \--------------------------------/ \--------------------------------/
Current thread:
- ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Blue Boar (Nov 13)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Theo de Raadt (Nov 13)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Szilveszter Adam (Nov 14)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Brian Fundakowski Feldman (Nov 14)
- BIND 8.2.2-P5 release announcement Roger Fajman (Nov 13)
- <Possible follow-ups>
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Oystein Viggen (Nov 16)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Daniel Jacobowitz (Nov 16)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Jochen Bauer (Nov 16)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Nick Craig-Wood (Nov 18)
- ProFTPd - mod_sqlpw.c Todd C. Campbell (Nov 19)
- Pandora v4 Beta 2 Software Simple Nomad (Nov 19)
- Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability Ussr Labs (Nov 16)
- Re: Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability Seth R Arnold (Nov 17)
- Re: Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability Marc (Nov 17)
- SuSE Security Announcement - syslogd (a1) Thomas Biege (Nov 18)
- local users can panic linux kernel (was: SuSE syslogd advisory) Mixter (Nov 18)
- Re: local users can panic linux kernel (was: SuSE syslogd advisory) Alan Cox (Nov 19)
- Re: ssh-1.2.27 remote buffer overflow - exploitable (VD#7) Theo de Raadt (Nov 13)