From owner-doc-jp-work@jp.FreeBSD.org Fri Mar  8 05:13:22 2002
Date: Thu, 07 Mar 2002 12:12:24 -0800 (PST)
Message-Id: <20020307.121224.81925309.hino@ccrl.sj.nec.com>
To: doc-jp-work@jp.FreeBSD.org
From: Koji Hino <hino@ccrl.sj.nec.com>
In-Reply-To: <20020308.040725.85412228.hrs@eos.ocn.ne.jp>
References: <200203071459.g27ExnB68056@freefall.freebsd.org>
	<20020308.040725.85412228.hrs@eos.ocn.ne.jp>
Organization: C&C Research Laboratories (CCRL), NEC USA, Inc.
X-Mailer: Mew version 2.2rc2 on Emacs 21.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+011218
X-Sequence: doc-jp-work 283
Subject: [doc-jp-work 283] Re: ANNOUNCE: FreeBSD Security Advisory
 FreeBSD-SA-02:13.openssh
Errors-To: owner-doc-jp-work@jp.FreeBSD.org
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hino@ccrl.sj.nec.com

From: Hiroki Sato <hrs@eos.ocn.ne.jp>
Subject: [doc-jp-work 282] Re: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:13.openssh
Date: Fri, 08 Mar 2002 04:07:25 +0900 (JST)

:> $B%H%T%C%/(B:	OpenSSH $B$K4^$^$l$k0-MQ2DG=$J!V0l$D0c$$!W%P%0$NLdBj(B
:> 		(OpenSSH contains exploitable off-by-one bug)

Hmm, come to think of it, I don't think I have ever seen a Japanese translation for "off by one error"...
With 「一つ違い」 ("differs by one"), the nuance is something like "there is one place that is wrong"...
「一つずれ」 ("shifted by one"), 「一ずれ」... these are not quite right either...


:> 1) The FreeBSD malloc implementation can be configured to overwrite
:>    or `junk' memory that is returned to the malloc arena.  Due to the
:>    details of exploiting this bug, configuring malloc to junk memory
:>    will thwart the attack.
:> 
:>    FreeBSD $B$N(B malloc $B<BAu$G$O!"(Bmalloc $B%"%j!<%J$KJV$5$l$k%a%b%j$r(B
:>    $B>e=q$-!"$b$7$/$O$=$NFbMF$rGK4~$9$k$h$&$K@_Dj$9$k$3$H$,2DG=$G$9!#(B
:>    $B:#2s$N%P%0$r0-MQ$9$k>l9g$O$3$NItJ,$rMxMQ$9$k$?$a!"%a%b%jFbMF$r(B
:>    $BGK4~$9$k$h$&$K(B malloc $B$r@_Dj$9$k$3$H$G!"967b$KBP93$9$k$3$H$,$G$-$^$9!#(B
:> 
:>     == $BLuCm(B: malloc $B%"%j!<%J(B (malloc arena) $B$H$O!"(Bbrk(2) $B$d(B sbrk(2) $B$K$h$C$F(B
:>     ==       $B%W%m%;%9$K3d$jEv$F$i$l!"(Bmalloc(3) $B$K$h$C$F;HMQ$5$l$k(B
:>     ==       $B%a%b%j6u4V$N$3$H$G$9!#(B

$B!V(Bmalloc$B$N4IM}NN0h!W!V(Bmalloc$B$,4IM}$9$kNN0h!W!V(Bmalloc$B$N>80.NN0h!W$J$I$N(B
$B$[$&$,LuCm$rF~$l$J$/$F$bD>46E*$KJ,$+$k$h$&$J5$$,$7$^$9!#(B

$B!t(B OpenBSD$B$N(B 'Four years without a remote hole in the default install'
$B!t(B $B$b$@$a$K$J$j$^$7$?$M(B (^^;

$BF|Ln(B
