From owner-doc-jp-work@jp.FreeBSD.org Fri Mar  8 11:08:32 2002
Date: Fri, 08 Mar 2002 11:08:19 +0900 (JST)
Message-Id: <20020308.110818.21359114.y-koga@jp.FreeBSD.org>
To: doc-jp-work@jp.FreeBSD.org
From: Koga Youichirou <y-koga@jp.FreeBSD.org>
In-Reply-To: <20020308.040725.85412228.hrs@eos.ocn.ne.jp>
References: <200203071459.g27ExnB68056@freefall.freebsd.org>
	<20020308.040725.85412228.hrs@eos.ocn.ne.jp>
Subject: [doc-jp-work 285] Re: ANNOUNCE: FreeBSD Security Advisory
 FreeBSD-SA-02:13.openssh

Hiroki Sato <hrs@eos.ocn.ne.jp>:
>  This is 02:13. The translation is rather so-so, so please pick it apart.

> I.   $BGX7J(B - Background
- snip -
> `ssh' is the client application,
> while `sshd' is the server.
> クライアントアプリケーションは `ssh'、サーバは `sshd' と
> 呼ばれています。
> [Draft in English: The client application is called `ssh', and the server is called `sshd'.]

Just render this one straightforwardly:
`ssh' がクライアントアプリケーションで、`sshd' がサーバです。
[In English: `ssh' is the client application, and `sshd' is the server.]

> II.  $BLdBj$N>\:Y(B - Problem Description
> 
> OpenSSH multiplexes `channels' over a single TCP connection in order
> to implement X11, TCP, and agent forwarding.
> OpenSSH $B$O(B X11 $B$d(B TCP, $B%(!<%8%'%s%H$NE>Aw$r<BAu$9$k$?$a!"(B
> $BC10l$N(B TCP $B@\B3$KBP$7$FJ#?t$N!V%A%c%M%k(B (channels)$B!W$rB?=E2=$7$^$9!#(B

over $B$r!V$KBP$7$F!W$K$9$k$N$O$$$^$$$A$+$J!#!V>e$G!W$G$h$5$=$&!#(B

> An off-by-one error in
> the code which manages channels can result in a reference to memory
> beyond that allocated for channels.
> しかし、このチャネルを管理するコードには一つ違い (off-by-one) エラーが
> 含まれており、チャネル用に確保されたメモリではない場所を参照する
> 可能性があります。
> [Draft in English: However, the code that manages these channels contains an off-by-one error, and may reference a location that is not the memory allocated for channels.]

The 「しかし、」 ("However,") is probably unnecessary.

> IV.  $B2sHrJ}K!(B - Workaround
- snip -
> 1) The FreeBSD malloc implementation can be configured to overwrite
>    or `junk' memory that is returned to the malloc arena.
>    FreeBSD $B$N(B malloc $B<BAu$G$O!"(Bmalloc $B%"%j!<%J$KJV$5$l$k%a%b%j$r(B
>    $B>e=q$-!"$b$7$/$O$=$NFbMF$rGK4~$9$k$h$&$K@_Dj$9$k$3$H$,2DG=$G$9!#(B

malloc $B<BAu(B $B"*(B malloc $B$N<BAu(B
----
$B$3$,$h$&$$$A$m$&(B
