Hello,

> Does anyone know which versions of the commercial SSH (if any) are
> vulnerable?

The diff between the vulnerable version and the good one is:

- if (id < 0 || id > channels_alloc) {
+ if (id < 0 || id >= channels_alloc) {

The function channel_lookup appeared in channels.c on Tue Mar 28 20:31:25 2000 UTC, 23 months, 1 week ago in this form:

+ if (id < 0 && id > channels_alloc) {
+ log("channel_lookup: %d: bad id", id);

See
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.40&r2=1.41
for the diff.

Then on Sun Jun 25 20:17:57 2000 UTC, 20 months, 1 week ago the above line changed:

- if (id < 0 && id > channels_alloc) {
+ if (id < 0 || id > channels_alloc) {

See
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.62&r2=1.63
for the diff.

In ssh.com's 3.1.0 there is no channels.c, or channels_alloc so I think this bug does not affect that (or not exactly the same way as in OpenSSH :).

--------------------------------------------------------------------------
Attila Nagy                              e-mail: Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)            @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.    cell.: +3630 306 6758
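
Review bot: the `+ if (id < 0 || id >= channels_alloc) {` line in the first diff carries no comment stating that valid ids end at channels_alloc - 1, and the message shows this same test in two earlier incorrect forms. A one-line comment above the test giving the valid range would make the intent explicit and help keep the comparison from regressing.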
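
Review bot: in the March 2000 lines that introduce the check, `id < 0 && id > channels_alloc` cannot be true for any id as long as channels_alloc is not negative, so the `log("channel_lookup: %d: bad id", id);` line is unreachable and no id is ever rejected. The two comparisons need to be joined with `||`, and the upper bound should be looked at in the same pass.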
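
Review bot: the `+ if (id < 0 || id > channels_alloc) {` line in the June 2000 diff corrects the operator but still accepts id == channels_alloc. If channels_alloc is the number of allocated slots, that id is one past the last valid index, so the upper test should be `id >= channels_alloc`, which is the change shown in the first diff of the message.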
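
As an added example (not part of the original message and not OpenSSH code), the three forms of the range test quoted above can be compared by counting which out-of-range ids each one lets through. It assumes channels_alloc is the number of slots, so valid ids are 0 to channels_alloc - 1; the helper names and the table size of 4 are constructed for illustration.

```c
#include <stdio.h>

/* The three conditions quoted in the message. Each returns 1 when the
 * id is rejected ("bad id") and 0 when it is accepted. */
static int rejects_and(int id, int alloc)   { return id < 0 && id > alloc; }  /* Mar 2000 */
static int rejects_or_gt(int id, int alloc) { return id < 0 || id > alloc; }  /* Jun 2000 */
static int rejects_or_ge(int id, int alloc) { return id < 0 || id >= alloc; } /* fixed */

typedef int (*check_fn)(int id, int alloc);

/* Assumption: alloc is the slot count, so valid ids are 0 .. alloc-1. */
static int in_range(int id, int alloc) { return id >= 0 && id < alloc; }

/* Number of ids in [lo, hi] that are out of range but pass the check. */
static int bad_ids_accepted(check_fn rejects, int alloc, int lo, int hi)
{
    int n = 0;
    for (int id = lo; id <= hi; id++)
        if (!in_range(id, alloc) && !rejects(id, alloc))
            n++;
    return n;
}

/* Number of ids in [lo, hi] that are valid but fail the check. */
static int good_ids_rejected(check_fn rejects, int alloc, int lo, int hi)
{
    int n = 0;
    for (int id = lo; id <= hi; id++)
        if (in_range(id, alloc) && rejects(id, alloc))
            n++;
    return n;
}

int main(void)
{
    const int alloc = 4; /* constructed table size */
    const struct { const char *name; check_fn fn; } forms[] = {
        { "id < 0 && id >  alloc", rejects_and },
        { "id < 0 || id >  alloc", rejects_or_gt },
        { "id < 0 || id >= alloc", rejects_or_ge },
    };
    for (size_t i = 0; i < sizeof forms / sizeof forms[0]; i++)
        printf("%s: %d bad ids accepted, %d good ids rejected\n",
               forms[i].name,
               bad_ids_accepted(forms[i].fn, alloc, -3, 6),
               good_ids_rejected(forms[i].fn, alloc, -3, 6));
    return 0;
}
```

The ids are only classified, never used as an index, so the program is safe to run as is.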