Sshd RSAREF Buffer Overflow Vulnerability

Solution:
This patch was submitted by Daniel Jacobowitz of Debian GNU/Linux to BugTraq on Nov 8, 1999.

--- rsaglue.c.orig Tue Nov 9 11:12:32 1999
+++ rsaglue.c Tue Nov 9 11:17:58 1999
@@ -139,6 +139,10 @@

input_bits = mpz_sizeinbase(input, 2);
input_len = (input_bits + 7) / 8;
+ if(input_bits > MAX_RSA_MODULUS_BITS)
+ fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).",
+ input_bits, MAX_RSA_MODULUS_BITS);
+
gmp_to_rsaref(input_data, input_len, input);

rsaref_public_key(&public_key, key);
@@ -172,6 +176,10 @@

input_bits = mpz_sizeinbase(input, 2);
input_len = (input_bits + 7) / 8;
+ if(input_bits > MAX_RSA_MODULUS_BITS)
+ fatal("Received session key too long (%d bits, %d max) (malicious?).",
+ input_bits, MAX_RSA_MODULUS_BITS);
+
gmp_to_rsaref(input_data, input_len, input);

rsaref_private_key(&private_key, key);

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
 

Privacy Statement
Copyright 2010, SecurityFocus