
Date:	Wed, 30 Dec 1998 00:04:47 +1100
From:	Darren Reed <avalon@COOMBS.ANU.EDU.AU>
Subject:      ssh2 security problem (and patch) (fwd)
To:	BUGTRAQ@NETSPACE.ORG

This just came across the ssh list...I've deleted the patch for brevity
(original length was some 2900 lines).

> From owner-ssh@clinet.fi Tue Dec 29 23:13:34 EDT 1998
> From: Sami Lehtinen <sjl@ssh.fi>
> MIME-Version: 1.0
> Date: Tue, 29 Dec 1998 12:56:52 +0200 (EET)
> To: ssh@clinet.fi
> Subject: ssh2 security problem (and patch)
> Message-ID: <13960.46005.391107.110139@torni.ssh.fi>
>
>
> Description for the problem and the patch (and its signature) are
> attached to this message.
>
> --
> [sjl@ssh.fi           --  Sami J. Lehtinen  --           sjl@iki.fi]
> [work:+358 9 43543214][gsm:+358 50 5170 258][http://www.iki.fi/~sjl]
> [SSH Communications Security Ltd.                http://www.ssh.fi/]
>
[...]
> sshd2 (version 2.0.11 and older) has a security bug, which allows any
> eligible user to request remote forwarding from privileged ports
> without being root. Thanks to Niko Tyni for pointing this one out.
>
> Included in this message is a patch that fixes this. It also makes the
> client print an error message, if remote port forwarding fails. Also,
> the configure script is a bit revised. It should at least compile at
> HP-UX 9.x now (the "/usr/bin/ld: Unsatisfied symbols: vsnprintf
> (code)" bug should be fixed).
>
> This patch works with ssh-2.0.11, at least.
>
> The patch can also be found in http://www.ssh.fi/sshprotocols2/ in a
> short while.
>
> Installing the patch is simple. Go to the sources directory
> (~/src/ssh-2.0.11/ , or whatever) and give this command
> % patch -p1 -l < ~/patches/patch-ssh-2.0.11
> (the filename depends on where you save it, and with what name)
> Then run configure, make and make install as usual. Restart any
> sshd2-daemons currently running.
[...patch deleted...]
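
The kind of server-side check the advisory says was missing, as an added example (not the deleted ssh2 patch and not SSH Communications Security's code): a remote-forward request is validated and refused when a non-root user asks for a privileged port. The request layout (length-prefixed bind address followed by a 32-bit port), all names, and the sample payloads are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define PRIV_PORT_LIMIT 1024  /* ports below this need root to bind on Unix */

enum fwd_result { FWD_ALLOW, FWD_DENY_PRIVILEGED, FWD_MALFORMED };

/* Constructed sample requests: bind address "0.0.0.0", ports 80 and 8080. */
static const unsigned char sample_low[] =
    { 0,0,0,7, '0','.','0','.','0','.','0', 0,0,0,80 };
static const unsigned char sample_high[] =
    { 0,0,0,7, '0','.','0','.','0','.','0', 0,0,0x1F,0x90 };

/* Read a big-endian 32-bit value. */
static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Assumed layout: [uint32 addr_len][addr bytes][uint32 port].
 * uid is the uid of the authenticated user making the request. */
enum fwd_result check_remote_forward(const unsigned char *payload, size_t len,
                                     uid_t uid, uint32_t *port_out)
{
    uint32_t addr_len, port;

    if (len < 4)
        return FWD_MALFORMED;
    addr_len = get_u32(payload);
    /* The address must fit, and exactly 4 bytes of port must follow it. */
    if (addr_len > len - 4 || len - 4 - addr_len != 4)
        return FWD_MALFORMED;
    port = get_u32(payload + 4 + addr_len);
    if (port == 0 || port > 65535)   /* port 0 is rejected in this example */
        return FWD_MALFORMED;
    if (port_out)
        *port_out = port;
    /* The missing check: only root may have the daemon bind a low port. */
    if (port < PRIV_PORT_LIMIT && uid != 0)
        return FWD_DENY_PRIVILEGED;
    return FWD_ALLOW;
}

int main(void)
{
    printf("uid 1000, port 80:   %d\n", check_remote_forward(sample_low, sizeof sample_low, 1000, NULL));
    printf("uid 1000, port 8080: %d\n", check_remote_forward(sample_high, sizeof sample_high, 1000, NULL));
    return 0;
}
```

The check has to run in the daemon against the authenticated user's uid, because the daemon itself typically runs as root and the kernel will let it bind any port.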