Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

[Thomas Roessler]

On 2001-07-22 10:03:31 +0200, Florian Weimer wrote:

>A quick glance at the source code suggests that SSH 2.3.0 and 
>2.4.0 have the same problem.  Is this true?

I suppose we are talking about this section of ssh 2.4.0's
sshunixuser.c:

   940
   941    /* Authentication is accepted if the encrypted passwords are identical. */
   942  #ifdef HAVE_HPUX_TCB_AUTH
   943    return strncmp(encrypted_password, correct_passwd,
   944                   strlen(correct_passwd)) == 0;
   945  #else /* HAVE_HPUX_TCB_AUTH */
   946    return strcmp(encrypted_password, correct_passwd) == 0;
   947  #endif /* HAVE_HPUX_TCB_AUTH */

If I read this correctly, it's certainly not a problem unless ssh is 
compiled with HAVE_HPUX_TCB_AUTH defined.  In that case, it may or 
may not be a problem.

-- 
Thomas Roessler                        http://log.does-not-exist.org/

PGP signature