[CVE-2007-4752] ssh in OpenSSH before 4.7 does not properly handle...

Bug #162171 reported by Stephan Ruegamer on 2007-11-12
256
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Undecided
Colin Watson
Dapper
Low
Stephan Ruegamer
Edgy
Low
Stephan Ruegamer
Feisty
Low
Stephan Ruegamer
Gutsy
Low
Stephan Ruegamer

Bug Description

Dear Colleagues,

According to CVE-2007-4752:

ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.

Please find attached some debdiffs.

Regards,

\sh

Stephan Ruegamer (sadig) wrote :
Stephan Ruegamer (sadig) wrote :
Stephan Ruegamer (sadig) wrote :
Stephan Ruegamer (sadig) on 2007-11-16
Changed in openssh:
assignee: nobody → shermann
status: New → In Progress
Colin Watson (cjwatson) wrote :
Download full text (3.5 KiB)

Fixed in Hardy now; stable updates still remain (Kees acknowledged this bug on IRC).

openssh (1:4.7p1-1) unstable; urgency=low

  * New upstream release (closes: #453367).
    - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
      creation of an untrusted cookie fails; found and fixed by Jan Pechanec
      (closes: #444738).
    - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
      installations are unchanged.
    - The SSH channel window size has been increased, and both ssh(1)
      sshd(8) now send window updates more aggressively. These improves
      performance on high-BDP (Bandwidth Delay Product) networks.
    - ssh(1) and sshd(8) now preserve MAC contexts between packets, which
      saves 2 hash calls per packet and results in 12-16% speedup for
      arcfour256/hmac-md5.
    - A new MAC algorithm has been added, UMAC-64 (RFC4418) as
      "<email address hidden>". UMAC-64 has been measured to be approximately
      20% faster than HMAC-MD5.
    - Failure to establish a ssh(1) TunnelForward is now treated as a fatal
      error when the ExitOnForwardFailure option is set.
    - ssh(1) returns a sensible exit status if the control master goes away
      without passing the full exit status.
    - When using a ProxyCommand in ssh(1), set the outgoing hostname with
      gethostname(2), allowing hostbased authentication to work.
    - Make scp(1) skip FIFOs rather than hanging (closes: #246774).
    - Encode non-printing characters in scp(1) filenames. These could cause
      copies to be aborted with a "protocol error".
    - Handle SIGINT in sshd(8) privilege separation child process to ensure
      that wtmp and lastlog records are correctly updated.
    - Report GSSAPI mechanism in errors, for libraries that support multiple
      mechanisms.
    - Improve documentation for ssh-add(1)'s -d option.
    - Rearrange and tidy GSSAPI code, removing server-only code being linked
      into the client.
    - Delay execution of ssh(1)'s LocalCommand until after all forwardings
      have been established.
    - In scp(1), do not truncate non-regular files.
    - Improve exit message from ControlMaster clients.
    - Prevent sftp-server(8) from reading until it runs out of buffer space,
      whereupon it would exit with a fatal error (closes: #365541).
    - pam_end() was not being called if authentication failed
      (closes: #405041).
    - Manual page datestamps updated (closes: #433181).
  * Install the OpenSSH FAQ in /usr/share/doc/openssh-client.
    - Includes documentation on copying files with colons using scp
      (closes: #303453).
  * Create /var/run/sshd on start even if /etc/ssh/sshd_not_to_be_run exists
    (closes: #453285).
  * Fix "overriden" typo in ssh(1) (thanks, A. Costa; closes: #390699).
  * Refactor debian/rules configure and make invocations to make development
    easier.
  * Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).
  * Update moduli(5) to revision 1.11 from OpenBSD CVS.
  * Document the non-default options we set as standard in ssh_config(5) and
    sshd_config(5) (closes: #327886, #345...

Read more...

Changed in openssh:
assignee: shermann → kamion
status: In Progress → Fix Released
Kees Cook (kees) on 2008-01-09
Changed in openssh:
assignee: nobody → shermann
importance: Undecided → Low
status: New → Fix Committed
assignee: nobody → shermann
importance: Undecided → Low
status: New → Fix Committed
assignee: nobody → shermann
importance: Undecided → Low
status: New → Fix Committed
assignee: nobody → shermann
importance: Undecided → Low
status: New → Fix Committed
Kees Cook (kees) wrote :

The attached patches don't seem to match the upstream changes. I've rearranged things a bit to remove the duplicated xauth listing code, and will have this published shortly. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:4.6p1-5ubuntu0.1

---------------
openssh (1:4.6p1-5ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: trusted cookie leak when untrusted cookie cannot be
    generated.
  * debian/control: Updated Maintainer Field to follow Ubuntu Maintainer Policy
  * clientloop.c: Applied patch according to openssh upstream (LP: #162171),
    thanks to Stephan Hermann.
  * References:
    CVE-2007-4752
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444738
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181

 -- Kees Cook <email address hidden> Wed, 09 Jan 2008 12:37:26 -0800

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:4.3p2-8ubuntu1.1

---------------
openssh (1:4.3p2-8ubuntu1.1) feisty-security; urgency=low

  * SECURITY UPDATE: trusted cookie leak when untrusted cookie cannot be
    generated.
  * clientloop.c: Applied patch according to openssh upstream (LP: #162171),
    thanks to Stephan Hermann.
  * References:
    CVE-2007-4752
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444738
    http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181

 -- Kees Cook <email address hidden> Wed, 09 Jan 2008 12:39:28 -0800

Changed in openssh:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Kees Cook (kees) wrote :
Changed in openssh:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.