[openssh] [CVE-2008-1483] allows local users to hijack forwarded X connections

Bug #210175 reported by disabled.user on 2008-04-01
Affects                 Status         Importance   Assigned to   Milestone
openssh (Debian)        Fix Released   Unknown
openssh (Gentoo Linux)  Fix Released   Medium
openssh (Mandriva)      Unknown        Unknown
openssh (Ubuntu)                       Undecided    Unassigned
  Dapper                               Low          Kees Cook
  Edgy                                 Low          Kees Cook
  Feisty                               Low          Kees Cook
  Gutsy                                Low          Kees Cook

Bug Description

References:
MDVSA-2008:078 (http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:078)

Quoting:
"OpenSSH allows local users to hijack forwarded X connections by causing
ssh to set DISPLAY to :10, even when another process is listening on
the associated port."

Colin Watson (cjwatson) wrote :

We already fixed this in Hardy:

openssh (1:4.7p1-5) unstable; urgency=low

  * Recommends: xauth rather than Suggests: xbase-clients.
  * Document in ssh(1) that '-S none' disables connection sharing
    (closes: #471437).
  * Patch from Red Hat / Fedora:
    - SECURITY: Don't use X11 forwarding port which can't be bound on all
      address families, preventing hijacking of X11 forwarding by
      unprivileged users when both IPv4 and IPv6 are configured (closes:
      #463011).
  * Use printf rather than echo -en (a bashism) in openssh-server.config and
    openssh-server.preinst.
  * debconf template translations:
    - Update Finnish (thanks, Esko Arajärvi; closes: #468563).

 -- Colin Watson <email address hidden> Sat, 22 Mar 2008 12:37:00 +0000

The bug is still open in dapper through gutsy, though.

Changed in openssh:
status: New → Fix Released
Nicolas Valcarcel (nvalcarcel) wrote :

Including debdiff for edgy.

Nicolas Valcarcel (nvalcarcel) wrote :

Including debdiff for feisty

Nicolas Valcarcel (nvalcarcel) wrote :

Including debdiff for gutsy

Nicolas Valcarcel (nvalcarcel) wrote :

Including debdiff for dapper

Changed in openssh:
status: New → Confirmed
Kees Cook (kees) on 2008-04-01
Changed in openssh:
assignee: nobody → keescook
importance: Undecided → Low
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:4.6p1-5ubuntu0.2

---------------
openssh (1:4.6p1-5ubuntu0.2) gutsy-security; urgency=low

  * SECURITY UPDATE: X11 forward hijacking via alternate address families.
  * channels.c: upstream fixes, patched inline. Thanks to Nicolas Valcarcel
    (LP: #210175).
  * References
    CVE-2008-1483

 -- Kees Cook <email address hidden> Tue, 01 Apr 2008 10:31:42 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:4.3p2-8ubuntu1.2

---------------
openssh (1:4.3p2-8ubuntu1.2) feisty-security; urgency=low

  * SECURITY UPDATE: X11 forward hijacking via alternate address families.
  * channels.c: upstream fixes, patched inline. Thanks to Nicolas Valcarcel
    (LP: #210175).
  * References
    CVE-2008-1483

 -- Kees Cook <email address hidden> Tue, 01 Apr 2008 10:31:42 -0700

Changed in openssh:
status: In Progress → Fix Released
Kees Cook (kees) wrote :
Changed in openssh:
status: In Progress → Fix Released
Changed in openssh:
status: Unknown → Confirmed
Changed in openssh:
status: Confirmed → Fix Released
Changed in openssh:
status: Unknown → Fix Released
Changed in openssh (Gentoo Linux):
importance: Unknown → Medium
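
The rule stated in the changelog entries above (do not use an X11 forwarding port that cannot be bound on all address families) can be sketched as follows. This is an added example, not the OpenSSH channels.c patch or any code from this bug report; the function names `bind_all_families` and `alloc_display` and the constant `MAX_SOCKS` are hypothetical.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_SOCKS 8

/* Bind a listener on every address family for `port`. Returns the number of
 * sockets bound, or 0 if any supported family could not be bound. */
static int bind_all_families(int port, int *socks) {
    struct addrinfo hints, *res, *ai;
    char serv[16];
    int n = 0, on = 1;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE;
    snprintf(serv, sizeof(serv), "%d", port);
    if (getaddrinfo(NULL, serv, &hints, &res) != 0) return 0;
    for (ai = res; ai != NULL && n < MAX_SOCKS; ai = ai->ai_next) {
        int s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (s < 0) continue;              /* family unsupported here: skip */
        if (ai->ai_family == AF_INET6)    /* stop :: from also covering IPv4 */
            setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        if (bind(s, ai->ai_addr, ai->ai_addrlen) < 0 || listen(s, 5) < 0) {
            close(s);                     /* one family is taken: drop the port */
            while (n > 0) close(socks[--n]);
            break;
        }
        socks[n++] = s;
    }
    freeaddrinfo(res);
    return n;
}

/* First display number whose port binds on every family, or -1. */
int alloc_display(int base, int first, int max, int *socks, int *nsocks) {
    for (int d = first; d < max; d++)
        if ((*nsocks = bind_all_families(base + d, socks)) > 0) return d;
    return -1;
}

int main(void) {
    int socks[MAX_SOCKS], n;
    /* 6000 is the X11 TCP base port; start at display 10 (DISPLAY :10) */
    printf("display :%d\n", alloc_display(6000, 10, 1000, socks, &n));
    return 0;
}
```

If another process already holds the port on only one family, the whole display number is skipped and any sockets already bound for it are closed before the next number is tried.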