[openssh] [CVE-2008-1483] allows local users to hijack forwarded X connections

Bug #210175 reported by disabled.user on 2008-04-01
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssh (Debian)
Fix Released
Unknown
openssh (Gentoo Linux)
Fix Released
Medium
openssh (Mandriva)
Unknown
Unknown
openssh (Ubuntu)
Undecided
Unassigned
Dapper
Low
Kees Cook
Edgy
Low
Kees Cook
Feisty
Low
Kees Cook
Gutsy
Low
Kees Cook

Bug Description

References:
MDVSA-2008:078 (http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:078)

Quoting:
"OpenSSH allows local users to hijack forwarded X connections by causing
ssh to set DISPLAY to :10, even when another process is listening on
the associated port."

CVE-2008-1483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1483):
  OpenSSH 4.3p2, and probably other versions, allows local users to hijack
  forwarded X connections by causing ssh to set DISPLAY to :10, even when
  another process is listening on the associated port, as demonstrated by
  opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.

According to the openssh upstream, this also affects vanilla versions later than 4.3. See

... $URL for details

openssh-4.7_p1-r5 in the tree for people to stabilize

Arches, please test and mark stable:
=net-misc/openssh-4.7_p1-r5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"

@base-system, please also apply the patch in -r20 and above.

Download full text (4.3 KiB)

Created attachment 147620
build.log

[ebuild U ] net-misc/openssh-4.7_p1-r5 [4.7_p1-r3] USE="X X509* chroot* hpn* kerberos* ldap libedit* pam skey* smartcard* tcpd (-selinux) -static" 0 kB

Portage 2.1.4.4 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r3 i686)
=================================================================
System uname: 2.6.24-gentoo-r3 i686 AMD Athlon(tm) X2 Dual Core Processor BE-2400
Timestamp of tree: Sat, 29 Mar 2008 10:16:01 +0000
app-shells/bash: 3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.4
dev-lang/python: 2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="3dnow 3dnowext X a52 acl acpi aiglx alsa apache2 apm applet artworkextra asf audiofile avahi bash-completion beagle berkdb bidi bogofilter bootsplash branding bzip2 cairo ccache cdda cddb cdparanoia cdr cli console cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evince evo exif fam fat fbcon fdftk ffmpeg firefox flac foomaticdb fortran ftp gb gcj gdbm gif glitz gnome gpm gsf gstreamer gtk gtk2 gtkhtml hal howl iconv icq idn imagemagick imap imlib immqt-bc isdnlog java javascript jpeg jpeg2k kde ldap libnotify lirc lm_sensors mad maildir matroska mbox midi mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mudflap mule mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc objc++ objc-gc offensive ogg opengl openmp pam pango pcre pdf perl php plotutils pmu png ppds pppd prediction preview-latex print python qt3 qt3support qt4 quicktime readline reflection samba sdk session slang spell spl sse ssl svg svga t1lib tcl tcpd tetex theora ...

Read more...

Created attachment 147621
patch.out

-r20 needs to get sorted out otherwise first. we're focusing on stable here, not ~arrch.

fixed patch failure with USE=X509 by not applying the gsskex patch

ppc and ppc64 stablized openssh-4.7_p1-r5

Stable for HPPA.

x86 stable

amd64 stable

(In reply to comment #7)
> -r20 needs to get sorted out otherwise first. we're focusing on stable here,
> not ~arrch.

~arch is what I meant. We don't need to stable -r20+, but a simple rev-bump and inclusion of the patch should secure ~arch users. Vulnerabilities should be fixed in latest arch and ~arch versions. ~arch will not be covered by the GLSA process though.

alpha/ia64/sparc stable

Fixed in release snapshot. CC'ing Diego, take a look at #12.

Not sure what I have to look at, I used -r20 so that -r5 and so on can be kept for stable non-pambase-aware ebuilds and -r21 could follow that path... is there a problem with providing two ebuilds? (-r5 and -r21)?

(In reply to comment #15)
> Not sure what I have to look at, I used -r20 so that -r5 and so on can be kept
> for stable non-pambase-aware ebuilds and -r21 could follow that path... is
> there a problem with providing two ebuilds? (-r5 and -r21)?

No problem at all, just bump -r20 to -r21 including the patch, both staying ~arch.

that patch isnt the only thing to go into the ebuild. i'll take care of the -r21 transition, but as i said i'm not doing it just yet until other things get sorted out (specific to the -r20 ebuild).

as you already noted, security is concerned about stable, not unstable

request filed.

Colin Watson (cjwatson) wrote :

We already fixed this in Hardy:

openssh (1:4.7p1-5) unstable; urgency=low

  * Recommends: xauth rather than Suggests: xbase-clients.
  * Document in ssh(1) that '-S none' disables connection sharing
    (closes: #471437).
  * Patch from Red Hat / Fedora:
    - SECURITY: Don't use X11 forwarding port which can't be bound on all
      address families, preventing hijacking of X11 forwarding by
      unprivileged users when both IPv4 and IPv6 are configured (closes:
      #463011).
  * Use printf rather than echo -en (a bashism) in openssh-server.config and
    openssh-server.preinst.
  * debconf template translations:
    - Update Finnish (thanks, Esko Arajärvi; closes: #468563).

 -- Colin Watson <email address hidden> Sat, 22 Mar 2008 12:37:00 +0000

The bug is still open in dapper through gutsy, though.

Changed in openssh:
status: New → Fix Released
Nicolas Valcarcel (nvalcarcel) wrote :

Including debdiff for edgy.

Nicolas Valcarcel (nvalcarcel) wrote :

Including debdiff for feisty

Nicolas Valcarcel (nvalcarcel) wrote :

Including debdiff for gutsy

Nicolas Valcarcel (nvalcarcel) wrote :

Including debdiff for dapper

Changed in openssh:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Kees Cook (kees) on 2008-04-01
Changed in openssh:
assignee: nobody → keescook
importance: Undecided → Low
status: Confirmed → In Progress
assignee: nobody → keescook
importance: Undecided → Low
status: Confirmed → In Progress
assignee: nobody → keescook
importance: Undecided → Low
status: Confirmed → In Progress
assignee: nobody → keescook
importance: Undecided → Low
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:4.6p1-5ubuntu0.2

---------------
openssh (1:4.6p1-5ubuntu0.2) gutsy-security; urgency=low

  * SECURITY UPDATE: X11 forward hijacking via alternate address families.
  * channels.c: upstream fixes, patched inline. Thanks to Nicolas Valcarcel
    (LP: #210175).
  * References
    CVE-2008-1483

 -- Kees Cook <email address hidden> Tue, 01 Apr 2008 10:31:42 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:4.3p2-8ubuntu1.2

---------------
openssh (1:4.3p2-8ubuntu1.2) feisty-security; urgency=low

  * SECURITY UPDATE: X11 forward hijacking via alternate address families.
  * channels.c: upstream fixes, patched inline. Thanks to Nicolas Valcarcel
    (LP: #210175).
  * References
    CVE-2008-1483

 -- Kees Cook <email address hidden> Tue, 01 Apr 2008 10:31:42 -0700

Changed in openssh:
status: In Progress → Fix Released
status: In Progress → Fix Released
Kees Cook (kees) wrote :
Changed in openssh:
status: In Progress → Fix Released
status: In Progress → Fix Released
Changed in openssh:
status: Unknown → Confirmed

GLSA 200804-03

Fixed for ~arch in 5.0_p1

Changed in openssh:
status: Confirmed → Fix Released
Changed in openssh:
status: Unknown → Fix Released
Changed in openssh (Gentoo Linux):
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.