Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 16 May 2015 23:47:14 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: about this openssh heap overflow

On Sat, 16 May 2015 21:10:07 +0000
mancha <mancha1@...o.com> wrote:

> So, we're dealing with an OOB *read* triggered by a crafted config. By
> the way, if an attacker has write privileges to your config you have
> bigger fish to fry.

Uh no. Has nothing to do with the config (you may mix this up with
another issue I recently reported to ssh regarding config parsing, but
that's unrelated).

It's an OOB triggered in the client by a specific banner string from the
server.

> Notices are already going up describing this as heap buffer overflow
> with "high" risk. [1]

That's of course bogus.

> Serves as a good reminder that context and
> phrasing are critically important when publicly discussing bugs with
> possible security impact in order to avoid tsunamis of
> the-sky-is-falling posts & articles.

One take away from this story for me - also after criticism I got on
twitter: The term "heap overflow" seems to be prone for
misunderstanding.
Some people consider every out of bounds thing an "overflow", some
think that only oob writes should be considered "overflows.

To avoid confusion I'll call similar issues "out of bounds read"
instead of "read heap overflow" in the future. Probably a wording less
prone to misunderstandings.

(address sanitizer calls every oob read a heap/stack/global buffer
overflow, that is the main reason I used that term in the past - I often
sticked to the wording address sanitizer used)


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.