Date: Sat, 16 May 2015 22:21:23 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Subject: Re: about this openssh heap overflow

On Sat, May 16, 2015 at 11:47:14PM +0200, Hanno Böck wrote:
> On Sat, 16 May 2015 21:10:07 +0000
> mancha <mancha1@...o.com> wrote:
>
> > So, we're dealing with an OOB *read* triggered by a crafted config.
> > By the way, if an attacker has write privileges to your config you
> > have bigger fish to fry.
>
> Uh no. Has nothing to do with the config (you may mix this up with
> another issue I recently reported to ssh regarding config parsing, but
> that's unrelated).
>
> It's an OOB triggered in the client by a specific banner string from
> the server.

My git repo was out of sync so 26e0bcf766fadb4 came up after:

$ git log -i --grep Hanno

After a git pull I see 77199d6ec8986d4 is the fix for the issue you're
talking about. I stand corrected.

> > Notices are already going up describing this as heap buffer overflow
> > with "high" risk.
>
> That's of course bogus.

Not everyone will realize that.

> > Serves as a good reminder that context and phrasing are critically
> > important when publicly discussing bugs with possible security
> > impact in order to avoid tsunamis of the-sky-is-falling posts &
> > articles.
>
> One takeaway from this story for me - also after criticism I got on
> twitter: The term "heap overflow" seems to be prone to
> misunderstanding. Some people consider every out of bounds thing an
> "overflow", some think that only oob writes should be considered
> "overflows".
>
> To avoid confusion I'll call similar issues "out of bounds read"
> instead of "read heap overflow" in the future. Probably a wording less
> prone to misunderstandings.

Good idea.

> (address sanitizer calls every oob read a heap/stack/global buffer
> overflow, that is the main reason I used that term in the past - I
> often stuck to the wording address sanitizer used)

Another take-away might be to be extra careful when discussing potential
security issues with critical security infrastructure such as OpenSSL
and OpenSSH.

--mancha