Date: Sat, 16 May 2015 22:21:23 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Subject: Re: about this openssh heap overflow

On Sat, May 16, 2015 at 11:47:14PM +0200, Hanno Böck wrote:
> On Sat, 16 May 2015 21:10:07 +0000 mancha <mancha1@...o.com> wrote:
> 
> > So, we're dealing with an OOB *read* triggered by a crafted config.
> > By the way, if an attacker has write privileges to your config you
> > have bigger fish to fry.
> 
> Uh no. Has nothing to do with the config (you may mix this up with
> another issue I recently reported to ssh regarding config parsing, but
> that's unrelated).
> 
> It's an OOB triggered in the client by a specific banner string from
> the server.

My git repo was out of sync so 26e0bcf766fadb4 came up after:

$ git log -i --grep Hanno

After a git pull I see 77199d6ec8986d4 is the fix for the issue you're
talking about. I stand corrected.

> > Notices are already going up describing this as heap buffer overflow
> > with "high" risk. [1]
> 
> That's of course bogus.

Not everyone will realize that.

> 
> > Serves as a good reminder that context and phrasing are critically
> > important when publicly discussing bugs with possible security
> > impact in order to avoid tsunamis of the-sky-is-falling posts &
> > articles.
> 
> One takeaway from this story for me - also after criticism I got on
> twitter: The term "heap overflow" seems to be prone to
> misunderstanding.  Some people consider every out of bounds thing an
> "overflow", some think that only oob writes should be considered
> "overflows".
> 
> To avoid confusion I'll call similar issues "out of bounds read"
> instead of "read heap overflow" in the future. Probably a wording less
> prone to misunderstandings.

Good idea. 

> 
> (address sanitizer calls every oob read a heap/stack/global buffer
> overflow, that is the main reason I used that term in the past - I
> often stuck to the wording address sanitizer used)

Another take-away might be to be extra careful when discussing potential
security issues with critical security infrastructure such as OpenSSL
and OpenSSH.

--mancha
