Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed,  1 Jul 2015 12:12:41 -0400 (EDT)
Subject: Re: CVE Request: two security issues in openSSH 6.9

Hash: SHA1

> The openSSH 6.9 release contains the following changes declared as
> security issues:

We don't know whether the upstream vendor uses:


exclusively to mean that they are announcing vulnerability fixes, or
sometimes instead to mean that a change is otherwise related to


Use CVE-2015-5352 for the issue in which the refusal deadline was not
checked within the x11_open_helper function. (There's extra code to
make the x11_refuse_time value usable within two source-code files,
but adding that code doesn't seem to be related to any independent

We didn't completely understand the rationale for moving "system(cmd)"
after the x11_refuse_time assignment, or whether this is addressing an
independent problem. It seems conceivable that there's a very slow
network connection to the X server, and an "xauth generate" may
therefore take a very long time. So, we think this might add a risk
that, by the time system(cmd) finishes, the refusal deadline has
already passed. If we're misunderstanding this or there's a
vulnerability fixed by moving the system(cmd) call, please let us

> - if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
> + if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {

We're guessing that this isn't a vulnerability fix, and that the
author just somehow doesn't want x11_refuse_time to be a time_t.

> "fail open"
> behaviour in the X11 server when clients attempted connections with
> expired credentials.

The scope of CVE-2015-5352 does not include any fail-open
characteristics of an X server. There could possibly be a separate CVE
ID if there is an error that needs to be fixed in the X codebase.

>  * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
>    password guessing by implementing an increasing failure delay,
>    storing a salted hash of the password rather than the password
>    itself and using a timing-safe comparison function for verifying
>    unlock attempts.

Our current thought is that a CVE ID may not be needed because attacks
against ssh-agent locking don't cross a privilege boundary. In other
words, the changelog entry could be interpreted to mean addition of a
new security feature related to a threat model that wasn't in the
previous design goals (e.g., password guessing by malware running
under the same account).

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ