Date: Wed, 12 Aug 2015 21:50:10 +0200
From: Moritz Jodeit <moritz@...efrostsecurity.de>
To: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
Subject: Re: CVE request - OpenSSH 6.9 PAM privilege separation vulnerabilities

On 12.08.2015 18:11, Solar Designer wrote:
> Damien, Moritz -
>
> On Tue, Aug 11, 2015 at 08:40:38PM +0200, Moritz Jodeit wrote:
>> could you please assign two CVE IDs for the following two security
>> issues fixed in OpenSSH 7.0 (directly taken from the release notes):
>>
>> * sshd(8): Portable OpenSSH only: Fixed a privilege separation
>>   weakness related to PAM support. Attackers who could successfully
>>   compromise the pre-authentication process for remote code
>>   execution and who had valid credentials on the host could
>>   impersonate other users. Reported by Moritz Jodeit.
>>
>> * sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
>>   related to PAM support that was reachable by attackers who could
>>   compromise the pre-authentication process for remote code
>>   execution. Also reported by Moritz Jodeit.
>>
>> http://www.openssh.com/txt/release-7.0
>
> Far more important than having CVEs would be to know when (in what
> version) these bugs were introduced, with what commits, and what commits
> fix them. For checking derived versions, and for backports.

The vulnerable code for the two privsep issues was introduced with the
merge of the FreeBSD PAM code in 2003:

https://github.com/openssh/openssh-portable/commit/4f9f42a9bb6a6aa8f6100d873dc6344f2f9994de

The user impersonation issue was fixed by the following commit:

https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b

While the use-after-free is fixed by this commit:

https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7

Cheers,
Moritz