Date: Wed, 12 Aug 2015 21:50:10 +0200
From: Moritz Jodeit <moritz@...efrostsecurity.de>
To: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
Subject: Re: CVE request - OpenSSH 6.9 PAM privilege separation
 vulnerabilities

On 12.08.2015 18:11, Solar Designer wrote:
> Damien, Moritz -
> 
> On Tue, Aug 11, 2015 at 08:40:38PM +0200, Moritz Jodeit wrote:
>> could you please assign two CVE IDs for the following two security
>> issues fixed in OpenSSH 7.0 (directly taken from the release notes [1]):
>>
>>  * sshd(8): Portable OpenSSH only: Fixed a privilege separation
>>    weakness related to PAM support. Attackers who could successfully
>>    compromise the pre-authentication process for remote code
>>    execution and who had valid credentials on the host could
>>    impersonate other users.  Reported by Moritz Jodeit.
>>
>>  * sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
>>    related to PAM support that was reachable by attackers who could
>>    compromise the pre-authentication process for remote code
>>    execution. Also reported by Moritz Jodeit.
>>
>> [1] http://www.openssh.com/txt/release-7.0
> 
> Far more important than having CVEs would be to know when (in what
> version) these bugs were introduced, with what commits, and what commits
> fix them.  For checking derived versions, and for backports.

The vulnerable code for the two privsep issues was introduced with the merge of the
FreeBSD PAM code in 2003:

https://github.com/openssh/openssh-portable/commit/4f9f42a9bb6a6aa8f6100d873dc6344f2f9994de

The user impersonation issue was fixed by the following commit:

https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b

While the use-after-free is fixed by this commit:

https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7

Cheers,
Moritz
