Date: Thu, 14 Jan 2016 20:46:42 -0500
From: Jan Schaumann <jschauma@...meister.org>
To: Qualys Security Advisory <qsa@...lys.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778

Qualys Security Advisory <qsa@...lys.com> wrote:
> On Thu, Jan 14, 2016 at 01:11:29PM -0500, Jan Schaumann wrote:
> > Why is version 5.3 not affected?
> 
> The information leak is in resend_bytes() ["if (out_start < out_last)"
> should be "if (out_start <= out_last)"], but in OpenSSH 5.3, there is no
> call to resend_bytes(), at all (roaming_client.c does not even exist).

Thanks.

I see resend_bytes() being added on 2009-06-27 in roaming_common.c:
https://github.com/openssh/openssh-portable/commit/466df219615d72e48ff9103ec67521447f23a158

"2009/06/27 09:32:43

[roaming_common.c roaming.h]
It may be necessary to retransmit some data when resuming, so add it
to a buffer when roaming is enabled.
"

That's three days before the version was bumped to 5.3.

I'm afraid I haven't had the time to test your PoC against 5.3, but I
just want to make sure that we're not overlooking a vulnerable version.

-Jan
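The quoted explanation identifies the leak as a boundary check in resend_bytes(): "<" versus "<=" on out_start and out_last. The following is an added illustration, not OpenSSH's code and not part of this thread; it assumes a simplified ring-buffer cache in which out_start == out_last means nothing has been cached yet, and shows why the "<" test lets a resend of a freshly allocated, never-written cache be treated as a full buffer of live data while "<=" yields zero available bytes.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of a roaming resend cache (assumed shape, not OpenSSH's
 * code): a ring of OUT_BUF_SIZE bytes, out_start = oldest cached byte,
 * out_last = one past the newest; out_start == out_last means nothing cached. */
#define OUT_BUF_SIZE 16
#define POISON 0xAA   /* stands in for never-written heap bytes */

/* Bytes the resend path believes it may send. fixed == 0 uses the "<"
 * test the advisory names as the bug, fixed != 0 the "<=" correction. */
size_t available_bytes(size_t out_start, size_t out_last, int fixed)
{
    int contiguous = fixed ? (out_start <= out_last) : (out_start < out_last);
    if (contiguous)
        return out_last - out_start;
    return OUT_BUF_SIZE;   /* wrapped: the whole ring is treated as live */
}

/* Never-written bytes a resend of the newest n bytes would expose. */
size_t poison_bytes_exposed(const uint8_t *out_buf, size_t out_last, size_t n)
{
    size_t leaked = 0, i;
    for (i = 0; i < n && i < OUT_BUF_SIZE; i++) {
        size_t idx = (out_last + OUT_BUF_SIZE - 1 - i) % OUT_BUF_SIZE;
        if (out_buf[idx] == POISON)
            leaked++;
    }
    return leaked;
}

/* Leak size for a freshly allocated cache: nothing written, both indices 0. */
size_t leak_on_empty_cache(int fixed)
{
    uint8_t out_buf[OUT_BUF_SIZE];
    memset(out_buf, POISON, sizeof out_buf);
    return poison_bytes_exposed(out_buf, 0, available_bytes(0, 0, fixed));
}

int main(void)
{
    printf("empty cache: '<' exposes %zu uninitialised bytes, '<=' exposes %zu\n",
           leak_on_empty_cache(0), leak_on_empty_cache(1));
    return 0;
}
```

With the corrected comparison the empty-cache case reports nothing available, so a resend request cannot be served from memory the client never wrote.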
