Date: Thu, 9 Mar 2023 13:34:58 +0000
From: Qualys Security Advisory <qsa@...lys.com>
To: Georgi Guninski <gguninski@...il.com>
CC: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)

Hi Georgi,

On Mon, Mar 06, 2023 at 09:53:06AM +0200, Georgi Guninski wrote:
> So besides the double free bug you managed to circumvent
> the mitigation in both Linux and OpenBSD, right?
> Did you find a weakness in the mitigation or did you find
> a fundamental way to exploit double free?

We have not been able to do anything useful on Linux (glibc) yet.

On OpenBSD, what we did works only because this double free is of the
form "free(ptr); many other malloc() and free() calls; free(ptr);".

If it were of the form "free(ptr); no other malloc() or free() call;
free(ptr);" then this double free would be caught immediately by
malloc's security checks.

Hopefully this helps! With best regards,

-- 
the Qualys Security Advisory team
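As an added illustration, not code from the Qualys team, OpenSSH or OpenBSD's malloc: the message distinguishes "free(ptr); free(ptr);" from "free(ptr); many other malloc() and free() calls; free(ptr);" and says only the first is caught immediately by malloc's own checks. The hypothetical C wrapper below shows what a detector that catches both patterns has to keep: an exact record of which addresses are currently live, plus a quarantine so a freed address is not quietly recycled by the intervening allocator traffic. The names `tracked_malloc`, `tracked_free`, the quarantine size and the two demo functions are all constructed here; nothing about OpenBSD's internal bookkeeping is assumed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical quarantining allocator wrapper (added example, not OpenBSD's
 * or glibc's malloc). Freed chunks are parked in a bounded quarantine instead
 * of being handed straight back to malloc, so the address cannot be reused
 * while parked and a second free(ptr) is recognised even after many unrelated
 * malloc()/free() calls in between. Sizes are constructed for the demo. */

#define MAX_LIVE 512
#define QUARANTINE_SLOTS 512

static void *live[MAX_LIVE];                 /* addresses handed out and not yet freed */
static size_t n_live;
static void *quarantine[QUARANTINE_SLOTS];   /* ring buffer of parked (freed) chunks */
static size_t q_head, q_count;
static size_t bad_frees;                     /* refused double/foreign frees so far */

enum free_result { FREE_OK = 0, FREE_DOUBLE = 1, FREE_FOREIGN = 2 };

static int index_of_live(const void *p) {
    for (size_t i = 0; i < n_live; i++)
        if (live[i] == p) return (int)i;
    return -1;
}

static int in_quarantine(const void *p) {
    for (size_t i = 0; i < q_count; i++)
        if (quarantine[(q_head + i) % QUARANTINE_SLOTS] == p) return 1;
    return 0;
}

void *tracked_malloc(size_t sz) {
    if (n_live == MAX_LIVE) return NULL;     /* refuse rather than lose track of a chunk */
    void *p = malloc(sz);
    if (p) live[n_live++] = p;
    return p;
}

/* FREE_OK for a legitimate free; FREE_DOUBLE if p is already parked in the
 * quarantine; FREE_FOREIGN if p was never handed out by tracked_malloc. A
 * refused free never reaches malloc, so the chunk is not released twice. */
enum free_result tracked_free(void *p) {
    if (p == NULL) return FREE_OK;           /* free(NULL) is a legal no-op */
    if (in_quarantine(p)) { bad_frees++; return FREE_DOUBLE; }
    int i = index_of_live(p);
    if (i < 0) { bad_frees++; return FREE_FOREIGN; }
    live[i] = live[--n_live];                /* drop from the live set */
    if (q_count == QUARANTINE_SLOTS) {       /* quarantine full: really free the oldest chunk */
        free(quarantine[q_head]);
        q_head = (q_head + 1) % QUARANTINE_SLOTS;
        q_count--;
    }
    quarantine[(q_head + q_count) % QUARANTINE_SLOTS] = p;
    q_count++;
    return FREE_OK;
}

size_t tracked_bad_free_count(void) { return bad_frees; }
size_t tracked_live_count(void) { return n_live; }

/* Pattern 1 from the message: "free(ptr); free(ptr);" with nothing in between. */
enum free_result demo_immediate(void) {
    void *p = tracked_malloc(64);
    tracked_free(p);
    return tracked_free(p);
}

/* Pattern 2: "free(ptr); many other malloc() and free() calls; free(ptr);".
 * The churn uses mixed sizes so it resembles unrelated allocator traffic. */
enum free_result demo_interleaved(size_t churn) {
    void *p = tracked_malloc(64);
    tracked_free(p);
    for (size_t i = 0; i < churn; i++) {
        void *q = tracked_malloc(16 + (i % 7) * 48);
        tracked_free(q);
    }
    return tracked_free(p);                  /* still detected: p is parked, not recycled */
}

int main(void) {
    printf("immediate double free refused:   %d\n", demo_immediate() == FREE_DOUBLE);
    printf("interleaved double free refused: %d\n", demo_interleaved(100) == FREE_DOUBLE);
    return 0;
}
```

The design point is the trade-off the message hints at: an allocator cannot hold every freed chunk forever, so any built-in check is bounded, and a double free separated by enough traffic can fall outside what the allocator still remembers. A debugging allocator pays for the stronger check with memory (the live table and a large quarantine, the same idea AddressSanitizer uses) and with a lookup on every free; in this sketch, once the churn exceeds `QUARANTINE_SLOTS` the oldest chunk is really released, and detection then rests on the exact live table alone.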
