Date: Sat, 16 May 2015 22:21:23 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Subject: Re: about this openssh heap overflow

On Sat, May 16, 2015 at 11:47:14PM +0200, Hanno Böck wrote:
> On Sat, 16 May 2015 21:10:07 +0000 mancha <mancha1@...o.com> wrote:
> 
> > So, we're dealing with an OOB *read* triggered by a crafted config.
> > By the way, if an attacker has write privileges to your config you
> > have bigger fish to fry.
> 
> Uh no. Has nothing to do with the config (you may mix this up with
> another issue I recently reported to ssh regarding config parsing, but
> that's unrelated).
> 
> It's an OOB triggered in the client by a specific banner string from
> the server.

My git repo was out of sync so 26e0bcf766fadb4 came up after:

$ git log -i --grep Hanno

After a git pull I see 77199d6ec8986d4 is the fix for the issue you're
talking about. I stand corrected.

> > Notices are already going up describing this as heap buffer overflow
> > with "high" risk. [1]
> 
> That's of course bogus.

Not everyone will realize that.

> 
> > Serves as a good reminder that context and phrasing are critically
> > important when publicly discussing bugs with possible security
> > impact in order to avoid tsunamis of the-sky-is-falling posts &
> > articles.
> 
> One takeaway from this story for me - also after criticism I got on
> twitter: the term "heap overflow" seems to be prone to
> misunderstanding.  Some people consider every out of bounds thing an
> "overflow", some think that only oob writes should be considered
> "overflows".
> 
> To avoid confusion I'll call similar issues "out of bounds read"
> instead of "read heap overflow" in the future. Probably a wording less
> prone to misunderstandings.

Good idea. 

> 
> (address sanitizer calls every oob read a heap/stack/global buffer
> overflow, that is the main reason I used that term in the past - I
> often stuck to the wording address sanitizer used)

Another take-away might be to be extra careful when discussing potential
security issues with critical security infrastructure such as OpenSSL
and OpenSSH.

--mancha
