Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed,  1 Jul 2015 12:12:41 -0400 (EDT)
Subject: Re: CVE Request: two security issues in openSSH 6.9

Hash: SHA1

> The openSSH 6.9 release contains the following changes declared as
> security issues:

We don't know whether the upstream vendor uses:


exclusively to mean that they are announcing vulnerability fixes, or
sometimes instead to mean that a change is otherwise related to


Use CVE-2015-5352 for the issue in which the refusal deadline was not
checked within the x11_open_helper function. (There's extra code to
make the x11_refuse_time value usable within two source-code files,
but adding that code doesn't seem to be related to any independent

We didn't completely understand the rationale for moving "system(cmd)"
after the x11_refuse_time assignment, or whether this is addressing an
independent problem. It seems conceivable that there's a very slow
network connection to the X server, and an "xauth generate" may
therefore take a very long time. So, we think this might add a risk
that, by the time system(cmd) finishes, the refusal deadline has
already passed. If we're misunderstanding this or there's a
vulnerability fixed by moving the system(cmd) call, please let us

> - if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
> + if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {

We're guessing that this isn't a vulnerability fix, and that the
author just somehow doesn't want x11_refuse_time to be a time_t.

> "fail open"
> behaviour in the X11 server when clients attempted connections with
> expired credentials.

The scope of CVE-2015-5352 does not include any fail-open
characteristics of an X server. There could possibly be a separate CVE
ID if there is an error that needs to be fixed in the X codebase.

>  * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
>    password guessing by implementing an increasing failure delay,
>    storing a salted hash of the password rather than the password
>    itself and using a timing-safe comparison function for verifying
>    unlock attempts.

Our current thought is that a CVE ID may not be needed because attacks
against ssh-agent locking don't cross a privilege boundary. In other
words, the changelog entry could be interpreted to mean addition of a
new security feature related to a threat model that wasn't in the
previous design goals (e.g., password guessing by malware running
under the same account).

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.