
CVE-2015-5352: openSSH in squeeze not affected(?)

Dear SSH maintainers, dear LTS team,

I just spent quite some time reading openSSH code related to checking if CVE-2015-5352 [1] needs to be fixed in Debian squeeze LTS.

The upstream commit for fixing CVE-2015-5352 is at [2]. The fix addresses an issue with the ForwardX11Timeout option in ssh_config. This option is not present in Debian squeeze's version of openSSH. So basically openSSH in squeeze is not affected.

In squeeze's version there is a hard-coded ForwardX11Timeout of 1200 (in seconds, 20min lifetime of the X11 auth cookie).

However, I sense that parts of the commit [2] should be adopted, esp. this part:

--- a/clientloop.c
+++ b/clientloop.c
@@ -1706,6 +1729,11 @@ (in client_request_x11 function)
                    "malicious server.");
                return NULL;
+       if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
+               verbose("Rejected X11 connection after ForwardX11Timeout "
+                        "expired");
+               return NULL;
+       }
        originator = packet_get_string(NULL);
        if (datafellows & SSH_BUG_X11FWD) {
                debug2("buggy server: x11 request w/o originator_port");
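Review bot: the new check depends on two things that are not in this hunk. x11_refuse_time must actually be set somewhere (upstream sets it when the X11 auth cookie is generated, as the current monotonic time plus the timeout); if a backport only adds this check, the `x11_refuse_time != 0` guard means no connection is ever rejected. And monotime() must exist in the backport target: if squeeze's openSSH predates it, an equivalent helper reading a monotonic clock is needed rather than time(), since a wall clock stepped backwards would extend the cookie's lifetime. Also, the context shows the check inserted directly after `return NULL;`; the hunk's line numbers refer to the 6.9 tree, so confirm in squeeze's clientloop.c that it lands after the closing brace of the preceding if-block, not inside it.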

... where x11_refuse_time would be the hard-coded 1200s value...

Any feedback is highly welcome!


[1] https://security-tracker.debian.org/tracker/CVE-2015-5352
[2] https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d

mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

