Dear SSH maintainers, dear LTS team,

I just spent quite some time reading OpenSSH code related to checking if CVE-2015-5352 [1] needs to be fixed in Debian squeeze LTS.
The upstream commit fixing CVE-2015-5352 is at [2]. The fix addresses an issue with the ForwardX11Timeout option in ssh_config. This option is not present in Debian squeeze's version of OpenSSH, so basically OpenSSH in squeeze is not affected.
In squeeze's version there is a hard-coded ForwardX11Timeout of 1200 (in seconds, i.e. a 20 min lifetime of the X11 auth cookie).
However, I sense that parts of the commit [2] should be adopted, esp. this part:
"""
--- a/clientloop.c
+++ b/clientloop.c
@@ -1706,6 +1729,11 @@ (in client_request_x11 function)
"malicious server.");
return NULL;
}
+ if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
+ verbose("Rejected X11 connection after ForwardX11Timeout "
+ "expired");
+ return NULL;
+ }
originator = packet_get_string(NULL);
if (datafellows & SSH_BUG_X11FWD) {
debug2("buggy server: x11 request w/o originator_port");
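Review bot: the added check before `originator = packet_get_string(NULL);` compares the current monotonic time with an absolute deadline (`(u_int)monotime() >= x11_refuse_time`), so in a backport x11_refuse_time has to be set to monotime() plus the 1200 s lifetime at the point where the client requests X11 forwarding (and left at 0 to disable the check), not to the constant 1200 itself; with the constant, every X11 request would be rejected as soon as the host's monotonic clock passes 20 minutes. The hunk also uses x11_refuse_time and monotime() without declaring either: the backport needs the global and its initialisation from the remainder of commit [2], and should confirm monotime() exists in the squeeze tree, otherwise use one clock source (e.g. time(NULL)) for both the deadline and this comparison. Minor: the verbose() text names ForwardX11Timeout, an option the squeeze config does not expose; reword it to refer to the hard-coded X11 forwarding timeout.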
"""
... where x11_refuse_time would be the hard-coded 1200s value...
Any feedback is highly welcome!
Mike
[1] https://security-tracker.debian.org/tracker/CVE-2015-5352
[2] https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Attachment: pgpB9a1Y_JnzQ.pgp (Description: Digital PGP signature)
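The deadline logic that the quoted hunk relies on, as an added example that is not part of the original mail and not OpenSSH code. It models what a backport of the check needs: a deadline armed once, when X11 forwarding is requested, from a monotonic clock plus the hard-coded 1200 s cookie lifetime (0 meaning "no timeout"), and the per-request comparison from the hunk. For contrast it also includes the variant that stores the 1200 s constant itself as the refuse time, which behaves as an uptime check rather than a session timeout. The function names, the `mono_now()` helper and the constructed timestamps in `main()` are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Squeeze's hard-coded X11 auth cookie lifetime, in seconds (from the mail). */
#define X11_TIMEOUT_DEFAULT 1200u

/* Monotonic seconds; stands in for OpenSSH's monotime() (assumed helper). */
static unsigned int mono_now(void)
{
	struct timespec ts;

	clock_gettime(CLOCK_MONOTONIC, &ts);
	return (unsigned int)ts.tv_sec;
}

/*
 * Called once, when the client asks the server to forward X11.
 * Returns the absolute refuse time; 0 disables the check, as in the hunk.
 * Wrap-around of the unsigned sum is not handled, matching the hunk's (u_int) compare.
 */
unsigned int x11_arm_deadline(unsigned int now, unsigned int timeout_secs)
{
	if (timeout_secs == 0)
		return 0;
	return now + timeout_secs;
}

/*
 * Called for every incoming X11 channel-open request (the hunk's condition).
 * true  -> accept the connection
 * false -> reject, the forwarding window has expired
 */
bool x11_request_allowed(unsigned int refuse_time, unsigned int now)
{
	if (refuse_time != 0 && now >= refuse_time)
		return false;
	return true;
}

/*
 * Deliberately wrong variant: the refuse time is the constant 1200 itself.
 * The comparison then asks "has the monotonic clock passed 20 minutes?",
 * i.e. an uptime check, not "has this session's window expired?".
 */
bool x11_request_allowed_constant_bug(unsigned int now)
{
	return x11_request_allowed(X11_TIMEOUT_DEFAULT, now);
}

int main(void)
{
	unsigned int t0 = mono_now();
	unsigned int deadline = x11_arm_deadline(t0, X11_TIMEOUT_DEFAULT);

	/* Constructed timestamps: just before and just after the window closes. */
	printf("at +1199s: %s\n", x11_request_allowed(deadline, t0 + 1199) ? "accept" : "reject");
	printf("at +1200s: %s\n", x11_request_allowed(deadline, t0 + 1200) ? "accept" : "reject");
	printf("constant variant, uptime %us: %s\n", t0,
	    x11_request_allowed_constant_bug(t0) ? "accept" : "reject");
	return 0;
}
```

The test below pins the semantics a reviewer would want to see in a backport: 0 disables the check, the window closes exactly at the deadline, and the constant variant rejects purely as a function of uptime.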