oss-sec mailing list archives
Re: about this openssh heap overflow
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 16 May 2015 23:47:14 +0200
On Sat, 16 May 2015 21:10:07 +0000 mancha <mancha1 () zoho com> wrote:
So, we're dealing with an OOB *read* triggered by a crafted config. By the way, if an attacker has write privileges to your config you have bigger fish to fry.
Uh no. Has nothing to do with the config (you may mix this up with another issue I recently reported to ssh regarding config parsing, but that's unrelated). It's an OOB triggered in the client by a specific banner string from the server.
Notices are already going up describing this as heap buffer overflow with "high" risk. [1]
That's of course bogus.
Serves as a good reminder that context and phrasing are critically important when publicly discussing bugs with possible security impact in order to avoid tsunamis of the-sky-is-falling posts & articles.
One take away from this story for me - also after criticism I got on twitter: The term "heap overflow" seems to be prone for misunderstanding. Some people consider every out of bounds thing an "overflow", some think that only oob writes should be considered "overflows. To avoid confusion I'll call similar issues "out of bounds read" instead of "read heap overflow" in the future. Probably a wording less prone to misunderstandings. (address sanitizer calls every oob read a heap/stack/global buffer overflow, that is the main reason I used that term in the past - I often sticked to the wording address sanitizer used) -- Hanno Böck http://hboeck.de/ mail/jabber: hanno () hboeck de GPG: BBB51E42
Attachment:
_bin
Description: OpenPGP digital signature
Current thread:
- about this openssh heap overflow Hanno Böck (May 16)
- Re: about this openssh heap overflow mancha (May 16)
- Re: about this openssh heap overflow Hanno Böck (May 16)
- Re: about this openssh heap overflow mancha (May 16)
- Re: about this openssh heap overflow Hanno Böck (May 16)
- Re: about this openssh heap overflow mancha (May 16)