oss-sec mailing list archives
Re: Qualys Security Advisory - Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778
From: Jan Schaumann <jschauma () netmeister org>
Date: Thu, 14 Jan 2016 20:46:42 -0500
Qualys Security Advisory <qsa () qualys com> wrote:
> On Thu, Jan 14, 2016 at 01:11:29PM -0500, Jan Schaumann wrote:
> > Why is version 5.3 not affected?
>
> The information leak is in resend_bytes() ["if (out_start < out_last)" should be "if (out_start <= out_last)"], but in OpenSSH 5.3, there is no call to resend_bytes(), at all (roaming_client.c does not even exist).

Thanks. I see resend_bytes() being added on 2009-06-27 in roaming_common.c:

https://github.com/openssh/openssh-portable/commit/466df219615d72e48ff9103ec67521447f23a158

"2009/06/27 09:32:43
[roaming_common.c roaming.h]
It may be necessary to retransmit some data when resuming, so add it to a buffer when roaming is enabled.
"

That's three days before the version was bumped to 5.3.

I'm afraid I haven't had the time to test your PoC against 5.3, but I just want to make sure that we're not overlooking a vulnerable version.

-Jan