[Bug 210175] Re: [openssh] [CVE-2008-1483] allows local users to hijack forwarded X connections
Bug Watch Updater
210175 at bugs.launchpad.net
Thu Apr 9 21:23:25 UTC 2020
Launchpad has imported 20 comments from the remote bug at
https://bugs.gentoo.org/show_bug.cgi?id=214985.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2008-03-26T21:59:52+00:00 rbu wrote:
CVE-2008-1483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1483):
OpenSSH 4.3p2, and probably other versions, allows local users to hijack
forwarded X connections by causing ssh to set DISPLAY to :10, even when
another process is listening on the associated port, as demonstrated by
opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/0
------------------------------------------------------------------------
On 2008-03-26T23:10:10+00:00 rbu wrote:
According to the openssh upstream, this also affects vanilla versions
later than 4.3. See
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/1
------------------------------------------------------------------------
On 2008-03-26T23:10:42+00:00 rbu wrote:
... $URL for details
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/2
------------------------------------------------------------------------
On 2008-03-29T03:07:43+00:00 vapier wrote:
openssh-4.7_p1-r5 in the tree for people to stabilize
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/3
------------------------------------------------------------------------
On 2008-03-29T10:20:37+00:00 rbu wrote:
Arches, please test and mark stable:
=net-misc/openssh-4.7_p1-r5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
@base-system, please also apply the patch in -r20 and above.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/4
------------------------------------------------------------------------
On 2008-03-29T11:08:28+00:00 fauli wrote:
Created attachment 147620
build.log
[ebuild U ] net-misc/openssh-4.7_p1-r5 [4.7_p1-r3] USE="X X509*
chroot* hpn* kerberos* ldap libedit* pam skey* smartcard* tcpd
(-selinux) -static" 0 kB
Portage 2.1.4.4 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r3 i686)
=================================================================
System uname: 2.6.24-gentoo-r3 i686 AMD Athlon(tm) X2 Dual Core Processor BE-2400
Timestamp of tree: Sat, 29 Mar 2008 10:16:01 +0000
app-shells/bash: 3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.4
dev-lang/python: 2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="3dnow 3dnowext X a52 acl acpi aiglx alsa apache2 apm applet artworkextra asf audiofile avahi bash-completion beagle berkdb bidi bogofilter bootsplash branding bzip2 cairo ccache cdda cddb cdparanoia cdr cli console cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evince evo exif fam fat fbcon fdftk ffmpeg firefox flac foomaticdb fortran ftp gb gcj gdbm gif glitz gnome gpm gsf gstreamer gtk gtk2 gtkhtml hal howl iconv icq idn imagemagick imap imlib immqt-bc isdnlog java javascript jpeg jpeg2k kde ldap libnotify lirc lm_sensors mad maildir matroska mbox midi mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mudflap mule mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc objc++ objc-gc offensive ogg opengl openmp pam pango pcre pdf perl php plotutils pmu png ppds pppd prediction preview-latex print python qt3 qt3support qt4 quicktime readline reflection samba sdk session slang spell spl sse ssl svg svga t1lib tcl tcpd tetex theora threads thumbnailing tiff tk toolkit-scroll-bars totem tracker truetype truetype-fonts type1-fonts udev unicode usb userlocales vcd videos vorbis win32codecs wmf wxwindows x86 xface xft xine xml xorg xosd xpm xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="canon ptp2" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" LIRC_DEVICES="atiusb" USERLAND="GNU" VIDEO_CARDS="vesa fbdev fglrx"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/5
------------------------------------------------------------------------
On 2008-03-29T11:09:22+00:00 fauli wrote:
Created attachment 147621
patch.out
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/6
------------------------------------------------------------------------
On 2008-03-29T15:23:17+00:00 vapier wrote:
-r20 needs to get sorted out otherwise first. we're focusing on stable
here, not ~arrch.
fixed patch failure with USE=X509 by not applying the gsskex patch
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/7
------------------------------------------------------------------------
On 2008-03-29T16:07:58+00:00 ranger wrote:
ppc and ppc64 stablized openssh-4.7_p1-r5
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/8
------------------------------------------------------------------------
On 2008-03-29T17:14:42+00:00 jer wrote:
Stable for HPPA.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/9
------------------------------------------------------------------------
On 2008-03-29T18:12:25+00:00 fauli wrote:
x86 stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/10
------------------------------------------------------------------------
On 2008-03-29T19:11:40+00:00 rich0 wrote:
amd64 stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/11
------------------------------------------------------------------------
On 2008-03-29T19:37:10+00:00 rbu wrote:
(In reply to comment #7)
> -r20 needs to get sorted out otherwise first. we're focusing on stable here,
> not ~arrch.
~arch is what I meant. We don't need to stable -r20+, but a simple rev-
bump and inclusion of the patch should secure ~arch users.
Vulnerabilities should be fixed in latest arch and ~arch versions. ~arch
will not be covered by the GLSA process though.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/12
------------------------------------------------------------------------
On 2008-03-30T09:32:49+00:00 armin76 wrote:
alpha/ia64/sparc stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/13
------------------------------------------------------------------------
On 2008-03-30T11:39:29+00:00 pva wrote:
Fixed in release snapshot. CC'ing Diego, take a look at #12.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/14
------------------------------------------------------------------------
On 2008-03-30T13:59:35+00:00 flameeyes wrote:
Not sure what I have to look at, I used -r20 so that -r5 and so on can
be kept for stable non-pambase-aware ebuilds and -r21 could follow that
path... is there a problem with providing two ebuilds? (-r5 and -r21)?
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/15
------------------------------------------------------------------------
On 2008-03-30T22:21:10+00:00 rbu wrote:
(In reply to comment #15)
> Not sure what I have to look at, I used -r20 so that -r5 and so on can be kept
> for stable non-pambase-aware ebuilds and -r21 could follow that path... is
> there a problem with providing two ebuilds? (-r5 and -r21)?
No problem at all, just bump -r20 to -r21 including the patch, both
staying ~arch.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/16
------------------------------------------------------------------------
On 2008-03-30T23:56:54+00:00 vapier wrote:
that patch isnt the only thing to go into the ebuild. i'll take care of
the -r21 transition, but as i said i'm not doing it just yet until other
things get sorted out (specific to the -r20 ebuild).
as you already noted, security is concerned about stable, not unstable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/17
------------------------------------------------------------------------
On 2008-03-31T15:53:33+00:00 rbu wrote:
request filed.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/18
------------------------------------------------------------------------
On 2008-04-05T12:55:13+00:00 rbu wrote:
GLSA 200804-03
Fixed for ~arch in 5.0_p1
Reply at:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/comments/28
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/210175
Title:
[openssh] [CVE-2008-1483] allows local users to hijack forwarded X
connections
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Dapper:
Fix Released
Status in openssh source package in Edgy:
Fix Released
Status in openssh source package in Feisty:
Fix Released
Status in openssh source package in Gutsy:
Fix Released
Status in openssh package in Debian:
Fix Released
Status in openssh package in Gentoo Linux:
Fix Released
Status in openssh package in Mandriva:
Unknown
Bug description:
References:
MDVSA-2008:078 (http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:078)
Quoting:
"OpenSSH allows local users to hijack forwarded X connections by causing
ssh to set DISPLAY to :10, even when another process is listening on
the associated port."
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/210175/+subscriptions
More information about the foundations-bugs
mailing list