Bug 1489013
Summary: | ssh is failing to export the display variable when configured vi /etc/sysctl.conf | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Ajinkya Patil <ajipatil> | |
Component: | openssh | Assignee: | Jakub Jelen <jjelen> | |
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 7.4 | CC: | cww, jjelen, nmavrogi, riehecky, stepglenn, szidek | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | If docs needed, set a value | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1662189 (view as bug list) | Environment: | ||
Last Closed: | 2018-11-12 10:07:53 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1594286, 1662189 |
Description
Ajinkya Patil
2017-09-06 15:10:39 UTC
As visible from the upstream bug, there is no progress except for the proposed bug from Suse. I would like to avoid introducing something different solutions than will end up being upstream (though there are not many other possibilities how it can be fixed, it it will ever be). We discussed basically the same issue in the bug #1436097. Another discussion about the same issue is in upstream bug [1], but so far we have only workaround that needs a configuration using AddressFamily. [1] https://bugzilla.mindrot.org/show_bug.cgi?id=1356 That plan makes sense. Can something be done to get the upstream bug assigned? Currently it is assigned to no one which doesn't make progress likely. > Can something be done to get the upstream bug assigned? Currently it is assigned to no one which doesn't make progress likely.
No. I am not OpenSSH upstream developer so it does not make sense to assign myself to this bug. It does not look good if you try to assign somebody else from the developers either. At this point, the only hope is patience and workarounds.
Greetings, Do we have any update? No, there is no update on upstream bug nor on any other related in upstream. As I noted in the previous comment, there is no way how to make some upstream resolution from here nor I see this as a very high priority to implement it downstream with potential security implications, since we have pretty simple documented workarounds for these specific use cases. hello jakub, I completely understand the situation, however one our customer needs a patch for this. They are not willing to stay with the workaround for a long time. OK, once again I went down the the CVE-2008-1483 and tried to understand the consequences, the current fix and if the proposed fix opens this or some different security problem. For the interested parties, the initial report about the CVE was filled in the Debian bug tracked and describes the way how to drive this attack: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011 The problem represented in the CVE is that if we do not bind the port on IPv4 address but on IPv6 only, the attacker can have access to IPv4 one and because the DISPLAY environment variable does not list the host address family (just :10 for example), the X applications can send the data to the attacker. I just tested the behavior with the proposed patch from upstream bug and with two Fedora 26 boxes. It works as expected, the client gets the next display and attacker can not get hold of the data as described in the Debian reproducer. I am quite convinced that it is safe to apply this change. For some reason, upstream is not so I added one more comment to this bug if we can get some update. If we would like to go without upstream, we would really need QE confirmation. I will try to bring it up if there will be able to move on without upstream. Hello Jakub, Thank you for your efforts. I will wait for your update. Please let me know if you need any further data. |