Bug 208347 (CVE-2006-5051)
| Summary: | CVE-2006-5051 unsafe GSSAPI signal handler | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mark J. Cox <mjc> |
| Component: | vulnerability | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bressers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | RHSA-2006-0697 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-09-29 00:18:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I've done some analysis of this issue and received a mail from Mark Dowd regarding this vulnerability. The upstream details are misleading. The problem is that the signal handling in openssh does quite a lot and can introduce a race condition during cleanup. This flaw could possibly cause a double free condition within the kerberos cleanup code. The GSSAPI code is completely harmless, upstream calling this issue a GSSAPI issue leads me to believe they did not analyze, nor try to understand this issue. There is also PAM cleanup code which is executed. This PAM source hasn't been investigated so the possible outcome is currently unknown. Red Hat will be fixing this issue due to the incredible complexity and possible danger. This is a case of better safe than sorry. This issue also likely affects RHEL3 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0697.html |
OpenSSH 4.4 was released and mentions: * Fix an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. This could only affect RHEL4 as previous RHEL did not support GSSAPI