Bug 280361 (CVE-2007-4752)

Summary: CVE-2007-4752 openssh falls back to the trusted x11 cookie if generation of an untrusted cookie fails
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: skakar, tmraz
Keywords: Security
Hardware: All
OS: Linux
URL: http://openssh.org/txt/release-4.7
Doc Type: Bug Fix
Last Closed: 2010-03-29 09:49:05 UTC
Bug Depends On: 280461, 280471, 459286, 459287, 459288, 459289, 459290, 459291

Description Tomas Hoger 2007-09-06 12:15:29 UTC
OpenSSH release 4.7 fixes the following security-related issue:

 * Prevent ssh(1) from using a trusted X11 cookie if creation of an
   untrusted cookie fails; found and fixed by Jan Pechanec.


OpenSSH 4.7 release notes:

http://openssh.org/txt/release-4.7

Upstream patch:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181

Comment 2 Tomas Hoger 2007-09-11 11:16:54 UTC
The Red Hat Security Response Team has rated this issue as having low
security impact; a future update may address this flaw. More
information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

This issue did not affect openssh packages as distributed with Red Hat
Enterprise Linux 2.1 or 3, as they do not support Trusted X11
forwarding.

On Red Hat Enterprise Linux 4 and 5, Trusted X11 forwarding is enabled
in the default ssh client configuration as of Red Hat Enterprise Linux 4
Update 1 and is used whenever X11 forwarding is used.  Therefore exploitation
of this issue with the default client configuration will not give an attacker
any additional privileges.

Comment 3 Tomas Hoger 2010-03-29 09:49:05 UTC
https://www.redhat.com/security/data/cve/CVE-2007-4752.html

Fixed in Red Hat Enterprise Linux 4 and 5 via:
https://rhn.redhat.com/errata/RHSA-2008-0855.html
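
The configuration dependence described in Comment 2, as an added example that is not part of this bug report or of OpenSSH: a small ssh_config reader that reports, per host, whether X11 forwarding is disabled, trusted or untrusted. Hosts reported as "untrusted" are the ones where the client relies on generating an untrusted cookie, which is the case this flaw concerns. The function names, sample host names and sample file contents are constructed for illustration, and shell-style wildcard matching stands in for ssh's own pattern matcher.

```python
import fnmatch

def _host_matches(patterns, host):
    """Host line semantics: a negated (!) match excludes, else any match includes."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def x11_mode(host, *config_texts):
    """Return 'disabled', 'trusted' or 'untrusted' for host.

    config_texts: ssh_config contents in lookup order (user, then system);
    the first value obtained wins. Match blocks and -X/-Y are not handled.
    Upstream defaults assumed when unset: ForwardX11 no, ForwardX11Trusted no.
    """
    opts = {"forwardx11": None, "forwardx11trusted": None}
    for text in config_texts:
        active = True  # options before the first Host line apply to every host
        for raw in text.splitlines():
            parts = raw.strip().replace("=", " ", 1).split(None, 1)
            if len(parts) < 2 or parts[0].startswith("#"):
                continue
            key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
            if key == "host":
                active = _host_matches(value.split(), host.lower())
            elif key == "match":
                active = False  # simplification: Match blocks are skipped
            elif active and key in opts and opts[key] is None:
                opts[key] = value
    if opts["forwardx11"] != "yes":
        return "disabled"
    return "trusted" if opts["forwardx11trusted"] == "yes" else "untrusted"

# Constructed sample files (not taken from any real system).
SYSTEM_CONFIG = "Host *\n\tForwardX11Trusted yes\n"
USER_CONFIG = """\
Host build-* !build-gui
    ForwardX11 yes
    ForwardX11Trusted no
Host *.lab.example
    ForwardX11=yes
"""
if __name__ == "__main__":
    for h in ("build-01", "build-gui", "ws1.lab.example", "mail.example"):
        print(h, x11_mode(h, USER_CONFIG, SYSTEM_CONFIG))
```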