It was found that the shared memory manager used by pre-authentication compression support had a bounds checks that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first).
Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1406296]
In order to exploit this flaw, the attacker needs to first compromise the sandboxed privilege-separation process by using another security flaw. Because of this restriction for successful exploitation, this issue has been rated as having Low security impact. A future update to Red Hat Enterprise Linux 7 will address this flaw.
Just FYI, PCI QSA's are treating this issue as grounds for certification failure, so many have begun failing companies during the quarterly or annual scans when the version of OpenSSH included in RHEL 7 and older does not have a patch for this.
(In reply to Shabba from comment #5)
> Just FYI, PCI QSA's are treating this issue as grounds for certification
> failure, so many have begun failing companies during the quarterly or annual
> scans when the version of OpenSSH included in RHEL 7 and older does not have
> a patch for this.
Thank you for your information. This bugzilla is not completely correct and we should fix it.
Please, open a ticket with customer support to get up-to-date information about this issue and when it is going to be fixed.
Created attachment 1306453 [details]
removes pre-auth compression, resolves CVE-2016-10012
* removes pre-auth compression
* resolves CVE-2016-10012
* compatible with openssh rpm version 6.6.1.p1-35.el7 (meaning it can be included into rpm spec)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029