Bug 168935 - CAN-2005-2798, CAN-2004-2069, CVE-2006-0225 OpenSSH vulnerabilities
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: openssh
Version: unspecified
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://www.securityfocus.com/bid/14729
Whiteboard: LEGACY, rh73, rh90, 1, 2, 3
Keywords: Security
Duplicates: 178704
Depends On:
Blocks: 178704

Reported: 2005-09-21 10:16 EDT by John Dalbec
Modified: 2007-04-18 13:31 EDT
CC: 5 users
Doc Type: Bug Fix
Last Closed: 2006-02-18 14:14:38 EST

External Trackers
Tracker ID Priority Status Summary Last Updated
OpenSSH Project 1094 None None None Never
Description John Dalbec 2005-09-21 10:16:45 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050729 Netscape/8.0.3.3

Description of problem:
05.36.17 CVE: CAN-2005-2798
Platform: Cross Platform
Title: OpenSSH GSSAPI Credential Disclosure Vulnerability
Description: OpenSSH is reported to be vulnerable to a GSSAPI
credential delegation issue. When a user has GSSAPI authentication
configured and "GSSAPIDelegateCredentials" enabled, their kerberos
credentials will be forwarded to remote hosts. OpenSSH versions prior
to 4.2 are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14729 

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:
Comment 1 John Dalbec 2005-10-11 10:09:08 EDT
05.40.19 CVE: CAN-2004-2069
Platform: Cross Platform
Title: OpenSSH LoginGraceTime Remote Denial of Service
Description: OpenSSH is susceptible to a remote denial of service
vulnerability. This issue is due to a design flaw when servicing
timeouts related to the "LoginGraceTime" server configuration
directive. Specifically, when "LoginGraceTime" in conjunction with
"MaxStartups" and "UsePrivilegeSeparation" are configured and enabled
in the server, a condition may arise where the server refuses further
remote connection attempts. For a list of vulnerable versions, please
visit the reference provided.
Ref: http://www.securityfocus.com/bid/14963
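The two advisories above name concrete configuration keywords: `GSSAPIDelegateCredentials` on the client side (CAN-2005-2798) and the `LoginGraceTime` / `MaxStartups` / `UsePrivilegeSeparation` combination on the server side (CAN-2004-2069). As an added example, not part of this bug report and not OpenSSH code, the following Python script parses an `ssh_config`/`sshd_config`-style file and reports those settings so an administrator can see which hosts are exposed until the fixed packages are installed. The sample configurations are constructed, the function names (`parse_ssh_config`, `audit_client`, `audit_server`) are this example's own, and the defaults assumed for server keywords the file leaves unset (LoginGraceTime 120, MaxStartups 10, UsePrivilegeSeparation yes, the documented defaults of OpenSSH releases of that era) are labelled as an assumption in the code.

```python
"""Audit ssh_config/sshd_config for the settings named in CAN-2005-2798 and
CAN-2004-2069.  Added example for this bug page; not OpenSSH code."""
import re

# One "Keyword value" per line; keywords are case-insensitive, '#' starts a
# comment, and "Keyword=value" / "Keyword = value" are accepted as well.
_LINE = re.compile(r"([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$")

# Defaults assumed for server keywords that the file does not set (the
# documented defaults of the OpenSSH releases discussed in the bug; this
# mapping is an assumption of the example, check your own sshd_config(5)).
SERVER_DEFAULTS = {
    "logingracetime": "120",
    "maxstartups": "10",
    "useprivilegeseparation": "yes",
}


def parse_ssh_config(text):
    """Return a list of (block, keyword, value).  'block' is '*' for settings
    outside any Host/Match section, otherwise the Host/Match pattern."""
    entries, block = [], "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            block = value          # a new section starts here
            continue
        entries.append((block, key, value))
    return entries


def _seconds(value):
    """Convert an sshd time value ('120', '2m', '1h30m') to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    total, digits = 0, ""
    for ch in value.lower():
        if ch.isdigit():
            digits += ch
        elif ch in units and digits:
            total += int(digits) * units[ch]
            digits = ""
        else:
            raise ValueError("bad time value: %r" % value)
    return total + (int(digits) if digits else 0)


def audit_client(entries):
    """CAN-2005-2798: every section that turns on credential delegation."""
    findings = []
    for block, key, value in entries:
        if key == "gssapidelegatecredentials" and value.lower() == "yes":
            findings.append(
                "[Host %s] GSSAPIDelegateCredentials yes: Kerberos credentials "
                "are forwarded to the remote host (CAN-2005-2798 affects "
                "OpenSSH before 4.2)" % block)
    return findings


def audit_server(entries):
    """CAN-2004-2069: LoginGraceTime, MaxStartups and UsePrivilegeSeparation
    all in effect.  Only the global section is considered; as in sshd, the
    first occurrence of a keyword wins."""
    effective = dict(SERVER_DEFAULTS)
    seen = set()
    for block, key, value in entries:
        if block == "*" and key in effective and key not in seen:
            effective[key] = value
            seen.add(key)
    grace = _seconds(effective["logingracetime"])
    startups = int(effective["maxstartups"].split(":")[0])  # 'start:rate:full' form
    privsep = effective["useprivilegeseparation"].lower() != "no"
    if grace > 0 and startups > 0 and privsep:
        return ["LoginGraceTime %ds, MaxStartups %d and UsePrivilegeSeparation "
                "are all in effect: the combination described for "
                "CAN-2004-2069, under which an unpatched sshd may refuse further "
                "connections; install the fixed openssh-server package"
                % (grace, startups)]
    return []


# Constructed sample configurations (not taken from any real host).
SAMPLE_SSH_CONFIG = """\
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes     # forwards the TGT to every host
Host build.internal
    GSSAPIDelegateCredentials = no
"""

SAMPLE_SSHD_CONFIG = """\
# constructed server configuration
LoginGraceTime 2m
MaxStartups 10
UsePrivilegeSeparation yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

if __name__ == "__main__":
    for finding in audit_client(parse_ssh_config(SAMPLE_SSH_CONFIG)):
        print("client:", finding)
    for finding in audit_server(parse_ssh_config(SAMPLE_SSHD_CONFIG)):
        print("server:", finding)
```

Run it on a real file with `parse_ssh_config(open("/etc/ssh/sshd_config").read())`; the server check deliberately fires for an empty file, because the three keywords are all enabled by default and the advisory describes the default combination, not an exotic one.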
Comment 2 Marc Deslauriers 2006-01-23 23:35:26 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA that fix these issues and the issue from bug
#178704:

86357ea99e0837b4d1034538fdbb98a1a27d3fc5  7.3/openssh-3.1p1-14.3.legacy.i386.rpm
69fa35dd258d0527c385f45fa13dbd960ff1063e  7.3/openssh-3.1p1-14.3.legacy.src.rpm
4931165763d6a71e663666dda2a9bfea3f25bc36  7.3/openssh-askpass-3.1p1-14.3.legacy.i386.rpm
85b03e049b9dec2d64840acca863a6893b3db446  7.3/openssh-askpass-gnome-3.1p1-14.3.legacy.i386.rpm
9f08ab7ed516da25dc191d0b58e9f8c0dfc61324  7.3/openssh-clients-3.1p1-14.3.legacy.i386.rpm
bdad5f4c1b958803b2540bd5483e6377b77436f9  7.3/openssh-server-3.1p1-14.3.legacy.i386.rpm

4051b188164dc52c26d95bb59a9fd4de01675468  9/openssh-3.5p1-11.4.legacy.i386.rpm
fb54f9535ae8a45a0b713c087a79238e99f9011d  9/openssh-3.5p1-11.4.legacy.src.rpm
220fa914d8190feedd329d026baed633bb8f49cd  9/openssh-askpass-3.5p1-11.4.legacy.i386.rpm
87e4de20eea8e7ab465fb804620ae802d5f1dd8a  9/openssh-askpass-gnome-3.5p1-11.4.legacy.i386.rpm
a9b55c2acd16683ec074d0c2ee597d880cc67fc0  9/openssh-clients-3.5p1-11.4.legacy.i386.rpm
68eb044d9ebc8cb3a476afb970d84833288a3a5a  9/openssh-server-3.5p1-11.4.legacy.i386.rpm

71e9861115fc6044b9b58b1d130a48481b2f7518  1/openssh-3.6.1p2-19.4.legacy.i386.rpm
f1be5c37e6b3e135f790e6b8f31531e88a5f3d5d  1/openssh-3.6.1p2-19.4.legacy.src.rpm
880d4616dba0d81a8c9f4abb6d214208f4cc332b  1/openssh-askpass-3.6.1p2-19.4.legacy.i386.rpm
f6d261d7b77b6f9615a7b213e2b4a61b6cb72a27  1/openssh-askpass-gnome-3.6.1p2-19.4.legacy.i386.rpm
899fce3ff00fe87cce20974c9be059af6354effa  1/openssh-clients-3.6.1p2-19.4.legacy.i386.rpm
a647ccced966a440c56621bd49cfa9c04651f0d3  1/openssh-server-3.6.1p2-19.4.legacy.i386.rpm

c0008f00752796b6cb8d5fe819c54febfc86aafc  2/openssh-3.6.1p2-34.4.legacy.i386.rpm
18e1d28a75342115cf5af6ddea7927b54655c23d  2/openssh-3.6.1p2-34.4.legacy.src.rpm
4d1c59cbbf8953d91b930573eaa3283bf799c3f3  2/openssh-askpass-3.6.1p2-34.4.legacy.i386.rpm
738d68b10dda96c37a7f08ba06c92c9e3fd674f4  2/openssh-askpass-gnome-3.6.1p2-34.4.legacy.i386.rpm
ab6c1b398fd72fc5f236f46d9a692df9c0d1fda6  2/openssh-clients-3.6.1p2-34.4.legacy.i386.rpm
5d317acb7a8586d4388218b9bb1195a3990f5079  2/openssh-server-3.6.1p2-34.4.legacy.i386.rpm

994a6012fd99a1be0ec49a47bef29211a0fb48b8  3/openssh-3.9p1-8.0.4.legacy.i386.rpm
a16e114f7d5fac3a62e9de8a7685d4060eef9801  3/openssh-3.9p1-8.0.4.legacy.src.rpm
69d1e85d328639a870a3b88fe50e5c3b7e01c771  3/openssh-askpass-3.9p1-8.0.4.legacy.i386.rpm
4b1376b90fe867325eaaf4ce3d15fce48c945fde  3/openssh-askpass-gnome-3.9p1-8.0.4.legacy.i386.rpm
a6a992d8f8a9a43c8489a5e13dae0aad9b704dac  3/openssh-clients-3.9p1-8.0.4.legacy.i386.rpm
bf20500c05e59d075db4cdba274258e7209b51fb  3/openssh-server-3.9p1-8.0.4.legacy.i386.rpm


http://www.infostrategique.com/linuxrpms/legacy/7.3/openssh-3.1p1-14.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/openssh-3.5p1-11.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/openssh-3.6.1p2-19.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/openssh-3.6.1p2-34.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/openssh-3.9p1-8.0.4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD1a/oLMAs/0C4zNoRAnsnAKCjGqJuZWSBOJuQmQycuwazrEga9wCgiOJ7
tpb9dmDf4kEHbdkqhg8DFAE=
=AJYf
-----END PGP SIGNATURE-----
Comment 3 David Eisenstein 2006-01-24 06:56:28 EST
The issue from Bug #178704 is CVE-2006-0225.
Comment 4 Pekka Savola 2006-01-25 05:02:41 EST
It appears that the GSS issue has already been fixed in previous updates in all
the distros where GSSAPI has been enabled.

I did QA and the packages are roughly OK -- checking the patches was a bit of
work though.  The check raised two questions below.

As the issues are not critical, it might not hurt to wait for a week or so to
see if Red Hat releases an update for CVE-2006-0225, to leverage their backport
work.  But I guess we could also go forward as is.



In 3.6.2p1 and 3.9 (this doesn't apply to 3.5 or 3.1 as they don't have this
code), it appears as if the following fragment:

> +     if (tuser && !okname(tuser)) {
> +             xfree(arg);
> +             return;
> +     }

.. is missing 'xfree(arg);' at least compared to 4.2p1
-- is this intentional?

I also noted that before 3.9p1, do_spawnwait return value is not
checked -- is this intentional?
Comment 5 Marc Deslauriers 2006-01-25 07:59:34 EST
Those two changes are intentional.

In the older versions, the arg variable doesn't exist, so it doesn't need to be
freed.

Before 3.9p1, openssh doesn't check the return code of the function.

Comment 6 Pekka Savola 2006-01-25 11:20:21 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL, with the notes above

+PUBLISH RHL73, RHL9, FC1, FC2, FC3

69fa35dd258d0527c385f45fa13dbd960ff1063e  openssh-3.1p1-14.3.legacy.src.rpm
fb54f9535ae8a45a0b713c087a79238e99f9011d  openssh-3.5p1-11.4.legacy.src.rpm
f1be5c37e6b3e135f790e6b8f31531e88a5f3d5d  openssh-3.6.1p2-19.4.legacy.src.rpm
18e1d28a75342115cf5af6ddea7927b54655c23d  openssh-3.6.1p2-34.4.legacy.src.rpm
a16e114f7d5fac3a62e9de8a7685d4060eef9801  openssh-3.9p1-8.0.4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFD16Y/GHbTkzxSL7QRApBLAJ9d/WLHeHeEpm6veDXgvgCzr0og4QCfRGuj
+B4WK4wLI9RXFxrva3nB9Is=
=irnV
-----END PGP SIGNATURE-----
Comment 7 Marc Deslauriers 2006-02-11 11:33:24 EST
Packages were released to updates-testing.
Comment 8 Marc Deslauriers 2006-02-11 13:32:21 EST
*** Bug 178704 has been marked as a duplicate of this bug. ***
Comment 9 Tom Yates 2006-02-12 08:08:21 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

2e4da4da715512dccb420fc67f3bb24dae2d9a40 openssh-3.5p1-11.4.legacy.i386.rpm
f0e967606a821ec50f6d0af708935a9f04b52d11 openssh-clients-3.5p1-11.4.legacy.i386.rpm
d49d40f814c95319dff11a49f8bb66dcdd3f808c openssh-server-3.5p1-11.4.legacy.i386.rpm

installs OK.  can ssh and scp in and out of the upgraded system fine.

+VERIFY RH9


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD7zRfePtvKV31zw4RAutDAJ9NK4iAkiCoKNR9J9Jl9pXFBGiYEgCfemZp
/wcDldSDsM1vtodRPZhaEsA=
=CC6X
-----END PGP SIGNATURE-----
Comment 10 Pekka Savola 2006-02-12 11:55:06 EST
Thanks, timeout in 4 weeks!
Comment 11 Pekka Savola 2006-02-14 01:34:49 EST
New policy: automatic accept after two weeks if no negative feedback.
Comment 12 Tres Seaver 2006-02-14 23:36:40 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Re:  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168935

System:  Fedora Core 1

Packages tested:

 - openssh
 - openssh-clients
 - openssh-server

 1. Verify the GPG signature and the SHA1 checksum of the package.

    $ cd ~/tmp
    $ sha1sum *.rpm
    c962909e215becff41ab14353a0b1ef3f5a499fd  \
        openssh-3.6.1p2-19.4.legacy.i386.rpm
    3818241e59db35fe61773f7e59d9d83fafd4b16a  \
        openssh-clients-3.6.1p2-19.4.legacy.i386.rpm
    202bec4605eaf6054433a170a6432a3d449862cb  \
        openssh-server-3.6.1p2-19.4.legacy.i386.rpm

    These checksums match those published in the notification sent to
    the legacy list.

    $ rpm --checksig postgresql-*.rpm
    openssh-3.6.1p2-19.4.legacy.i386.rpm: \
        (sha1) dsa sha1 md5 gpg OK
    openssh-clients-3.6.1p2-19.4.legacy.i386.rpm: \
        (sha1) dsa sha1 md5 gpg OK
    openssh-server-3.6.1p2-19.4.legacy.i386.rpm: \
        (sha1) dsa sha1 md5 gpg OK

 2. Could you install or update the package without problems?

    The packages listed installed cleanly from the temp dir.

 3. Could you use the package, as appropriate for the package,
    without problems?

   Yes.  I could ssh into the box and scp and rsync-over-ssh files to
   and from the box after the update.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD8rDd+gerLs4ltQ4RAsJBAKDCX5MGLcIFBlL4aY/lmtSqrcydBwCg3OBu
ZQCLVPTxcQ2qVVGXX1eGA60=
=E2/z
-----END PGP SIGNATURE-----
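The first step of the QA checklist above (compare `sha1sum` output with the list published to the legacy list, then run `rpm --checksig`) can be scripted so that a mismatched, missing or never-announced file is caught automatically. The Python below is an added example, not the Fedora Legacy QA tooling and not part of this bug: it parses a list in `sha1sum` output format like the one in comment 2 (the release-directory prefix such as `1/` is stripped), hashes each downloaded package and returns a verdict per file. The function names (`parse_checksum_list`, `verify_packages`, `build_demo`) are this example's own, and the stand-in packages and digests it builds in a temporary directory are constructed data, not real Fedora Legacy packages. It replaces only the checksum comparison; `rpm --checksig` remains the step that checks the GPG signature.

```python
"""Check downloaded packages against a published sha1sum list.  Added example
for this bug page; not the Fedora Legacy QA tooling."""
import hashlib
import os
import tempfile


def parse_checksum_list(text):
    """Parse 'sha1sum' output lines ('<40 hex>  <path>', optionally '*path'
    for binary mode) into {basename: sha1hex}.  Malformed lines are skipped;
    two different digests for one file name raise, because such a list
    cannot be used for verification."""
    published = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 40:
            continue
        digest = parts[0].lower()
        try:
            int(digest, 16)
        except ValueError:
            continue
        # The list in comment 2 prefixes a release directory ('7.3/', '9/', ...)
        name = os.path.basename(parts[1].strip().lstrip("*"))
        if published.get(name, digest) != digest:
            raise ValueError("conflicting digests published for %s" % name)
        published[name] = digest
    return published


def sha1_of_file(path):
    """Stream the file through SHA-1 (packages may be large)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_packages(directory, published):
    """Return {file name: verdict} covering every .rpm in 'directory' and
    every published name.  MISSING is a published package that was not
    downloaded; UNLISTED is a downloaded file the announcement never
    vouched for, which must not be installed on the strength of the list."""
    local = {n for n in os.listdir(directory) if n.endswith(".rpm")}
    results = {}
    for name in sorted(local | set(published)):
        if name not in published:
            results[name] = "UNLISTED"
        elif name not in local:
            results[name] = "MISSING"
        elif sha1_of_file(os.path.join(directory, name)) == published[name]:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def build_demo():
    """Create a temporary download directory with constructed stand-in
    packages (tiny files, not real RPMs) and a published list that
    exercises every verdict.  Returns (directory, list_text)."""
    directory = tempfile.mkdtemp(prefix="legacy-qa-")
    contents = {
        "openssh-0.0-demo.i386.rpm": b"constructed package one",
        "openssh-clients-0.0-demo.i386.rpm": b"constructed package two",
        "openssh-server-0.0-demo.i386.rpm": b"constructed package three",
        "openssh-askpass-gnome-0.0-demo.i386.rpm": b"never announced",
    }
    for name, data in contents.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    good = ["openssh-0.0-demo.i386.rpm", "openssh-clients-0.0-demo.i386.rpm"]
    lines = ["%s  1/%s" % (hashlib.sha1(contents[n]).hexdigest(), n) for n in good]
    lines.append("%s  1/openssh-server-0.0-demo.i386.rpm" % ("0" * 40))   # wrong digest
    lines.append("%s  1/openssh-askpass-0.0-demo.i386.rpm" % ("1" * 40))  # never downloaded
    return directory, "\n".join(lines) + "\n"


def run_demo():
    """Verify the constructed download directory against its list."""
    directory, list_text = build_demo()
    return verify_packages(directory, parse_checksum_list(list_text))


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print("%-45s %s" % (name, verdict))
```

For real use, save the announcement's checksum block to a file and call `verify_packages("~/tmp" expanded, parse_checksum_list(open(listfile).read()))`; anything other than a full set of `OK` verdicts means stop before `rpm -U`.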
Comment 13 Pekka Savola 2006-02-15 02:10:04 EST
Great, thanks for the testing!
Comment 14 Donald Maner 2006-02-17 13:16:56 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following packages:

rh73:
49a20580e062c535c72c1e2bcd19ff27  openssh-3.1p1-14.3.legacy.i386.rpm
407ff594c62908db943729270a11d987  openssh-askpass-3.1p1-14.3.legacy.i386.rpm
36000b3494febba8a2ad2432ae88218d  openssh-askpass-gnome-3.1p1-14.3.legacy.i386.rpm
bcdd1830b26bab3e5407559415941324  openssh-clients-3.1p1-14.3.legacy.i386.rpm
591c501d9c1d4665ecdd990b59ef4b6b  openssh-server-3.1p1-14.3.legacy.i386.rpm

fc2:
14e634319b71ae3b7b4c1cbaefe83484  openssh-3.6.1p2-34.4.legacy.i386.rpm
905401e32afff7727eaaab03256373fe  openssh-askpass-3.6.1p2-34.4.legacy.i386.rpm
5e071671a5ea97fd63c1f90bbd9b323c  openssh-askpass-gnome-3.6.1p2-34.4.legacy.i386.rpm
50beb66a5cc47ab69c89039a70ba38d8  openssh-clients-3.6.1p2-34.4.legacy.i386.rpm
28fc00cd7c757fd7ebd6de659645e324  openssh-server-3.6.1p2-34.4.legacy.i386.rpm

fc3:

642a2761c4c1bb258bdcc52df2ad68ce  openssh-3.9p1-8.0.4.legacy.i386.rpm
80d762f09e015fdafb9b139b1746d724  openssh-askpass-3.9p1-8.0.4.legacy.i386.rpm
80cacfe9b132a0af9eea00f0e6b59487  openssh-askpass-gnome-3.9p1-8.0.4.legacy.i386.rpm
18eeebc9f20fcf3f4d46e829fca2eb58  openssh-clients-3.9p1-8.0.4.legacy.i386.rpm
9929fc739ddcae6ecfcdfec26bf53400  openssh-server-3.9p1-8.0.4.legacy.i386.rpm

Packages installed cleanly.  I tested logging in over ssh, scp, and X
forwarding.  All were successful.  No issues.

+VERIFY rh73,fc2,fc3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFD9geUpxMPKJzn2lIRApT9AJ405ZZOGyYP02SXPt9N9tA5DS2ZDgCcCVDT
A7UsMfTkzuxjNbhUg5NP1dM=
=V0X+
-----END PGP SIGNATURE-----
Comment 15 Donald Maner 2006-02-17 13:20:27 EST
ARGH, wrong bug, I'll post it on the right one.  This bugid is killing me.
Comment 16 Donald Maner 2006-02-17 13:22:01 EST
Ugh, nevermind, this is the right one, I thought I had posted that on the apache
one.  I gotta get more sleep.
Comment 17 Marc Deslauriers 2006-02-18 14:14:38 EST
Packages were released.
Comment 18 Eric Jon Rostetter 2006-02-23 14:01:57 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for FC 3 x86_64
 
Downloaded packages:
61a70c9f0cf6c152fb7f48c5857b5e002dc0527a openssh-3.9p1-8.0.4.legacy.x86_64.rpm
b8e38615db4f431c1e87204a0ecaefbabde2479b openssh-askpass-3.9p1-8.0.4.legacy.x86_64.rpm
5cd606345fb8b3ba1f7c1d6f005d18c50d0886bd openssh-askpass-gnome-3.9p1-8.0.4.legacy.x86_64.rpm
db5f2a76871dc0e6987702a492ad84252a5211c4 openssh-clients-3.9p1-8.0.4.legacy.x86_64.rpm
18f578efebdc634ee6ab363064f9ac8d81fa5cf0 openssh-server-3.9p1-8.0.4.legacy.x86_64.rpm
 
Package installed fine.  Used by two users over several days.  No problems
noticed.  Used with scp and ssh, X11 forwarding, etc.
 
Even though the package was released, I'm still posting this verify...
 
Vote for release for FC3 x86_64.  ++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFD/gdI4jZRbknHoPIRArUJAJ9zsjJAiP9CiV+Lrh6bhHw9TC7b7QCfX7PX
4t6FojwSj+ew5MVKNiq7FEo=
=qMOe
-----END PGP SIGNATURE-----