Bug 208458 - CVE-2006-5051 unsafe GSSAPI signal handler
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Whiteboard: reported=20060928,source=vendorsec,im...
Keywords: Security
Depends On:
Blocks:
Reported: 2006-09-28 14:36 EDT by Josh Bressers
Modified: 2007-11-30 17:11 EST (History)

Doc Type: Bug Fix
Last Closed: 2006-10-06 11:26:14 EDT

Attachments: None
Description Josh Bressers 2006-09-28 14:36:26 EDT
+++ This bug was initially created as a clone of Bug #208347 +++

OpenSSH 4.4 was released and mentions:

        * Fix an unsafe signal handler reported by Mark Dowd. The
        signal handler was vulnerable to a race condition that could
        be exploited to perform a pre-authentication denial of
        service. On portable OpenSSH, this vulnerability could
        theoretically lead to pre-authentication remote code execution
        if GSSAPI authentication is enabled, but the likelihood of
        successful exploitation appears remote.

-- Additional comment from bressers@redhat.com on 2006-09-28 11:17 EST --
I've done some analysis of this issue and received a mail from Mark Dowd
regarding this vulnerability.  The upstream details are misleading.

The problem is that the signal handling in openssh does quite a lot and can
introduce a race condition during cleanup.  This flaw could possibly cause a
double free condition within the kerberos cleanup code.  The GSSAPI code is
completely harmless; upstream calling this a GSSAPI issue leads me to
believe they did not analyze, nor try to understand, this issue.

There is also PAM cleanup code which is executed.  This PAM source hasn't been
investigated so the possible outcome is currently unknown.

Red Hat will be fixing this issue due to the incredible complexity and possible
danger.  This is a case of better safe than sorry.
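The defect described above is a signal handler that performs real work (freeing authentication state) while the interrupted main code may be in the middle of the same cleanup, so free() can run twice on the same buffer. The following is an added illustration of the safe pattern, written for this page and not taken from OpenSSH or from the fix shipped in this erratum: the handler only records that the grace-period alarm fired, and the main loop performs the cleanup, which is written so that a second call is a harmless no-op. The credential buffer, the `grace_alarm_handler` and `cleanup_credentials` names and the "constructed-ticket-bytes" content are all constructed for the example. The unsafe variant is shown as an uninstalled function for contrast only.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a process that owns a heap-allocated credential
 * buffer and must release it when the login grace timer (SIGALRM) fires. */
static char *cred_buf = NULL;               /* resource released on cleanup */
static volatile sig_atomic_t got_signal = 0; /* only thing the handler touches */
static int free_count = 0;                  /* how many times free() ran */

/* Idempotent cleanup: a second call finds cred_buf == NULL and does nothing,
 * so the double free described in the bug cannot happen through this path. */
int cleanup_credentials(void)
{
    if (cred_buf == NULL)
        return 0;
    free(cred_buf);
    cred_buf = NULL;        /* clear before anything else can observe it */
    free_count++;
    return 1;
}

/* UNSAFE pattern (not installed here): calling free() from signal context
 * races with cleanup_credentials() running in the main code. This is the
 * shape of handler the bug report is about. */
static void unsafe_alarm_handler(int sig)
{
    (void)sig;
    free(cred_buf);         /* async-signal-unsafe; may free an already freed buffer */
}

/* SAFE pattern: async-signal-safe handler that only sets a flag. */
static void grace_alarm_handler(int sig)
{
    (void)sig;
    got_signal = 1;
}

int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_handler;    /* deliberately not unsafe_alarm_handler */
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    (void)unsafe_alarm_handler;             /* referenced so the contrast compiles */
    return sigaction(SIGALRM, &sa, NULL);
}

int acquire_credentials(const char *blob)
{
    cleanup_credentials();                  /* release any previous buffer first */
    cred_buf = strdup(blob);
    return cred_buf != NULL;
}

/* One pass of the main loop: cleanup happens here, in normal context. */
int service_pending_signal(void)
{
    if (!got_signal)
        return 0;
    got_signal = 0;
    cleanup_credentials();
    return 1;
}

int free_calls(void) { return free_count; }

/* Drives the sequence synchronously with raise(3) so it is reproducible:
 * two alarms, one buffer, exactly one free(). Returns the free() count. */
int run_demo(void)
{
    if (install_handler() != 0)
        return -1;
    acquire_credentials("constructed-ticket-bytes");
    raise(SIGALRM);             /* handler only sets got_signal */
    service_pending_signal();   /* frees the buffer once */
    raise(SIGALRM);
    service_pending_signal();   /* second cleanup is a no-op */
    return free_count;
}

int main(void)
{
    return run_demo() == 1 ? 0 : 1;
}
```

The two properties that matter are separable: the handler touching nothing but a `volatile sig_atomic_t` removes the signal-context allocator call, and nulling the pointer inside `cleanup_credentials` makes any remaining duplicate call harmless, which is the cheap defensive check to look for when reviewing cleanup code reached from both a handler and normal control flow.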
Comment 1 Fedora Update System 2006-10-03 16:02:37 EDT
openssh-4.3p2-4.10 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
