Bug 439079 - (CVE-2008-1483) CVE-2008-1483 openssh may set DISPLAY even if it's unable to listen on respective port
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=debian,reported=20080108,publi...
: Security
Depends On:
Blocks:
Reported: 2008-03-26 16:47 EDT by Red Hat Product Security
Modified: 2014-10-29 22:44 EDT (History)

See Also:
Fixed In Version: openssh 5.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-23 11:51:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Lubomir Kundrak 2008-03-26 16:47:33 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1483 to the following vulnerability:

OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
Comment 1 Lubomir Kundrak 2008-03-26 16:55:14 EDT
None of the supported releases of Fedora are vulnerable, as the fix is a side effect
of another fix applied:

http://cvs.fedora.redhat.com/viewcvs/rpms/openssh/devel/openssh-3.9p1-skip-used.patch?rev=1.1&view=log
Comment 2 Lubomir Kundrak 2008-03-26 17:05:16 EDT
The Red Hat Security Response Team has rated this issue as having low security
impact; a future update may address this flaw. More information regarding issue
severity can be found here:
http://www.redhat.com/security/updates/classification/#low

Versions of openssh packages as shipped with Red Hat Enterprise Linux versions 4
and 5 are not vulnerable to this issue as it was fixed as a side effect of
another change.

The risks associated with fixing this bug are greater than the low severity
security risk. We therefore currently have no plans to fix this flaw in Red Hat
Enterprise Linux 2.1 which is in maintenance mode.
Comment 3 Tomas Hoger 2008-04-03 07:34:52 EDT
Further clarification of the comment #3:

This issue is only exploitable on systems with IPv6 enabled, which is not by
default on Red Hat Enterprise Linux 2.1 and 3.  Therefore it was rated as having
low security impact on those Red Hat Enterprise Linux versions.  The issue is fixed
in Red Hat Enterprise Linux 4 and 5.

This issue was fixed in upstream OpenSSH version 5.0:

  http://www.openssh.com/txt/release-5.0
Comment 5 Red Hat Bugzilla 2009-10-23 15:04:26 EDT
Reporter changed to security-response-team@redhat.com by request of Jay Turner.
Comment 11 Tomas Hoger 2010-03-19 04:00:55 EDT
(In reply to comment #2)

> Versions of openssh packages as shipped with Red Hat Enterprise Linux versions 4
> and 5 are not vulnerable to this issue as it was fixed as a side effect of
> another change.

Not really a side effect.  This issue was previously reported via bug #163732 against Red Hat Enterprise Linux 4 openssh and it was fixed as normal bug, as the security implications of the flaw were missed at that time:

http://rhn.redhat.com/errata/RHSA-2005-527.html

The patch from Red Hat Enterprise Linux openssh packages was adopted upstream in 5.0:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.272;r2=1.273;f=h

(In reply to comment #1)

> http://cvs.fedora.redhat.com/viewcvs/rpms/openssh/devel/openssh-3.9p1-skip-used.patch?rev=1.1&view=log

This URL no longer works, cvs.fedoraproject.org has to be used instead of cvs.fedora.redhat.com:

http://cvs.fedoraproject.org/viewvc/rpms/openssh/devel/openssh-3.9p1-skip-used.patch
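The fix the comments above describe (a display number is rejected unless sshd can bind its port on every available address family, instead of being accepted when only the IPv6 bind succeeds and a local process already holds the IPv4 port) as an added, stand-alone C model; this is not OpenSSH's channels.c code. The names choose_display, tcp_listen, simulated_listen and the LISTEN_* codes are assumptions made for this example, and simulated_listen is a constructed stand-in for the scenario in the report.

```c
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#define X11_BASE_PORT 6000
#define MAX_DISPLAYS 1000
#define LISTEN_UNSUPPORTED -1 /* address family not available on this host: ignore it */
#define LISTEN_INUSE       -2 /* family available, but the port could not be bound: display is taken */
typedef int (*listen_fn)(int family, int port); /* returns a listening fd or one of the codes above */

/* Pick the first X11 display at or after `first`. strict == 0: accept a display as soon as one family
 * binds (the flawed behaviour). strict != 0: accept only if every available family binds, otherwise
 * release the partial binds and try the next display (the 5.0 behaviour). Bound fds stay in socks[]. */
int choose_display(int first, int strict, listen_fn try_listen, int socks[2], int *nsocks)
{
    static const int families[2] = { AF_INET, AF_INET6 };
    for (int d = first; d < MAX_DISPLAYS; d++) {
        int n = 0, in_use = 0;
        for (int i = 0; i < 2; i++) {
            int r = try_listen(families[i], X11_BASE_PORT + d);
            if (r >= 0) socks[n++] = r;
            else if (r == LISTEN_INUSE) in_use = 1;
        }
        if (n > 0 && !(strict && in_use)) { *nsocks = n; return d; }
        for (int i = 0; i < n; i++) close(socks[i]); /* reject this display: release partial binds */
    }
    return -1;
}

/* Real loopback listener, as sshd uses with X11UseLocalhost. The IPv6 socket is V6ONLY so it can never
 * mask a foreign IPv4 listener; EADDRNOTAVAIL (no ::1 configured) counts as "family unsupported". */
int tcp_listen(int family, int port)
{
    struct sockaddr_in6 s6 = { .sin6_family = AF_INET6, .sin6_addr = IN6ADDR_LOOPBACK_INIT, .sin6_port = htons(port) };
    struct sockaddr_in s4 = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK), .sin_port = htons(port) };
    int fd = socket(family, SOCK_STREAM, 0), v6only = 1, rc;
    if (fd < 0) return (errno == EAFNOSUPPORT || errno == EINVAL) ? LISTEN_UNSUPPORTED : LISTEN_INUSE;
    if (family == AF_INET6) setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only);
    rc = family == AF_INET6 ? bind(fd, (struct sockaddr *)&s6, sizeof s6) : bind(fd, (struct sockaddr *)&s4, sizeof s4);
    if (rc < 0 || listen(fd, 5) < 0) { rc = errno; close(fd); return rc == EADDRNOTAVAIL ? LISTEN_UNSUPPORTED : LISTEN_INUSE; }
    return fd;
}

/* Constructed model of the report: a local process already owns 127.0.0.1:6010, everything else is
 * free. The "fds" it returns are fake (>= 1000), so close() on them is a harmless EBADF. */
int simulated_listen(int family, int port)
{
    return (family == AF_INET && port == 6010) ? LISTEN_INUSE : 1000 + port - X11_BASE_PORT;
}
```

With simulated_listen, the flawed policy returns display 10 having bound only ::1 (DISPLAY would point at a port an untrusted process answers on for IPv4), while the strict policy skips to display 11.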
Comment 18 Vincent Danen 2010-12-23 11:51:47 EST
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2005:527)
