Red Hat Bugzilla – Bug 439079
CVE-2008-1483 openssh may set DISPLAY even if it's unable to listen on respective port
Last modified: 2014-10-29 22:44:30 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1483 to the following vulnerability:
OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
None of supported releases of Fedora is vulnerable, as the fix is a side effect
of another fix applied:
The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw. More information regarding issue
severity can be found here:
Versions of openssh packages as shipepd with Red Hat Enterprise Linux versions 4
and 5 are not vulnerable to this issue as it was fixed as a side effect of
The risks associated with fixing this bug are greater than the low severity
security risk. We therefore currently have no plans to fix this flaw in Red Hat
Enterprise Linux 2.1 which is in maintenance mode.
Further clarification of the comment #3:
This issue is only exploitable on systems with IPv6 enabled, which is not by
default on Red Hat Enterprise Linux 2.1 and 3. Therefore it was rated as having
low security impact on those Red Hat Enterprise Linux versions. Issue is fixed
in Red Hat Enterprise Linux 4 and 5.
This issue was fixed in upstream OpenSSH version 5.0:
Reporter changed to firstname.lastname@example.org by request of Jay Turner.
(In reply to comment #2)
> Versions of openssh packages as shipepd with Red Hat Enterprise Linux versions 4
> and 5 are not vulnerable to this issue as it was fixed as a side effect of
> another change.
Not really a side effect. This issue was previously reported via bug #163732 against Red Hat Enterprise Linux 4 openssh and it was fixed as normal bug, as the security implications of the flaw were missed at that time:
The patch from Red Hat Enterprise Linux openssh packages was adopted upstream in 5.0:
(In reply to comment #1)
This URL no longer works, cvs.fedoraproject.org has to be used instead of cvs.fedora.redhat.com:
This was addressed via:
Red Hat Enterprise Linux version 4 (RHSA-2005:527)