Bug 208347 (CVE-2006-5051) - CVE-2006-5051 unsafe GSSAPI signal handler
Summary: CVE-2006-5051 unsafe GSSAPI signal handler
Alias: CVE-2006-5051
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2006-09-27 22:41 UTC by Mark J. Cox
Modified: 2021-11-12 19:34 UTC (History)
1 user (show)

Fixed In Version: RHSA-2006-0697
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-09-29 00:18:27 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0697 0 normal SHIPPED_LIVE Important: openssh security update 2006-09-28 04:00:00 UTC

Description Mark J. Cox 2006-09-27 22:41:06 UTC
OpenSSH 4.4 was released and mentions:

        * Fix an unsafe signal hander reported by Mark Dowd. The
        signal handler was vulnerable to a race condition that could
        be exploited to perform a pre-authentication denial of
        service. On portable OpenSSH, this vulnerability could
        theoretically lead to pre-authentication remote code execution
        if GSSAPI authentication is enabled, but the likelihood of
        successful exploitation appears remote.

This could only affect RHEL4 as previous RHEL did not support GSSAPI

Comment 2 Josh Bressers 2006-09-28 15:17:17 UTC
I've done some analysis of this issue and received a mail from Mark Dowd
regarding this vulnerability.  The upstream details are misleading.

The problem is that the signal handling in openssh does quite a lot and can
introduce a race condition during cleanup.  This flaw could possibly cause a
double free condition within the kerberos cleanup code.  The GSSAPI code is
completely harmless, upstream calling this issue a GSSAPI issue leads me to
believe they did not analyze, nor try to understand this issue.

There is also PAM cleanup code which is executed.  This PAM source hasn't been
investigated so the possible outcome is currently unknown.

Red Hat will be fixing this issue due to the incredible complexity and possible
danger.  This is a case of better safe than sorry.

Comment 3 Josh Bressers 2006-09-28 15:22:36 UTC
This issue also likely affects RHEL3

Comment 5 Red Hat Bugzilla 2006-09-29 00:18:27 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.