Bug 439079 (CVE-2008-1483) - CVE-2008-1483 openssh may set DISPLAY even if it's unable to listen on respective port
Summary: CVE-2008-1483 openssh may set DISPLAY even if it's unable to listen on respec...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1483
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-03-26 20:47 UTC by Red Hat Product Security
Modified: 2021-11-12 19:48 UTC (History)
5 users (show)

Fixed In Version: openssh 5.0
Clone Of:
Environment:
Last Closed: 2010-12-23 16:51:47 UTC
Embargoed:

Attachments (Terms of Use)

Description Lubomir Kundrak 2008-03-26 20:47:33 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1483 to the following vulnerability:

OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
Comment 1 Lubomir Kundrak 2008-03-26 20:55:14 UTC 
None of supported releases of Fedora is vulnerable, as the fix is a side effect
of another fix applied:

http://cvs.fedora.redhat.com/viewcvs/rpms/openssh/devel/openssh-3.9p1-skip-used.patch?rev=1.1&view=log
Comment 2 Lubomir Kundrak 2008-03-26 21:05:16 UTC 
The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw. More information regarding issue
severity can be found here:
http://www.redhat.com/security/updates/classification/#low

Versions of openssh packages as shipepd with Red Hat Enterprise Linux versions 4
and 5 are not vulnerable to this issue as it was fixed as a side effect of
another change.

The risks associated with fixing this bug are greater than the low severity
security risk. We therefore currently have no plans to fix this flaw in Red Hat
Enterprise Linux 2.1 which is in maintenance mode.
Comment 3 Tomas Hoger 2008-04-03 11:34:52 UTC 
Further clarification of the comment #3:

This issue is only exploitable on systems with IPv6 enabled, which is not by
default on Red Hat Enterprise Linux 2.1 and 3.  Therefore it was rated as having
low security impact on those Red Hat Enterprise Linux versions.  Issue is fixed
in Red Hat Enterprise Linux 4 and 5.

This issue was fixed in upstream OpenSSH version 5.0:

  http://www.openssh.com/txt/release-5.0
Comment 5 Red Hat Bugzilla 2009-10-23 19:04:26 UTC 
Reporter changed to security-response-team by request of Jay Turner.
Comment 11 Tomas Hoger 2010-03-19 08:00:55 UTC 
(In reply to comment #2)

> Versions of openssh packages as shipepd with Red Hat Enterprise Linux versions 4
> and 5 are not vulnerable to this issue as it was fixed as a side effect of
> another change.

Not really a side effect.  This issue was previously reported via bug #163732 against Red Hat Enterprise Linux 4 openssh and it was fixed as normal bug, as the security implications of the flaw were missed at that time:

http://rhn.redhat.com/errata/RHSA-2005-527.html

The patch from Red Hat Enterprise Linux openssh packages was adopted upstream in 5.0:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.272;r2=1.273;f=h

(In reply to comment #1)

> http://cvs.fedora.redhat.com/viewcvs/rpms/openssh/devel/openssh-3.9p1-skip-used.patch?rev=1.1&view=log    

This URL no longer works, cvs.fedoraproject.org has to be used instead of cvs.fedora.redhat.com:

http://cvs.fedoraproject.org/viewvc/rpms/openssh/devel/openssh-3.9p1-skip-used.patch
Comment 18 Vincent Danen 2010-12-23 16:51:47 UTC 
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2005:527)
Note You need to log in before you can comment on or make changes to this bug.