It was found that there is a theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users.

CVE assignment: http://seclists.org/oss-sec/2016/q4/708

External References: https://www.openssh.com/txt/release-7.4
Upstream patch: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1406296]
Statement: It seems that this flaw is not practically exploitable; the leak of host private key material to the privilege-separated child processes is theoretical. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. Because of this restriction on successful exploitation, this issue has been rated as having Low security impact. A future update may address this flaw.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7: via RHSA-2017:2029 https://access.redhat.com/errata/RHSA-2017:2029
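As an added illustration of the realloc() pattern described above and of the scrub-before-free mitigation, the following is example code written for this page; it is not OpenSSH's own code nor its upstream patch, and the helper names secure_memset, secure_free, secure_realloc, load_secret_stream and demo_roundtrip are invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* memset through a volatile pointer so the scrub is not optimised away (stand-in for explicit_bzero). */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;
void secure_free(void *p, size_t len) {
    if (p != NULL) { secure_memset(p, 0, len); free(p); }
}
/* Plain realloc() may move the data and release the old block unscrubbed, leaving key
 * bytes in freed heap that later forked children inherit; here the old block is scrubbed first. */
void *secure_realloc(void *old, size_t oldlen, size_t newlen) {
    void *fresh = malloc(newlen);
    if (fresh == NULL) return NULL;
    if (old != NULL) {
        memcpy(fresh, old, oldlen < newlen ? oldlen : newlen);
        secure_free(old, oldlen);
    }
    return fresh;
}
/* Read a whole stream (e.g. a key file) into a buffer that grows via secure_realloc(). */
unsigned char *load_secret_stream(FILE *fp, size_t *lenp) {
    unsigned char *buf = NULL, chunk[64]; /* small chunk so growth is exercised */
    size_t len = 0, cap = 0, n;
    while ((n = fread(chunk, 1, sizeof chunk, fp)) > 0) {
        if (len + n > cap) {
            size_t newcap = cap ? cap * 2 : 128;
            while (newcap < len + n) newcap *= 2;
            unsigned char *nb = secure_realloc(buf, len, newcap);
            if (nb == NULL) { secure_free(buf, len); buf = NULL; len = 0; break; }
            buf = nb; cap = newcap;
        }
        memcpy(buf + len, chunk, n);
        len += n;
    }
    secure_memset(chunk, 0, sizeof chunk); /* the staging copy held secrets too */
    *lenp = len; return buf;
}
/* Round-trip a constructed n-byte "key file" and check every byte survived the growth steps. */
int demo_roundtrip(size_t n) {
    FILE *fp = tmpfile(); if (fp == NULL) return 0;
    for (size_t i = 0; i < n; i++) fputc((int)(i % 251), fp);
    rewind(fp); size_t got = 0;
    unsigned char *buf = load_secret_stream(fp, &got);
    fclose(fp);
    int ok = buf != NULL && got == n;
    for (size_t i = 0; ok && i < n; i++) ok = buf[i] == (unsigned char)(i % 251);
    secure_free(buf, got);
    return ok;
}
```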