From owner-freebsd-security@FreeBSD.ORG Mon Oct 2 21:25:12 2006
Date: Mon, 02 Oct 2006 14:25:05 -0700
From: Colin Percival <cperciva@freebsd.org>
To: Theo de Raadt
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:22.openssh
Message-id: <452183B1.7000306@freebsd.org>
In-reply-to: <200610022000.k92K0B5P009759@cvs.openbsd.org>
References: <200610022000.k92K0B5P009759@cvs.openbsd.org>
List-Id: "Security issues [members-only posting]"

Theo de Raadt wrote:
>> The OpenSSH project believe that the race condition can lead to a Denial
>> of Service or potentially remote code execution
>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Bullshit.  Where did anyone say this?

The OpenSSH 4.4 release announcement says that, actually:

 * Fix an unsafe signal handler reported by Mark Dowd.  The signal
   handler was vulnerable to a race condition that could be exploited
   to perform a pre-authentication denial of service.  On portable
   OpenSSH, this vulnerability could theoretically lead to
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   pre-authentication remote code execution if GSSAPI authentication
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   is enabled, but the likelihood of successful exploitation appears
   remote.

Colin Percival