From: Dag-Erling Smørgrav <des@des.no>
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh
Date: Thu, 27 Aug 2015 15:50:58 +0200
In-Reply-To: <55DF0BBD.1080206@sentex.net> (Mike Tancsa's message of "Thu, 27 Aug 2015 09:08:13 -0400")
Message-ID: <864mjkrgal.fsf@nine.des.no>
List-Id: freebsd-security@freebsd.org "Security issues [members-only posting]"

Mike Tancsa writes:
> For the latter two, I am trying to understand in the context of a shared
> hosting system. Could one user with sftp access to their own directory
> use these bugs to gain access to another user's account?
Once again: both of these are attacks on the main sshd process by the
unprivileged child process, so the attacker first has to gain control of
said child using some other vulnerability. There is currently no known
way to exploit them. The reason why an advisory was issued is that, by
definition, the unprivileged child is assumed to be hostile.

http://blog.des.no/2015/08/openssh-pam-and-user-names/

DES
-- 
Dag-Erling Smørgrav - des@des.no
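As an added illustration of the point made in the reply above (example code written for this page, not OpenSSH's own monitor or anything from the advisory): a toy privilege-separation monitor in C. The privileged parent keeps all security state on its own side and treats every byte that arrives from the unprivileged child as attacker-controlled. The wire format, the `struct monitor` fields, the single `MSG_PAM_START` message type and the user names are assumptions made for the example; the "compromised" child simply tries to name a different account than the one the monitor already holds, and the monitor rejects it, along with truncated, oversized, unknown and out-of-order messages.

```c
/* Added example: a toy privilege-separation monitor. Not OpenSSH code; the
 * message format, struct fields and message type are assumptions made for
 * this illustration. The privileged parent ("monitor") owns all security
 * state and treats every byte from the unprivileged child as hostile. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_USER 64
#define MSG_PAM_START 1 /* child asks the monitor to begin PAM for a user */

struct monitor {
    char auth_user[MAX_USER]; /* set by the monitor, never by the child */
    int pam_started;          /* monitor-side state machine */
};

void monitor_init(struct monitor *m, const char *user) {
    memset(m, 0, sizeof(*m));
    snprintf(m->auth_user, sizeof(m->auth_user), "%s", user);
}

/* Constructed wire format: 1 byte type, 2-byte big-endian payload length,
 * then payload. The claimed length is checked against what actually arrived. */
static int parse_msg(const uint8_t *buf, size_t buflen, uint8_t *type,
                     const uint8_t **payload, size_t *plen) {
    if (buflen < 3)
        return -1;
    *type = buf[0];
    *plen = ((size_t)buf[1] << 8) | buf[2];
    if (*plen != buflen - 3)
        return -1; /* truncated or oversized message */
    *payload = buf + 3;
    return 0;
}

/* Returns 0 if the message is accepted, -1 if rejected. */
int monitor_handle(struct monitor *m, const uint8_t *buf, size_t buflen) {
    uint8_t type;
    const uint8_t *p;
    size_t plen;

    if (parse_msg(buf, buflen, &type, &p, &plen) != 0)
        return -1;
    switch (type) {
    case MSG_PAM_START:
        if (m->pam_started)
            return -1; /* state violation: PAM may only be started once */
        if (plen == 0 || plen >= MAX_USER || memchr(p, '\0', plen) != NULL)
            return -1; /* malformed name */
        /* The child may only name the user the monitor already chose. */
        if (plen != strlen(m->auth_user) || memcmp(p, m->auth_user, plen) != 0)
            return -1;
        m->pam_started = 1;
        return 0;
    default:
        return -1; /* unknown type from an untrusted peer: reject */
    }
}

/* Encode a MSG_PAM_START for a given user name; returns bytes written or 0. */
size_t build_pam_start(uint8_t *out, size_t outlen, const char *user) {
    size_t n = strlen(user);
    if (n > 0xffff || outlen < 3 + n)
        return 0;
    out[0] = MSG_PAM_START;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + 3, user, n);
    return 3 + n;
}

/* Stand-alone demo: fork a "compromised" child that tries to switch the
 * account name from alice to root; the monitor refuses. */
int main(void) {
    int fd[2];
    uint8_t buf[128];
    struct monitor m;
    ssize_t n;
    int verdict;
    pid_t pid;

    if (pipe(fd) != 0)
        return 1;
    pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {
        size_t len = build_pam_start(buf, sizeof(buf), "root");
        close(fd[0]);
        if (write(fd[1], buf, len) < 0)
            _exit(1);
        _exit(0);
    }
    close(fd[1]);
    monitor_init(&m, "alice");
    n = read(fd[0], buf, sizeof(buf));
    verdict = (n > 0) ? monitor_handle(&m, buf, (size_t)n) : -1;
    printf("monitor verdict for child's request: %s\n",
           verdict == 0 ? "accepted" : "rejected");
    waitpid(pid, NULL, 0);
    return 0;
}
```

The design point is the one in the reply: nothing the child sends can move the monitor's own state except through a strictly validated message, so a compromised child gains no more than the child already had. Real monitors carry far more message types and per-state dispatch tables, but the shape of the check is the same.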