Debian Bug report logs - #444738: CVE-2007-4752 privilege escalation
Reported by: Nico Golde <nion@debian.org>
Date: Sun, 30 Sep 2007 16:54:02 UTC
Severity: normal
Tags: patch, security
Fixed in version openssh/1:4.7p1-1
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>: Bug#444738; Package openssh.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: openssh
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssh.
CVE-2007-4752[0]:
| ssh in OpenSSH before 4.7 does not properly handle when an untrusted
| cookie cannot be created and uses a trusted X11 cookie instead, which
| allows attackers to violate intended policy and gain privileges by
| causing an X client to be treated as trusted.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
As far as I can see the fix for this issue is:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Severity set to `normal' from `grave'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org (Sun, 30 Sep 2007 20:00:13 GMT).
Reply sent to Colin Watson <cjwatson@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #12 received at 444738-close@bugs.debian.org:
Source: openssh
Source-Version: 1:4.7p1-1
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_4.7p1-1_i386.udeb
to pool/main/o/openssh/openssh-client-udeb_4.7p1-1_i386.udeb
openssh-client_4.7p1-1_i386.deb
to pool/main/o/openssh/openssh-client_4.7p1-1_i386.deb
openssh-server-udeb_4.7p1-1_i386.udeb
to pool/main/o/openssh/openssh-server-udeb_4.7p1-1_i386.udeb
openssh-server_4.7p1-1_i386.deb
to pool/main/o/openssh/openssh-server_4.7p1-1_i386.deb
openssh_4.7p1-1.diff.gz
to pool/main/o/openssh/openssh_4.7p1-1.diff.gz
openssh_4.7p1-1.dsc
to pool/main/o/openssh/openssh_4.7p1-1.dsc
openssh_4.7p1.orig.tar.gz
to pool/main/o/openssh/openssh_4.7p1.orig.tar.gz
ssh-askpass-gnome_4.7p1-1_i386.deb
to pool/main/o/openssh/ssh-askpass-gnome_4.7p1-1_i386.deb
ssh-krb5_4.7p1-1_all.deb
to pool/main/o/openssh/ssh-krb5_4.7p1-1_all.deb
ssh_4.7p1-1_all.deb
to pool/main/o/openssh/ssh_4.7p1-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 444738@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 24 Dec 2007 16:43:02 +0000
Source: openssh
Binary: ssh-askpass-gnome ssh-krb5 openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source i386 all
Version: 1:4.7p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - secure shell client, an rlogin/rsh/rcp replacement
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell server, an rshd replacement
openssh-server-udeb - secure shell server for the Debian installer (udeb)
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Closes: 123013 246774 303453 327886 345628 365541 390699 405041 433181 444738 453285 453367
Changes:
openssh (1:4.7p1-1) unstable; urgency=low
.
  * New upstream release (closes: #453367).
    - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
      creation of an untrusted cookie fails; found and fixed by Jan Pechanec
      (closes: #444738).
    - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
      installations are unchanged.
    - The SSH channel window size has been increased, and both ssh(1) and
      sshd(8) now send window updates more aggressively. These improve
      performance on high-BDP (Bandwidth Delay Product) networks.
    - ssh(1) and sshd(8) now preserve MAC contexts between packets, which
      saves 2 hash calls per packet and results in 12-16% speedup for
      arcfour256/hmac-md5.
    - A new MAC algorithm has been added, UMAC-64 (RFC4418) as
      "umac-64@openssh.com". UMAC-64 has been measured to be approximately
      20% faster than HMAC-MD5.
    - Failure to establish a ssh(1) TunnelForward is now treated as a fatal
      error when the ExitOnForwardFailure option is set.
    - ssh(1) returns a sensible exit status if the control master goes away
      without passing the full exit status.
    - When using a ProxyCommand in ssh(1), set the outgoing hostname with
      gethostname(2), allowing hostbased authentication to work.
    - Make scp(1) skip FIFOs rather than hanging (closes: #246774).
    - Encode non-printing characters in scp(1) filenames. These could cause
      copies to be aborted with a "protocol error".
    - Handle SIGINT in sshd(8) privilege separation child process to ensure
      that wtmp and lastlog records are correctly updated.
    - Report GSSAPI mechanism in errors, for libraries that support multiple
      mechanisms.
    - Improve documentation for ssh-add(1)'s -d option.
    - Rearrange and tidy GSSAPI code, removing server-only code being linked
      into the client.
    - Delay execution of ssh(1)'s LocalCommand until after all forwardings
      have been established.
    - In scp(1), do not truncate non-regular files.
    - Improve exit message from ControlMaster clients.
    - Prevent sftp-server(8) from reading until it runs out of buffer space,
      whereupon it would exit with a fatal error (closes: #365541).
    - pam_end() was not being called if authentication failed
      (closes: #405041).
    - Manual page datestamps updated (closes: #433181).
  * Install the OpenSSH FAQ in /usr/share/doc/openssh-client.
    - Includes documentation on copying files with colons using scp
      (closes: #303453).
  * Create /var/run/sshd on start even if /etc/ssh/sshd_not_to_be_run exists
    (closes: #453285).
  * Fix "overriden" typo in ssh(1) (thanks, A. Costa; closes: #390699).
  * Refactor debian/rules configure and make invocations to make development
    easier.
  * Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).
  * Update moduli(5) to revision 1.11 from OpenBSD CVS.
  * Document the non-default options we set as standard in ssh_config(5) and
    sshd_config(5) (closes: #327886, #345628).
  * Recode LICENCE to UTF-8 when concatenating it to debian/copyright.
  * Override desktop-file-but-no-dh_desktop-call lintian warning; the
    .desktop file is intentionally not installed (see 1:3.8.1p1-10).
  * Update copyright dates for Kerberos patch in debian/copyright.head.
  * Policy version 3.7.3: no changes required.
Package-Type: udeb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Wed, 23 Jan 2008 07:27:35 GMT).
Last modified: Wed Jun 19 17:54:33 2019; Machine Name: buxtehude