On Thu, Mar 10, 2016 at 7:10 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> OpenSSH Security Advisory: x11fwd.adv
>
> This document may be found at: http://www.openssh.com/txt/x11fwd.adv
>
> 1. Affected configurations
>
>         All versions of OpenSSH prior to 7.2p2 with X11Forwarding
>         enabled.
>
> 2. Vulnerability
>
>         Missing sanitisation of untrusted input allows an
>         authenticated user who is able to request X11 forwarding
>         to inject commands to xauth(1).

Ouch. I'm just trying to figure out under what normal circumstances a
connection with X11 forwarding enabled wouldn't be owned by a user who
already has normal system privileges for ssh, sftp, and scp access.

I suppose it might be an unexpected filesystem access if someone's
public SSH keys are tied to a "ForceCommand" option to run some X based
application in $HOME/.ssh/authorized_keys, and that is actually relied
on to limit access on the SSH server.

And, of course, there is an XKCD cartoon about sanitizing inputs.

    https://xkcd.com/327/
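An added example, not part of the original message or of OpenSSH: a small audit for the case raised above, where an authorized_keys entry with a forced command is relied on to confine a user. It flags forced-command entries that still permit X11 forwarding; the option handling (applied in order, `restrict` and `no-X11-forwarding` disable, `X11-forwarding` re-enables) is a simplified model of sshd's behaviour, and the sample entries and key blobs are constructed placeholders.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of public key type names
SAMPLE = '''\
# constructed sample: key blobs are placeholders, not real keys
command="/usr/bin/xclock" ssh-ed25519 AAAAPLACEHOLDER1 kiosk@example
command="/usr/local/bin/backup --dest=a,b",no-X11-forwarding ssh-rsa AAAAPLACEHOLDER2 backup@example
restrict,command="/usr/bin/xterm -e \\"top\\"" ssh-ed25519 AAAAPLACEHOLDER3 ops@example
restrict,X11-forwarding,command="/usr/bin/xeyes" ssh-ed25519 AAAAPLACEHOLDER4 demo@example
'''

def parse_options(line):
    """Return the leading option list of one authorized_keys line ([] if none)."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_TYPES):
        return []
    opts, cur, quoted, prev = [], [], False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted          # commas and blanks inside quotes are literal
        if not quoted and ch in " \t":
            break                        # options end at the first unquoted blank
        if not quoted and ch == ",":
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        prev = ch
    opts.append("".join(cur))
    return opts

def x11_permitted(opts):
    """Apply options in order, last one wins; with no option X11 is permitted."""
    permitted = True
    for name in (o.split("=", 1)[0].lower() for o in opts):
        if name in ("restrict", "no-x11-forwarding", "x11-forwarding"):
            permitted = name == "x11-forwarding"   # only this one re-enables
    return permitted

def audit(text):
    """Return (line_no, command) for forced-command keys that still allow X11."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        opts = parse_options(line)
        cmds = [o.split("=", 1)[1] for o in opts if o.lower().startswith("command=")]
        if cmds and x11_permitted(opts):
            findings.append((n, cmds[-1][1:-1]))   # drop the surrounding quotes
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Whether X11 forwarding is offered at all also depends on the server-wide `X11Forwarding` setting in sshd_config, which this per-key check does not read.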