X11 forwarding with IPv6 disabled

Hello all,
one more (ever-returning) bug [1] reported recently caught my eye. The problem is that disabling IPv6 in the kernel leads to OpenSSH failing to bind the localhost IPv6 address, which, after the fix for CVE-2008-1483 [2], leads to the whole X11 forwarding failing.

If I read the description of the CVE in question correctly, we should care only about the case when the address is already used (errno = EADDRINUSE). Other errors, or at least EADDRNOTAVAIL (trying to bind an IPv6 address when disabled or the other way round), should not lead to fatal errors and should fall back to the other address (if any).

This was already discussed in bugs #2143 [2] and #1356 [3] with basically the same patch I came up with. Neither the comments from Darren nor those from Damien in any of them came with any convincing reasoning why not to include this change. Therefore I am bringing this issue up again here. Can you have a look into that and get that fixed almost 10 years later? Any comments welcome.


Another discussed solution would be not to return the IPv6 address from getaddrinfo() if disabled, but I don't think we will be able to justify this change of behavior.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1436097
[2] https://github.com/openssh/openssh-portable/commit/5f5cd746
[3] https://bugzilla.mindrot.org/show_bug.cgi?id=2143

Thanks,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
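
The error handling proposed in the message above, as an added sketch in C; it is not OpenSSH code and not the patch from the referenced bugs. `bind_loopback` and `MAX_SOCKS` are hypothetical names, and the two loopback addresses are hard-coded here instead of coming from getaddrinfo().

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_SOCKS 2  /* hypothetical: one IPv6 and one IPv4 loopback listener */

/* Hypothetical helper: bind every usable loopback address on `port`.
 * Returns the number of fds stored in socks[] (0 if no address was usable),
 * or -1 if the port is already taken, so the caller tries the next display. */
int bind_loopback(unsigned short port, int socks[MAX_SOCKS])
{
    int n = 0, on = 1;
    struct sockaddr_in6 a6;
    struct sockaddr_in a4;

    memset(&a6, 0, sizeof(a6));
    a6.sin6_family = AF_INET6;
    a6.sin6_port = htons(port);
    a6.sin6_addr = in6addr_loopback;
    memset(&a4, 0, sizeof(a4));
    a4.sin_family = AF_INET;
    a4.sin_port = htons(port);
    a4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    const struct sockaddr *addrs[MAX_SOCKS] = { (void *)&a6, (void *)&a4 };
    const socklen_t lens[MAX_SOCKS] = { sizeof(a6), sizeof(a4) };

    for (int i = 0; i < MAX_SOCKS; i++) {
        int fd = socket(addrs[i]->sa_family, SOCK_STREAM, 0);
        if (fd < 0)
            continue;               /* address family not available at all */
        if (addrs[i]->sa_family == AF_INET6)  /* keep ::1 from covering IPv4 */
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        if (bind(fd, addrs[i], lens[i]) == 0) {
            socks[n++] = fd;
            continue;
        }
        int err = errno;            /* save before close() can change it */
        close(fd);
        if (err == EADDRINUSE) {    /* another process owns this port */
            while (n > 0)           /* release what we already bound */
                close(socks[--n]);
            return -1;
        }
        /* EADDRNOTAVAIL and other errors: skip this address only */
    }
    return n;
}
```

A caller would treat -1 as "try the next display number" and a return of 0 as "no loopback address could be bound".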


