Re: Announce: OpenSSH 9.8 released

Jan Schermer <jan@xxxxxxxxxxx> · Mon, 1 Jul 2024 12:29:28 +0200

Is there a CVE for these?
I fail to see updated packages or notices, are vendors just lazy again?

Thanks
Jan

> On 1. 7. 2024, at 10:21, Damien Miller <djm@xxxxxxxxxxx> wrote:
> 
> Hi,
> 
> Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
> prevent exploitation of this bug is to disable the login grace timer
> by setting LoginGraceTime=0 in sshd_config. This will however make
> it much easier for an attacker to deny service to sshd.
> 
> Similarly, the much more minor keystroke timing bug can be avoided
> by disabling the feature using ObscureKeystrokeTiming=0.
> 
> Some users will understandably prefer to patch their OpenSSH rather
> than upgrade to the newest version, so here are minimal patches for
> both problems.
> 
> 1) Critical race condition in sshd
> 
> diff --git a/log.c b/log.c
> index 9fc1a2e2e..191ff4a5a 100644
> --- a/log.c
> +++ b/log.c
> @@ -451,12 +451,14 @@ void
> sshsigdie(const char *file, const char *func, int line, int showfunc,
>     LogLevel level, const char *suffix, const char *fmt, ...)
> {
> +#ifdef SYSLOG_R_SAFE_IN_SIGHAND
> 	va_list args;
> 
> 	va_start(args, fmt);
> 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
> 	    suffix, fmt, args);
> 	va_end(args);
> +#endif
> 	_exit(1);
> }
> 
> 2) Minor logic error in ObscureKeystrokeTiming
> 
> diff --git a/clientloop.c b/clientloop.c
> index 8ec36af94..6dcd6c853 100644
> --- a/clientloop.c
> +++ b/clientloop.c
> @@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
> 		if (timespeccmp(&now, &chaff_until, >=)) {
> 			/* Stop if there have been no keystrokes for a while */
> 			stop_reason = "chaff time expired";
> -		} else if (timespeccmp(&now, &next_interval, >=)) {
> -			/* Otherwise if we were due to send, then send chaff */
> +		} else if (timespeccmp(&now, &next_interval, >=) &&
> +		    !ssh_packet_have_data_to_write(ssh)) {
> +			/* If due to send but have no data, then send chaff */
> 			if (send_chaff(ssh))
> 				nchaff++;
> 		}
> 
> 
> Thanks,
> Damien Miller
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev