oss-sec mailing list archives
Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 27 Jan 2012 09:59:49 -0700
On 01/27/2012 03:40 AM, Yves-Alexis Perez wrote:
> On Thu., 2012-01-26 at 19:49 -0500, Marc Deslauriers wrote:
>> Please use CVE-2012-0814 for this issue. Also please let me know if
>> other Linux distributions are affected!
>
> Looks like this (I haven't tried...):
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
>
> By the way, is the ForceCommand (and other directives) really supposed to
> be private for different keys (or, more widely, for different matches for
> the same user)?
>
> Regards,
I created three separate keys, so three separate accounts. I can't see any valid reason that account #3 (that is the third key listed) should be able to see the first and second force commands. These commands could contain sensitive commands/passwords (e.g. log in with a key to trigger some automated job by the backup user) for example.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
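Kurt's point is that the per-key forced commands themselves may carry secrets, which is why leaking them to a client holding a different key matters. The following is an added example, not code from the thread or from OpenSSH: a small audit that parses the options field of authorized_keys lines (handling quoted values and escaped quotes), extracts each key's command= value, and flags commands that look like they embed credentials. The sample file content and the credential-pattern heuristic are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample authorized_keys content (not from the thread): three
# keys, two with per-key forced commands, one of which embeds a password.
SAMPLE_AUTHORIZED_KEYS = """\
command="/usr/local/bin/backup-pull --user backup",no-pty ssh-rsa AAAAB3NzaC1yc2E key1
command="/opt/sync.sh --password=hunter2",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2E key2
restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 key3
# trailing comment line is ignored
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
# Heuristic (constructed): a command string that assigns something that
# looks like a credential is worth a closer look.
SECRET_HINT = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key)\s*[=:]", re.I)

def split_options(line: str) -> Tuple[str, str]:
    """Split a line into (options, rest). Options are present only when the
    line does not begin with a key type, and they end at the first whitespace
    outside a double-quoted value (backslash escapes inside quotes honoured)."""
    if line.startswith(KEY_TYPES):
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2  # skip the escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].strip()

def forced_command(options: str) -> Optional[str]:
    """Return the value of a command="..." option with \\" and \\\\ unescaped."""
    m = re.search(r'(?:^|,)command="((?:[^"\\]|\\.)*)"', options, re.I)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None

def audit(text: str) -> List[Tuple[str, Optional[str], bool]]:
    """For each key line return (key comment, forced command, embeds_secret)."""
    report = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        comment = parts[2] if len(parts) > 2 else ""
        cmd = forced_command(options)
        report.append((comment, cmd, bool(cmd and SECRET_HINT.search(cmd))))
    return report
```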