oss-sec mailing list archives

Re: Re: double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)


From: Qualys Security Advisory <qsa () qualys com>
Date: Thu, 9 Mar 2023 13:34:58 +0000

Hi Georgi,

On Mon, Mar 06, 2023 at 09:53:06AM +0200, Georgi Guninski wrote:
> So besides the double free bug you managed to circumvent
> the mitigation in both Linux and OpenBSD, right?
> Did you find a weakness in the mitigation or did you find
> a fundamental way to exploit double frees?

We have not been able to do anything useful on Linux (glibc) yet.

On OpenBSD, what we did works only because this double free is of the
form "free(ptr); many other malloc() and free() calls; free(ptr);".

If it were of the form "free(ptr); no other malloc() or free() call;
free(ptr);" then this double free would be caught immediately by
malloc's security checks.

Hopefully this helps! With best regards,

-- 
the Qualys Security Advisory team
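The two forms of double free described in the reply above, as an added example that is not part of the original message and not code from OpenSSH, OpenBSD libc or glibc: a toy allocator model in which "pointers" are slot indexes into a small table, so no real heap memory is ever freed twice. The model's names (struct model, owner tags, quarantine_len, the scenario functions) are assumptions of this example. It shows why "free(ptr); free(ptr);" is caught by the check any allocator can make (the chunk is still marked free), while "free(ptr); many other malloc()/free() calls; free(ptr);" is not: once the chunk has been handed out again, the second free looks like an ordinary free of a live chunk. Holding freed chunks in a long quarantine before reuse, as debugging allocators do, keeps the second form detectable.

```c
/*
 * Toy model of an allocator's double-free checks (added example; names and
 * behaviour are assumptions of this model, not any real allocator's code).
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 64

enum free_result { FREE_OK = 0, FREE_DOUBLE_FREE_DETECTED = 1 };

struct model {
    bool live[SLOTS];          /* slot currently handed out by model_alloc */
    int  owner[SLOTS];         /* oracle only: which caller owns a live slot */
    int  quarantine[SLOTS];    /* FIFO of freed slots held back from reuse */
    int  qcount;
    int  quarantine_len;       /* 0..SLOTS: how long a freed slot stays unreusable */
    int  silent_corruptions;   /* oracle only: frees that hit another owner's live slot */
};

static void model_init(struct model *m, int quarantine_len) {
    memset(m, 0, sizeof *m);
    m->quarantine_len = quarantine_len;
}

static bool in_quarantine(const struct model *m, int slot) {
    for (int i = 0; i < m->qcount; i++)
        if (m->quarantine[i] == slot) return true;
    return false;
}

/* Drop the oldest quarantined slot so it becomes reusable again. */
static void quarantine_evict(struct model *m) {
    memmove(&m->quarantine[0], &m->quarantine[1],
            (size_t)(m->qcount - 1) * sizeof m->quarantine[0]);
    m->qcount--;
}

static int model_alloc(struct model *m, int owner) {
    for (;;) {
        for (int s = 0; s < SLOTS; s++) {
            if (!m->live[s] && !in_quarantine(m, s)) {
                m->live[s] = true;
                m->owner[s] = owner;
                return s;
            }
        }
        if (m->qcount == 0) return -1;   /* table exhausted; not reached below */
        quarantine_evict(m);
    }
}

static enum free_result model_free(struct model *m, int slot, int owner) {
    /* The check a real allocator can make: is this chunk already free?
     * A quarantined slot is still marked free, so it is caught here too. */
    if (!m->live[slot])
        return FREE_DOUBLE_FREE_DETECTED;
    /* Oracle the allocator does not have: is the caller the slot's owner? */
    if (m->owner[slot] != owner)
        m->silent_corruptions++;
    m->live[slot] = false;
    if (m->quarantine_len > 0) {
        if (m->qcount == m->quarantine_len) quarantine_evict(m);
        m->quarantine[m->qcount++] = slot;
    }
    return FREE_OK;
}

/* Form 1: free(ptr); free(ptr); with nothing in between. */
static enum free_result scenario_immediate(int quarantine_len) {
    struct model m;
    model_init(&m, quarantine_len);
    int p = model_alloc(&m, 1);
    model_free(&m, p, 1);
    return model_free(&m, p, 1);
}

/* Form 2: free(ptr); `churn` rounds of other code's malloc()/free(); free(ptr).
 * Each round keeps one allocation live and frees another, as other code would. */
static enum free_result scenario_interleaved(int quarantine_len, int churn,
                                             int *silent_corruptions) {
    struct model m;
    model_init(&m, quarantine_len);
    int p = model_alloc(&m, 1);
    model_free(&m, p, 1);
    for (int i = 0; i < churn; i++) {
        int kept = model_alloc(&m, 2);   /* stays live; may land on p's old slot */
        int temp = model_alloc(&m, 2);
        model_free(&m, temp, 2);
        (void)kept;
    }
    enum free_result r = model_free(&m, p, 1);
    *silent_corruptions = m.silent_corruptions;
    return r;
}

int main(void) {
    int silent = 0;
    printf("immediate, short delayed-free list: %d\n", scenario_immediate(4));
    printf("interleaved, short list: result=%d silent_corruptions=%d\n",
           scenario_interleaved(4, 8, &silent), silent);
    printf("interleaved, long quarantine: result=%d silent_corruptions=%d\n",
           scenario_interleaved(64, 8, &silent), silent);
    return 0;
}
```

With a short delayed-free list (4 entries here) the immediate form is detected, but in the interleaved form the slot is evicted, reallocated to the other owner, and the second free returns FREE_OK while quietly freeing that owner's live chunk. With a quarantine longer than the intervening churn the slot is still marked free at the second call and the double free is reported.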
