oss-sec mailing list archives

Re: double-free vulnerability in OpenSSH server 9.1


From: Qualys Security Advisory <qsa () qualys com>
Date: Thu, 2 Feb 2023 22:38:23 +0000

Hi Georgi, all,

On Thu, Feb 02, 2023 at 09:06:19PM +0200, Georgi Guninski wrote:
> Nice find :)
> This is a very complicated codepath, did a human find it "manually"
> or did some analysis program find it?

Good question! Technically, we did not find the double free: we found
the underlying bug in compat_kex_proposal() (the "unintended" free of
options.kex_algorithms) during a manual code review, and reported it to
the OpenSSH developers in July 2022.

Unfortunately, back then we (Qualys) mistakenly believed that "this does
not seem to lead to a use-after-free or double-free, but the dangling
pointer in options.kex_algorithms is probably not ideal."

Then, in January 2023, Mantas Mikulenas reported a double free in sshd
to the OpenSSH bugzilla, and we immediately realized that this was a
direct consequence of the bug in compat_kex_proposal().

Thank you very much for your mail! With best regards,

-- 
the Qualys Security Advisory team
