oss-sec mailing list archives
Re: double-free vulnerability in OpenSSH server 9.1
From: Qualys Security Advisory <qsa () qualys com>
Date: Thu, 2 Feb 2023 22:38:23 +0000
Hi Georgi, all,

On Thu, Feb 02, 2023 at 09:06:19PM +0200, Georgi Guninski wrote:

> Nice find :) This is a very complicated codepath; did a human find it "manually", or did some analysis program find it?

Good question! Technically, we did not find the double free: we found the underlying bug in compat_kex_proposal() (the "unintended" free of options.kex_algorithms) during a manual code review, and reported it to the OpenSSH developers in July 2022. Unfortunately, back then we (Qualys) mistakenly believed that "this does not seem to lead to a use-after-free or double-free, but the dangling pointer in options.kex_algorithms is probably not ideal."

Then, in January 2023, Mantas Mikulenas reported a double free in sshd to the OpenSSH bugzilla, and we immediately realized that this was a direct consequence of the bug in compat_kex_proposal().

Thank you very much for your mail!

With best regards,

-- 
the Qualys Security Advisory team
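The ownership bug the reply describes (a compat filter that frees the caller's options.kex_algorithms as a side effect, leaving a dangling pointer that is freed again at teardown), modelled as an added C example. This is not OpenSSH's code: the function shapes, the DENY name, the free tracker and run_session are assumptions made for illustration. It runs the buggy and the fixed shape side by side and counts invalid frees with a small tracker, so the second free is reported instead of aborting the process.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the ownership bug discussed above, not OpenSSH code:
 * a compat filter that frees its input and returns a fresh string, called
 * with a pointer the caller still owns and frees at teardown. A tiny free
 * tracker reports the second free instead of letting the allocator abort. */
#define MAX_LIVE 8
#define DENY "curve25519-sha256@libssh.org"
static void *live[MAX_LIVE];                /* allocations currently owned */

static char *tracked_strdup(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p == NULL) abort();
    memcpy(p, s, len);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    abort();                                /* tracker full */
}
/* 1 on a valid free; 0 on a double/invalid free (heap corruption in reality). */
static int tracked_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    return 0;
}
/* New list with `deny` dropped when it heads the list (enough for this model). */
static char *filter_out(const char *list, const char *deny) {
    size_t n = strlen(deny);
    if (strncmp(list, deny, n) == 0 && list[n] == ',') list += n + 1;
    return tracked_strdup(list);
}

/* Buggy shape: frees its argument, which may be options.kex_algorithms. */
static char *compat_filter_buggy(char *p) {
    char *cp = filter_out(p, DENY);
    tracked_free(p);           /* unintended: caller now holds a dangling pointer */
    return cp;
}
/* Fixed shape: works on a copy, so the caller keeps ownership of its input. */
static char *compat_filter_fixed(const char *p) { return filter_out(p, DENY); }

/* Simulated server lifetime: the original is freed at teardown; returns the
 * number of invalid (double) frees observed, so 0 means clean. */
static int run_session(int fixed) {
    char *kex_algorithms = tracked_strdup(DENY ",ecdh-sha2-nistp256");
    char *proposal = fixed ? compat_filter_fixed(kex_algorithms)
                           : compat_filter_buggy(kex_algorithms);
    int bad = !tracked_free(proposal);
    bad += !tracked_free(kex_algorithms);   /* second free in the buggy variant */
    return bad;
}
```

Under a real allocator the second free in the buggy variant is exactly the condition that tools such as ASan flag as a double free; the tracker only makes both paths observable in one run.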