[Bug 1457] New: X11 Forwarding doesn't work anymore on a solaris 10 host where ipv6 has not been enabled

bugzilla-daemon at bugzilla.mindrot.org
Sun Apr 6 07:00:38 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1457

           Summary: X11 Forwarding doesn't work anymore on a solaris 10    
                    host where ipv6 has not been enabled                   
    Classification: Unclassified                                           
           Product: Portable OpenSSH                                       
           Version: 4.9p1                                                  
          Platform: All                                                    
        OS/Version: Solaris                                                
            Status: NEW                                                    
          Severity: major                                                  
          Priority: P2                                                     
         Component: sshd                                                   
        AssignedTo: bitbucket at mindrot.org                                  
        ReportedBy: yann at pleiades.fr.eu.org                                


Created an attachment (id=1481)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1481)
Ignore an EADDRNOTAVAIL error when binding to the X11 forwarding port

This bug happens with 5.0p1 (but this version was not available in the
version field of the bug report form).

The patch for CVE-2008-1483 applied in this release has a side effect
on Solaris (at least Solaris 10, I didn't test on other Solaris
versions).

With this patch, openssh will do X forwarding on a port only if it
successfully bound to it on the inet4 and inet6 addresses (if the latter
was available).

The problem is that on Solaris 10, even if ipv6 was not enabled at
install time, the getaddrinfo will still return the ipv6 address in
addition to the ipv4 address.

As a result, when trying to bind to port A, openssh will try to bind to
127.0.0.1:A and ::1:A, and the latter will always fail as there is no
ipv6-enabled localhost interface.
So openssh will not be able to bind on any port and X Forwarding will
not work.

I don't know if it can be considered a Solaris bug or an openssh bug.


To fix this bug, I slightly modified the security fix patch so openssh
will ignore an error on an address if the errno is EADDRNOTAVAIL. 

This fixes the bug and still seems to avoid the X11 hijacking bug but I
am not sure it's the right solution.

One possible problem is if a sysadmin configures the inet6 loopback
interface after someone already did X forwarding.
That would leave a window for an attacker. He could then listen on the
6010 port on the inet6 interface to hijack X11 communication coming
from apps which first try the ipv6 port.
That's not likely to happen often but still...

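The bind behaviour discussed in the report, as an added example (it is not attachment 1481 and not OpenSSH source): a display port is claimed on every address getaddrinfo() returns or on none, with a switch for the proposed EADDRNOTAVAIL tolerance. The names claim_port, bind_one_real, bind_one_no_v6 and MAX_SOCKS are hypothetical, and bind_one_no_v6 is a constructed stand-in for a host whose ::1 address is listed but cannot be bound.

```c
/* Added illustration: not the bug's attachment and not OpenSSH source. */
#include <errno.h>
#include <netdb.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_SOCKS 8
typedef int (*bind_one_fn)(const struct addrinfo *ai); /* fd, or -1 + errno */

int bind_one_real(const struct addrinfo *ai)    /* socket + bind + listen */
{
    int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (fd >= 0 && (bind(fd, ai->ai_addr, ai->ai_addrlen) || listen(fd, 5))) {
        int saved = errno;      /* close() may overwrite errno */
        close(fd);
        errno = saved;
        fd = -1;
    }
    return fd;
}

/* Constructed stand-in for the reported host: ::1 is listed but unbindable. */
int bind_one_no_v6(const struct addrinfo *ai)
{
    if (ai->ai_family != AF_INET6)
        return bind_one_real(ai);
    errno = EADDRNOTAVAIL;
    return -1;
}

/* Claim `port` on every loopback address or on none: listener count, or -1. */
int claim_port(const char *port, int tolerate, bind_one_fn bind_one, int *socks)
{
    struct addrinfo *res, hints = { .ai_family = AF_UNSPEC,
                                    .ai_socktype = SOCK_STREAM };
    int n = 0;
    if (getaddrinfo(NULL, port, &hints, &res) != 0)
        return -1;
    for (struct addrinfo *ai = res; ai != NULL && n < MAX_SOCKS; ai = ai->ai_next) {
        int fd = bind_one(ai);
        if (fd >= 0) {
            socks[n++] = fd;
        } else if (!(tolerate && errno == EADDRNOTAVAIL)) {
            while (n > 0)       /* an untolerated failure rejects the port */
                close(socks[--n]);
            break;
        }
    }
    freeaddrinfo(res);
    return n > 0 ? n : -1;
}
```

With tolerate set to 0 every port is rejected on such a host, which is the reported failure; with tolerate set to 1 the port is accepted but stays unclaimed on the skipped address, which is the window the report describes.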