[Bug 1457] New: X11 Forwarding doesn't work anymore on a solaris 10 host where ipv6 has not been enabled
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Sun Apr 6 07:00:38 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=1457
Summary: X11 Forwarding doesn't work anymore on a solaris 10
host where ipv6 has not been enabled
Classification: Unclassified
Product: Portable OpenSSH
Version: 4.9p1
Platform: All
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: yann at pleiades.fr.eu.org
Created an attachment (id=1481)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1481)
Ignore a EADDRNOTAVAIL error when binding to the X11 forwarding port
This bug happen with 5.0p1 (but this version was not available in the
version field of the bug report form).
The patch for CVE-2008-1483 applied in this release has a side effect
on Solaris (at least Solaris 10, I didn't test on other solaris
versions).
With this patch, openssh will do X forwarding on a port only if it
successfully binded to it on the inet4 and inet6 address (if the latter
was available).
The problem is that on Solaris 10, even if ipv6 was not enabled at
install time, the getaddrinfo will still return the ipv6 address in
addition to the ipv4 address.
As a result, when try to bind to port A, openssh will try to bind to
127.0.0.1:A and ::1:A, and the latter will always fail as there are not
ipv6-enabled localhost interface.
So openssh will not be able to bind on any port and X Forwarding will
not work.
I don't know it it can be considered a solaris bug or openssh bug.
To fix this bug, I slightly modified the security fix patch so openssh
will ignore an error on an address if the errno is EADDRNOTAVAIL.
This fixes the bug and still seems to avoid the X11 hijacking bug but I
am not sure it's the good solution.
One possible problem is if a sysadmin configures the inet6 loopback
interface after someone already did X forwarding.
That would leave a window for an attacker. He could then listen on the
6010 port on the inet6 interface to hijack X11 communication coming
from
apps which first try the ipv6 port.
That's not likely to happen often but still...
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list