[Bug 1356] X11 forwarding broken.
bugzilla-daemon at bugzilla.mindrot.org
Fri Aug 21 17:31:24 EST 2009
https://bugzilla.mindrot.org/show_bug.cgi?id=1356
Mark Andrews <marka at isc.org> changed:
What       | Removed  | Added
-----------+----------+---------
Status     | RESOLVED | REOPENED
Resolution | WONTFIX  |
--- Comment #3 from Mark Andrews <marka at isc.org> 2009-08-21 17:31:23 EST ---
> The logic for X11 binding has changed as a result of
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483 -- OpenSSH >5.0
> will still fail in this case (getaddrinfo() returning both IPv4 and v6
> addrs but bind not working for one of them), but it will fail
> /on purpose/.
There is a difference between EADDRINUSE and EADDRNOTAVAIL. One
indicates that the <address,port> tuple is in use. The other
indicates that the interface does not exist.
> Given the problem that gave us CVE-2008-1483, I think OpenSSH refusing
> X11 forwarding is the only reasonable solution. IMO getaddrinfo()
> shouldn't return addresses that cannot be bound. A workaround for this
> is to explicitly set AddressFamily in sshd_config(5).
The case in CVE-2008-1483 is covered by moving to the next port on
EADDRINUSE.
The patch was to not fail for EADDRNOTAVAIL which is a completely
different condition. All errors are not equal.
Note the old code was wrong to continue on ai->ai_next being non-NULL,
which was why I removed the examination of ai->ai_next when I
reported this problem. I had already thought about other applications
listening on one of the interfaces and not the other, which is why
I looked at the value of errno.
Mark
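The errno distinction this comment argues for, written out as a bind loop; this is an added illustration, not OpenSSH's code, and the `try_bind_fn` callback, `sim_bind` host model and `demo_scan` port range are assumptions made so it runs without real sockets.

```c
#include <errno.h>
#include <sys/socket.h>
enum bind_outcome { BIND_OK, BIND_SKIP_ADDR, BIND_NEXT_PORT, BIND_FAIL };
/* One bind() on (family, port): 0 on success, else an errno value. Hypothetical
 * function-pointer shape so the loop can run here without real sockets. */
typedef int (*try_bind_fn)(int family, int port, void *ctx);
/* The distinction the comment draws: EADDRINUSE means the <address,port> tuple is
 * taken, possibly by another local user (the CVE-2008-1483 case): abandon the port.
 * EADDRNOTAVAIL means the interface/family does not exist here: skip that address. */
static enum bind_outcome classify_bind_error(int err) {
    if (err == 0)             return BIND_OK;
    if (err == EADDRINUSE)    return BIND_NEXT_PORT;
    if (err == EADDRNOTAVAIL) return BIND_SKIP_ADDR;
    return BIND_FAIL;                     /* any other error is fatal */
}
/* Scan ports [first, last]; return the first one on which every address present on
 * this host was bound and none was in use, or -1. (Real code would also close the
 * sockets already bound on a port before moving on to the next one.) */
int find_x11_port(const int *fam, int n, int first, int last,
                  try_bind_fn try_bind, void *ctx) {
    for (int port = first; port <= last; port++) {
        int nbound = 0;
        enum bind_outcome r = BIND_OK;
        for (int i = 0; i < n && r != BIND_NEXT_PORT && r != BIND_FAIL; i++) {
            r = classify_bind_error(try_bind(fam[i], port, ctx));
            if (r == BIND_OK) nbound++;
        }
        if (r == BIND_FAIL) return -1;
        if (r == BIND_NEXT_PORT) continue;   /* the old code wrongly went on to ai_next here */
        return nbound > 0 ? port : -1;       /* no address at all: nothing would listen */
    }
    return -1;
}

/* Constructed stand-in for bind(): another process holds the IPv4 side of
 * in_use_port, and the host has no IPv6 address when ipv6_present == 0. */
struct sim_host { int in_use_port; int ipv6_present; };
int sim_bind(int family, int port, void *ctx) {
    const struct sim_host *h = ctx;
    if (family == AF_INET6 && !h->ipv6_present) return EADDRNOTAVAIL;
    if (family == AF_INET && port == h->in_use_port) return EADDRINUSE;
    return 0;
}
/* Scan displays :10 to :12 (ports 6010-6012) against the simulated host. */
int demo_scan(int in_use_port, int ipv6_present) {
    static const int families[] = { AF_INET, AF_INET6 };
    struct sim_host h = { in_use_port, ipv6_present };
    return find_x11_port(families, 2, 6010, 6012, sim_bind, &h);
}
```

With the IPv4 side of 6010 held by someone else the scan skips the whole display rather than listening only on IPv6, while a host without IPv6 still gets a listener on 6010.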