X11 forwarding with IPv6 disabled
Jakub Jelen
jjelen at redhat.com
Thu Mar 30 00:26:54 AEDT 2017
Hello all,
one more (ever-returning) bug [1] reported recently caught my eye. The
problem is that disabling IPv6 in kernel leads to OpenSSH failing to
bind localhost IPv6 address and after the fix for CVE-2008-1483 [2]
leads to the whole X11 forwarding fail.
If I read the description of the CVE in question correctly, we should
care only of the case when the address is already used (errno =
EADDRINUSE). Other errors or at least EADDRNOTAVAIL (trying to bind IPv6
address when disabled or the other way round) should not lead to fatal
errors and fallback to the other address (if any).
This was already discussed in the bug #2143 [2] and #1356 [3] with
basically the same patch I came up with. The comments from Darren nor
Damien in any of them did not come with any convincing reasoning why not
to include this change. Therefore I am bringing this issue up again
here. Can you have a look into that and get that fixed almost 10 years
later? Any comments welcome.
Other discussed solution would be not to return IPv6 address from
getaddrinfo() if disabled, but I don't think we will be able to justify
this change of behavior.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1436097
[2] https://github.com/openssh/openssh-portable/commit/5f5cd746
[3] https://bugzilla.mindrot.org/show_bug.cgi?id=2143
Thanks,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
More information about the openssh-unix-dev
mailing list