X11 forwarding with IPv6 disabled

Jakub Jelen jjelen at redhat.com
Thu Mar 30 00:26:54 AEDT 2017

Hello all,
one more (ever-returning) bug [1] reported recently caught my eye. The 
problem is that disabling IPv6 in kernel leads to OpenSSH failing to 
bind localhost IPv6 address and after the fix for CVE-2008-1483 [2] 
leads to the whole X11 forwarding fail.

If I read the description of the CVE in question correctly, we should 
care only of the case when the address is already used (errno = 
EADDRINUSE). Other errors or at least EADDRNOTAVAIL (trying to bind IPv6 
address when disabled or the other way round) should not lead to fatal 
errors and fallback to the other address (if any).

This was already discussed in the bug #2143 [2] and #1356 [3] with 
basically the same patch I came up with. The comments from Darren nor 
Damien in any of them did not come with any convincing reasoning why not 
to include this change. Therefore I am bringing this issue up again 
here. Can you have a look into that and get that fixed almost 10 years 
later? Any comments welcome.

Other discussed solution would be not to return IPv6 address from 
getaddrinfo() if disabled, but I don't think we will be able to justify 
this change of behavior.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1436097
[2] https://github.com/openssh/openssh-portable/commit/5f5cd746
[3] https://bugzilla.mindrot.org/show_bug.cgi?id=2143

Jakub Jelen
Software Engineer
Security Technologies
Red Hat

More information about the openssh-unix-dev mailing list