Mailing List Archive

[Bug 1457] X11 Forwarding doesn't work anymore on a solaris 10 host where ipv6 has not been enabled
https://bugzilla.mindrot.org/show_bug.cgi?id=1457


Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org




--- Comment #1 from Damien Miller <djm@mindrot.org> 2008-04-06 07:12:41 ---
I think this is a Solaris bug in the getaddrinfo implementation - there
is no reason for it to return addresses that will never bind.

You can work around this by specifying "AddressFamily inet" in your
sshd_config.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
--- Comment #2 from Yann Rouillard <yann@pleiades.fr.eu.org> 2008-04-06 08:38:11 ---

Yes, it's what I'm wondering, and I am trying to see how other OSes behave.

BTW, while reading the getaddrinfo manpage, I found the following
option:

If the AI_ADDRCONFIG flag is specified, IPv4 addresses are returned
only if an IPv4 address is configured on the local system, and IPv6
addresses are returned only if an IPv6 address is configured on the
local system. For this case, the loopback address is not considered to
be as valid as a configured address. For example, when using the DNS, a
query for AAAA records should occur only if the node has at least one
IPv6 address configured (other than IPv6 loopback) and a query for A
records should occur only if the node has at least one IPv4 address
configured (other than the IPv4 loopback).

that could have been interesting.

However, as an ipv6 loopback is not considered a valid interface, that
would still allow an attacker to hijack an X11 session in the case where
only the loopback is ipv6 enabled and an application first tries to talk
to the X11 forwarded port via tcp6.

--- Comment #3 from Yann Rouillard <yann@pleiades.fr.eu.org> 2008-04-06 09:51:53 ---
Made some tests under Linux/Ubuntu and the same problem exists.

getaddrinfo also returns the ipv6 loopback address ::1 even if inet6 is
not configured on the interface.

But the thing is that it's not a standard setup under linux, usually,
either you have ipv6 enabled and ipv6 on all interfaces, or ipv6 is
disabled. To reproduce the bug, I had to load the ipv6 module and then
manually disable the inet6 loopback address.

You usually don't meet the solaris-like case where ipv6 is in fact
enabled but no interface is configured with ipv6 support.


So I suppose that theoretically, you should not assume that the address
information returned by getaddrinfo is valid, but I haven't yet
read POSIX to check.


BTW, I maintain the blastwave openssh package [1] and I would like to
apply the attached patch on the stable package. May I request your
opinion about it?


[1] http://www.blastwave.org/

--- Comment #4 from Damien Miller <djm@mindrot.org> 2008-04-06 12:15:38 ---
Well, I'd be wary of doing this - adding hacks to support broken
systems is what got us this bug to begin with :(

--- Comment #5 from Yann Rouillard <yann@pleiades.fr.eu.org> 2008-04-06 22:44:20 ---
Well, I don't want to break X11 forwarding on a lot of systems with a
stable update, so I would just like to know if the attached patch still
properly fixes the security hole without side effects.

About this patch being a hack, it's true I have to make this
modification for a Solaris-specific issue, but not binding on a
non-existent interface could be considered good behavior.

Anyway, if you're not interested in this issue, feel free to change it
to WONTFIX or INVALID.

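
The distinction this thread turns on, as an added C example (not OpenSSH code and not the patch attached to the bug): skip loopback addresses that getaddrinfo returns but the host cannot use, and refuse to continue when a usable address cannot be bound. The function names and the errno policy are assumptions made for illustration.

```c
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum bind_verdict { BIND_SKIP, BIND_ABORT };

/* Assumed policy: an address the host cannot use at all is skipped; any
 * other failure (notably EADDRINUSE) aborts, because another process may
 * already hold the port in that address family. */
enum bind_verdict classify_bind_errno(int err)
{
    return (err == EADDRNOTAVAIL || err == EAFNOSUPPORT) ? BIND_SKIP : BIND_ABORT;
}

/* Bind every loopback address getaddrinfo() offers for `port`.
 * Returns the number of sockets stored in fds, 0 if no address was usable,
 * or -1 (with every socket closed) if a usable address could not be bound. */
int bind_loopback_all(const char *port, int *fds, int max)
{
    struct addrinfo hints, *res, *ai;
    int n = 0, on = 1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;      /* ask for both IPv4 and IPv6 */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(NULL, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL && n < max; ai = ai->ai_next) {
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0 && ai->ai_family == AF_INET6)
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        if (fd >= 0 && bind(fd, ai->ai_addr, ai->ai_addrlen) == 0) {
            fds[n++] = fd;
            continue;
        }
        int err = errno;              /* set by socket() or bind() */
        if (fd >= 0) close(fd);
        if (classify_bind_errno(err) == BIND_ABORT) {
            while (n > 0) close(fds[--n]);
            freeaddrinfo(res);
            return -1;
        }
    }
    freeaddrinfo(res);
    return n;
}
```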