Dear SSH maintainers, dear LTS team,

I just spent quite some time with reading openSSH code related to checking if CVE-2015-5352 [1] needs to be fixed in Debian squeeze LTS.

The upstream commit for fixing CVE-2015-5352 is at [2]. The fix addresses an issue with the ForwardX11Timeout option in ssh_config. This option is not present in Debian squeeze's version of openSSH. So basically openSSH in squeeze is not affected.

In squeeze's version there is a hard-coded ForwardX11Timeout of 1200 (in seconds, 20min lifetime of the X11 auth cookie).

However, I sense, that parts of the commit [2] should be adopted, esp. this part:

--- a/clientloop.c
+++ b/clientloop.c
@@ -1706,6 +1729,11 @@ (in client_request_x11 function)
                    "malicious server.");
                return NULL;
+       if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
+               verbose("Rejected X11 connection after ForwardX11Timeout "
+                        "expired");
+               return NULL;
+       }
        originator = packet_get_string(NULL);
        if (datafellows & SSH_BUG_X11FWD) {
                debug2("buggy server: x11 request w/o originator_port");

... where x11_refuse_time would be the hard-coded 1200s value...

Any feedback is highly welcome!



mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31


Attachment: pgp7D8FunZ8Um.pgp
Description: Digitale PGP-Signatur

Reply via email to