Hi Yves-Alexis, all,

On Wed, Jul 03, 2024 at 10:54:30PM +0200, Yves-Alexis Perez wrote:
> use `-e` on sshd command-line as a mitigation measure.

An interesting idea!

> I agree with Hector that at first sight the `snprintf()` call looks OK on glibc
> (no dynamic memory allocation or complicated handling that I could spot
> either), and the write to stderr is done using write(2) (which is async-
> signal-safe).

We also agree: glibc's snprintf() only calls malloc functions if the
format string specifies positional parameters or floating points, which
is not the case in sshd's SIGALRM handler.

We double-checked this on Debian 12.5.0 and confirmed that the SIGALRM
handler does not call any malloc function anymore if "-e" is used.

> What are your thoughts on this mitigation?

Perhaps surprisingly (given the above) we advise against this mitigation
in the general case: unlike the "LoginGraceTime 0" mitigation, this "-e"
mitigation still calls the SIGALRM handler, which has a long and complex
history in sshd, so there is no guarantee that this mitigation is also
safe for other distributions or versions of sshd.

> thanks Qualys for the outstanding research and detailed report (as always).

Thank you very much for your kind words! With best regards,

-- 
the Qualys Security Advisory team
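The glibc claim above (a plain %s/%d snprintf() never reaches the heap) can be checked offline with a small interposing allocator. This is an added example, not code from the thread participants or from OpenSSH: it replaces malloc/calloc/realloc/free with a counting bump arena and measures how many allocator calls a log-style snprintf() makes; the message text is constructed, not sshd's real wording, and only the heap-free case is asserted.

```c
/* Counts allocator calls made while snprintf() runs.  Defining
   malloc() & friends in the executable interposes glibc's own calls,
   so any heap use inside snprintf() is observed here.  Test tool only:
   the arena is a static bump allocator that never frees. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE (4u << 20)            /* 4 MiB: plenty for a test run */
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;
static unsigned long heap_calls;         /* bumped on every allocator entry */

/* 16-byte aligned bump allocation; the size is kept in a header for realloc. */
static void *arena_alloc(size_t n) {
    size_t need = (n + 16 + 15) & ~(size_t)15;
    if (arena_used + need > ARENA_SIZE) return NULL;
    unsigned char *p = arena + arena_used;
    arena_used += need;
    *(size_t *)p = n;
    return p + 16;
}
void *malloc(size_t n) { heap_calls++; return arena_alloc(n); }
void *calloc(size_t a, size_t b) {
    heap_calls++;
    void *p = arena_alloc(a * b);
    return p ? memset(p, 0, a * b) : NULL;
}
void *realloc(void *old, size_t n) {
    heap_calls++;
    void *p = arena_alloc(n);
    if (p && old) {
        size_t o = *(size_t *)((unsigned char *)old - 16);
        memcpy(p, old, o < n ? o : n);
    }
    return p;
}
void free(void *p) { (void)p; }          /* arena memory is never released */

/* Formats a log line the way a stderr-only sshd log path would and returns
   the number of allocator calls that happened inside snprintf() itself. */
__attribute__((noinline))
unsigned long heap_calls_during_snprintf(char *buf, size_t len,
                                         const char *fmt, const char *s, int d) {
    unsigned long before = heap_calls;
    snprintf(buf, len, fmt, s, d);       /* plain %s / %d: expected heap-free */
    return heap_calls - before;
}

int main(void) {
    char buf[256];                       /* constructed message, not sshd's */
    unsigned long n = heap_calls_during_snprintf(buf, sizeof buf,
        "Timeout before authentication for %s port %d", "192.0.2.10", 22);
    printf("%s -> %lu allocator calls\n", buf, n);
    return n == 0 ? 0 : 1;
}
```

The floating-point and positional-parameter cases are deliberately not asserted, since whether glibc falls back from its stack scratch buffers to malloc() there depends on the glibc version and argument count.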
