Regression in signal handler.

This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd’s privileged code, which is not sandboxed and runs with full privileges.

  • MrSoup
    link
    fedilink
    English
    arrow-up
    6
    ·
    5 months ago

    8.5p1 <= OpenSSH < 9.8p1 is vulnerable

    • refalo@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      3
      ·
      5 months ago

      what does that mean? I don’t understand multiple signs in the same sentence and what is the significance of having “OpenSSH” in the middle?

      • cucumberbob@programming.dev
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        5 months ago

        You can read them as separate statements with the middle repeated and a logical AND between them:

        If (8.5p1 <= your OpenSSH version) AND (your OpenSSH version < 9.8p1) Then you are vulnerable

        It’s the same as saying if your OpenSSH version is between these two versions (including 8.5p1, but not 9.8p1), then you are vulnerable

        • refalo@programming.dev
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          3
          ·
          5 months ago

          I don’t get it… wouldn’t everything < 9.8p1 already include <= 8.5p1? So why is it even necessary to mention?

          • rushaction@programming.dev
            link
            fedilink
            English
            arrow-up
            3
            ·
            5 months ago

            Because this is a regression and this particular issue was introduced in 8.5p1. So it only affects versions newer than that, up until when it was fixed in 9.8p1.

          • towerful@programming.dev
            link
            fedilink
            English
            arrow-up
            1
            ·
            5 months ago

            For an integer, 4 < x < 6 x has to be 5. It’s the only value that satisfies all sides of the equation.
            You are deriving a set of values for open ssh that satisfies all sides of the equation.

            I think it’s more of a mathematical representation than programming representation (I mean, I don’t know of a language that would accept that syntax).
            Certainly psuedocode would have quick statements like this