bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-01 04:05 UTC
[Bug 1356] New: X11 forwarding broken.
http://bugzilla.mindrot.org/show_bug.cgi?id=1356 Summary: X11 forwarding broken. Product: Portable OpenSSH Version: 4.5p1 Platform: Other OS/Version: FreeBSD Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy: marka at isc.org Created an attachment (id=1343) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1343) X11 bind(2) error handling. I was testing FreeBSD 6-STABLE with no IPv4 interfaces configured. I was unable to forward X11 in this configuration. The reason it failed was that IPv4 was the last address family returned by getaddrinfo(). The attached patch changes the error behaviour on bind(2) failures to be dependent on errno and not the position in the list returned by getaddrinfo(). Also logged w/ FreeBSD as bin/115960. Mark -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Sep-01 04:09 UTC
[Bug 1356] X11 forwarding broken.
http://bugzilla.mindrot.org/show_bug.cgi?id=1356 Mark Andrews <marka at isc.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1343 is|0 |1 obsolete| | --- Comment #1 from Mark Andrews <marka at isc.org> 2007-09-01 14:09:37 --- Created an attachment (id=1344) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1344) X11 bind(2) error handling -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-18 00:26 UTC
[Bug 1356] X11 forwarding broken.
https://bugzilla.mindrot.org/show_bug.cgi?id=1356 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Status|NEW |RESOLVED Resolution| |WONTFIX --- Comment #2 from Damien Miller <djm at mindrot.org> 2009-08-18 10:26:34 EST --- The logic for X11 binding has changed as a result of http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483 -- OpenSSH>5.0 will still fail in this case (getaddrinfo() returning both IPv4and v6 addrs but bind not working for one of them), but it will fail /on purpose/. Given the problem that gave us CVE-2008-1483, I think OpenSSH refusing X11 forwarding is the only reasonable solution. IMO getaddrinfo() shouldn't return addresses that cannot be bound. A workaround for this is to explicitly set AddressFamily in sshd_config(5). -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-21 07:31 UTC
[Bug 1356] X11 forwarding broken.
https://bugzilla.mindrot.org/show_bug.cgi?id=1356 Mark Andrews <marka at isc.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|WONTFIX | --- Comment #3 from Mark Andrews <marka at isc.org> 2009-08-21 17:31:23 EST ---> The logic for X11 binding has changed as a result of > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483 -- OpenSSH > >5.0 will still fail in this case (getaddrinfo() returning both IPv4 > and v6 addrs but bind not working for one of them), but it will fail > /on purpose/.There is a difference between EADDRINUSE and EADDRNOTAVAIL. One indicates that the <address,port> tuple is in use. The other indicates that the interface does not exist.> Given the problem that gave us CVE-2008-1483, I think OpenSSH refusing > X11 forwarding is the only reasonable solution. IMO getaddrinfo() > shouldn't return addresses that cannot be bound. A workaround for this > is to explicitly set AddressFamily in sshd_config(5).The case in CVE-2008-1483 is covered by moving to the next port on EADDRINUSE. The patch was to not fail for EADDRNOTAVAIL which is a completely different condition. All errors are not equal. Note the old code was wrong to continue on ai->ai_next being non NULL which was why I removed the examination of ai->ai_next when I reported this problem. I had already thought about other applications listening on one of the interfaces and not the other which is why I looked at the value of errno. Mark -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-21 15:37 UTC
[Bug 1356] X11 forwarding broken.
https://bugzilla.mindrot.org/show_bug.cgi?id=1356 --- Comment #4 from Damien Miller <djm at mindrot.org> 2009-08-22 01:37:14 EST --- Well, the case I had in mind was a machine that has an IPv6 address but not yet an IPv4 address (e.g. via rtsol and dhcp racing). sshd could end up binding the IPv6 socket but not an IPv4 one that could subsequently become valid. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Apparently Analagous Threads
- [Bug 1950] New: sshd tries to bind over and over to ::1 for several seconds
- [Bug 2143] New: X11 forwarding for ipv4 is broken when ipv6 is disabled on the loopback interface
- 5.2: Solaris 10 x86 x-11 forwarding fails, assign requested address
- OpenSSH -current segfaults on HP-UX+gcc
- X11 forwarding with IPv6 disabled