Re: CVE request: mysecureshell: information disclosure (or worse)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/23/2013 11:17 AM, Sebastian Pipping wrote:
> Hello everyone,
>
>
> mysecureshell [1] is an SFTP-only shell to be used with sshd.
>
> The latest release 1.31 makes use of shared memory to maintain 128
> slots with one struct for each connection/process. Access to that
> block of shared memory is not (or not properly) synchronized, so
> two or more processes might end up occupying the very same slot
> when process scheduling wants that to happen.  The effective 
> permissions of the process remain untouched, though.  So it's
> logging in as someone else and it isn't.
>
> The relevant code from SftpServer/SftpWho.c (lines 106 and after)
> is:
>
> for (i = 0; i < SFTPWHO_MAXCLIENT; i++) if (who[i].status ==
> SFTPWHO_EMPTY) { (void) usleep(100); if (who[i].status ==
> SFTPWHO_EMPTY) { //clean all old infos memset(&who[i], 0,
> sizeof(*who)); //marked structure as occuped :) who[i].status =
> SFTPWHO_IDLE; return (&who[i]); } }
>
> The symptoms of this bug have been reported earlier at [2] by forum
> user "voleg".  To my best knowledge, there is no CVE number
> assigned yet.
>
> Best,
>
>
>
> Sebastian
>
>
> [1] http://mysecureshell.sourceforge.net/ [2]
> http://mysecureshell.free.fr/forum/viewtopic.php?id=655

To reiterate: so I can confirm CVE assignments, and prevent duplicate
assignments you *MUST* provide links to the code commits/vulnerable
code. I don't have the time to go hunting through your source code for
them. People need to start making better CVE requests, or you're not
going to get CVEs from me.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR8OLgAAoJEBYNRVNeJnmTmREQAJqIQ4SB9RtJ0G5N47vtHdij
Dp0T2Nq0wQU+NPDXvk9V0xUrTIorNb0L0MIf+VrCMDce1ipIns4GO7ru2P6Fyxyq
plTbQHGfhsJh0sUDW8DrX2ZQmR6hLor++gBM5a7qE5nmXuy9SBJwwVbM79aiGyCt
PQpXdkvBhkn1yzhM/THiZEXU0ZaqwRwn3ny8TIJJCNuz5nqoiiYRSoXz8+EHztUC
pV8dnNZYR7VLBLduialEhlm6fjKIYj/IGvBQ3nRLuvgeqhT1T5pnd/kLbniY+8x7
sH/ShQA6ORlx9h+j6JNOjd8QT7Tc7KLdiIjoGXwCzBAOR2kuZ7UIzvvc30DyeoEG
8VghYfBbDW9Y2FM+roVywl5SJ6rQjzd2vzPYpd+VAadY9E8NLaXNBmE049IhX4ct
4VXv1KY70uz9J8RNnxTdJaWJt19n2zI+bXru55Btki0mKPNQ6HSJYWkawH0nab9B
KJaMLX5KE4dJD16VmLD3jpIgnf6gK6Y7UvO6ERi5ThBIQ7s2JWggg4L6DCrata5a
WyniqQC/TYLeBkrakPVQxnj5N854IfbbyjtocoEFueQi8jcKanIcyAeyliux3LY6
37kxhXJcalvsKsgGSwChIlBgimpkLchzzTkzstuz5BR+LjAvw0hGSOfzu2VFOzb8
UT4MLCwXSUmuwq77ESuM
=2ar5
-----END PGP SIGNATURE-----