oss-sec mailing list archives

Re: CVE-2023-51767: a bogus CVE in OpenSSH


From: "Todd C. Miller" <Todd.Miller () sudo ws>
Date: Tue, 23 Sep 2025 10:32:54 -0600

On Tue, 23 Sep 2025 05:21:13 +0200, Solar Designer wrote:

> FWIW, this paper was brought to oss-security back then, and I've added
> CC's to this reply based on that message:
>
> https://www.openwall.com/lists/oss-security/2023/12/21/9
>
> The only CVE I see in the paper itself is CVE-2023-42465 for sudo, which
> upstream (and some distros) fixed.  Was it perhaps more serious for sudo
> (actually exposed in real-world setups)?  Also CC'ing Todd for sudo.

I don't think it was particularly serious for sudo.  The attack was
only against passwd-based authentication, not PAM.  As such it
didn't really affect modern systems.

The interesting thing, to me anyway, was that it shows how a
single-bit flip can affect security-relevant functions with a boolean
return value.  In contrast, a function that returns 0 on success
and -1 (or other negative values) on error can be safer as long as
the caller checks for success (0) instead of error (-1).

For sudo I chose to use return values where a large number of bits
need to be flipped during the policy evaluation.  However, the
interface between the sudo front-end and the policy module still
uses a 0/1/-1 return value so it's not clear how effective this
actually is.

 - todd
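As an added illustration of the return-value point made above (example code written for this archive page, not sudo's or OpenSSH's own; the constants and the caller checks are constructed), the same password check is expressed with a boolean result, a 0/-1 result, and a multi-bit result, and a helper counts how many single-bit faults in a rejected result each caller check would misread as success:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not sudo's or OpenSSH's code: one password check
 * expressed with three return-value conventions, and a helper that
 * simulates a single-bit fault in the returned value before the caller
 * inspects it. The constants below are made up for illustration. */

#define AUTH_SUCCESS 0x5A5A5A5Au  /* constructed; not sudo's real value */
#define AUTH_FAILURE 0xA5A5A5A5u  /* constructed; differs in all 32 bits */

/* Convention 1: boolean. false (0) and true (1) differ in one bit. */
static bool auth_bool(const char *pw, const char *expected) {
    return strcmp(pw, expected) == 0;
}

/* Convention 2: 0 on success, -1 on error (all bits set). */
static int auth_int(const char *pw, const char *expected) {
    return strcmp(pw, expected) == 0 ? 0 : -1;
}

/* Convention 3: distinct multi-bit constants; caller compares for equality. */
static uint32_t auth_magic(const char *pw, const char *expected) {
    return strcmp(pw, expected) == 0 ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* The checks a caller might write against each convention. */
typedef bool (*accepts_fn)(uint32_t);
static bool accept_nonzero(uint32_t r)   { return r != 0; }             /* if (ok) */
static bool accept_not_error(uint32_t r) { return (int32_t)r != -1; }   /* if (rc != -1) */
static bool accept_zero(uint32_t r)      { return r == 0; }             /* if (rc == 0) */
static bool accept_magic(uint32_t r)     { return r == AUTH_SUCCESS; }  /* if (rc == AUTH_SUCCESS) */

/* Hamming distance between two return values: how many bits a fault
 * would have to flip to turn one into the other. */
static int hamming(uint32_t a, uint32_t b) { return __builtin_popcount(a ^ b); }

/* Count the single-bit faults in a rejected result that a given caller
 * check would misread as success (0 means no single flip escalates). */
static int flips_misread(uint32_t rejected, accepts_fn accepts) {
    int n = 0;
    for (unsigned b = 0; b < 32; b++)
        if (accepts(rejected ^ (1u << b)))
            n++;
    return n;
}
```

With a rejected result, `accept_nonzero` and `accept_not_error` are fooled by every one of the 32 possible single-bit flips, while `accept_zero` and `accept_magic` are fooled by none, which is the difference between checking for error and checking for the exact success value.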
