
Re: [PATCH] Allow SSH2_MSG_EXT_INFO when authenticated


On Mon, 2018-12-10 at 09:10 -0500, Anderson Sasaki wrote:
> Hello,
> 
> Continuing the investigation of the curl issue [1], I found the
> actual problem which is a regression introduced by the CVE-2018-10933 
> fix.
> The SSH_MSG_EXT_INFO, used in key exchange, is being filtered when
> the user is already authenticated. This breaks the re-keying.
> Attached is a patch to fix this regression. It can be reviewed
> in gitlab [2].

I don't think your patch is right. The SSH_MSG_EXT_INFO is acceptable
only during the first key exchange. See the discussion in OpenSSH bug
about this + the RFC:

https://bugzilla.mindrot.org/show_bug.cgi?id=2929

>    o  As the next packet following the server's first SSH_MSG_NEWKEYS. [0]

The bug in OpenSSH server was that it sent the EXT_INFO when the
ext-info-c was sent by the libssh client in the rekey request (also
wrongly, but already fixed in [1]).

[0] https://tools.ietf.org/html/rfc8308#section-2.4
[1] https://gitlab.com/jjelen/libssh-mirror/commit/83f2ac4a

> 
> Regards,
> Anderson
> 
> [1] https://github.com/curl/curl/issues/3310
> [2] https://gitlab.com/ansasaki/libssh-mirror/merge_requests/20
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
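The rule Jakub quotes from RFC 8308 section 2.4, as an added example that is not part of this thread and not libssh's or OpenSSH's code: a toy client-side message filter that accepts SSH_MSG_EXT_INFO only as the packet immediately following the server's first SSH_MSG_NEWKEYS, and rejects it during a rekey whether or not the user is authenticated, while still letting the rekey's own NEWKEYS through. It also shows the client-side half of the fix referenced as [1]: "ext-info-c" is advertised only in the first KEXINIT, not in a rekey. The message numbers are the real values from RFC 4253, RFC 4252 and RFC 8308; the struct, field and function names, and the message sequences replayed at the bottom, are this example's own constructions. The RFC's other permitted position for a server's EXT_INFO (immediately preceding SSH_MSG_USERAUTH_SUCCESS) is deliberately not modelled here.

```c
/* Added example (not libssh's or OpenSSH's code): a toy client-side filter that
 * accepts SSH_MSG_EXT_INFO only where RFC 8308 2.4 allows it, i.e. as the packet
 * that immediately follows the server's FIRST SSH_MSG_NEWKEYS, and never during
 * a rekey, regardless of whether the user is authenticated. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Message numbers from RFC 4253, RFC 4252 and RFC 8308. */
#define SSH_MSG_EXT_INFO         7
#define SSH_MSG_KEXINIT          20
#define SSH_MSG_NEWKEYS          21
#define SSH_MSG_USERAUTH_SUCCESS 52
#define SSH_MSG_CHANNEL_DATA     94

/* Hypothetical, minimal per-session state; field names are this example's own. */
struct ext_info_filter {
    unsigned newkeys_seen;      /* SSH_MSG_NEWKEYS packets received from the server */
    uint8_t  last_msg;          /* previous message type received (0 = none yet) */
    bool     authenticated;     /* tracked for illustration only: it plays no role */
    bool     ext_info_received; /* EXT_INFO already accepted this session */
};

/* Client side: advertise "ext-info-c" in KEXINIT only for the first key exchange.
 * Advertising it again in a rekey KEXINIT invites the server to answer with a
 * second EXT_INFO, which the filter below must then reject. */
bool advertise_ext_info_c(const struct ext_info_filter *f)
{
    return f->newkeys_seen == 0;
}

/* Decide whether an incoming server message is accepted; updates state either
 * way. Returns true if accepted, false if the message must be rejected. */
bool filter_incoming(struct ext_info_filter *f, uint8_t msg_type)
{
    bool accept = true;

    if (msg_type == SSH_MSG_EXT_INFO) {
        /* Only right after the first NEWKEYS; a rekey is the 2nd, 3rd, ... NEWKEYS.
         * Note that f->authenticated is intentionally not consulted. */
        accept = f->newkeys_seen == 1
              && f->last_msg == SSH_MSG_NEWKEYS
              && !f->ext_info_received;
        if (accept)
            f->ext_info_received = true;
    } else if (msg_type == SSH_MSG_NEWKEYS) {
        f->newkeys_seen++;
    } else if (msg_type == SSH_MSG_USERAUTH_SUCCESS) {
        f->authenticated = true;
    }
    f->last_msg = msg_type;
    return accept;
}

/* Replay a sequence of server->client message types through a fresh filter.
 * Returns the index of the first rejected message, or -1 if all are accepted. */
int first_rejected_index(const uint8_t *msgs, size_t n)
{
    struct ext_info_filter f = {0};
    for (size_t i = 0; i < n; i++)
        if (!filter_incoming(&f, msgs[i]))
            return (int)i;
    return -1;
}

/* Whether the client would still put ext-info-c in its next KEXINIT after
 * having processed the given sequence. */
bool would_advertise_after(const uint8_t *msgs, size_t n)
{
    struct ext_info_filter f = {0};
    for (size_t i = 0; i < n; i++)
        filter_incoming(&f, msgs[i]);
    return advertise_ext_info_c(&f);
}

/* Constructed message sequences (server -> client), not captured traffic. */
/* Initial key exchange followed by EXT_INFO: the one place EXT_INFO belongs. */
const uint8_t seq_initial_kex[] = {
    SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS, SSH_MSG_EXT_INFO
};
/* EXT_INFO arriving before any NEWKEYS: rejected at index 1. */
const uint8_t seq_before_newkeys[] = {
    SSH_MSG_KEXINIT, SSH_MSG_EXT_INFO, SSH_MSG_NEWKEYS
};
/* Authenticated session rekeys; the rekey's NEWKEYS passes (index 6) but the
 * EXT_INFO a misbehaving server sends after it is rejected (index 7). */
const uint8_t seq_rekey_after_auth[] = {
    SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS, SSH_MSG_EXT_INFO, SSH_MSG_USERAUTH_SUCCESS,
    SSH_MSG_CHANNEL_DATA, SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS, SSH_MSG_EXT_INFO
};
/* Well-behaved rekey after auth with no EXT_INFO: nothing rejected, rekey works. */
const uint8_t seq_rekey_clean[] = {
    SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS, SSH_MSG_EXT_INFO, SSH_MSG_USERAUTH_SUCCESS,
    SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS, SSH_MSG_CHANNEL_DATA
};

int main(void)
{
    printf("initial kex:      first rejected = %d\n",
           first_rejected_index(seq_initial_kex, sizeof seq_initial_kex));
    printf("before NEWKEYS:   first rejected = %d\n",
           first_rejected_index(seq_before_newkeys, sizeof seq_before_newkeys));
    printf("rekey after auth: first rejected = %d\n",
           first_rejected_index(seq_rekey_after_auth, sizeof seq_rekey_after_auth));
    printf("clean rekey:      first rejected = %d\n",
           first_rejected_index(seq_rekey_clean, sizeof seq_rekey_clean));
    return 0;
}
```

The decision is keyed on the NEWKEYS count and the previous packet, not on authentication state: that is what separates "filter EXT_INFO in a rekey" (correct per the RFC) from "filter EXT_INFO once authenticated" (the behaviour the original patch tries to loosen). Compile with `cc -std=c99 -Wall ext_info_filter.c && ./a.out`.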


Follow-Ups:
Re: [PATCH] Allow SSH2_MSG_EXT_INFO when authenticated, Anderson Sasaki <ansasaki@xxxxxxxxxx>
References:
[PATCH] Allow SSH2_MSG_EXT_INFO when authenticated, Anderson Sasaki <ansasaki@xxxxxxxxxx>