Sun flubs another SSH patch

June 17, 2008

I haven't been involved with Solaris 9 for a while now, so I have no idea if they've fixed the Solaris 9 SSH patch problem by now (although I certainly hope they have). But I was recently heartened to discover that Sun is perfectly capable of fumbling Solaris 10 SSH patches as well.

Sun recently released patch 126134-03, 'sshd patch', for Solaris 10 x86, in order to fix CVE-2008-1483, where the fun semantics of IPv6 versus IPv4 let an attacker hijack forwarded X sessions. Unfortunately if you install this patch on a system without IPv6 enabled, you lose the ability to forward X at all.

(Instead, sshd syslogs the message "error: Failed to allocate internet-domain X11 display socket". What it really means is that it failed to allocate any IPv6 listening sockets because you don't have IPv6 enabled, and it refuses to fall back to IPv4.)
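As an added illustration of what a correct fix has to get right (example code written for this post, not Sun's or OpenSSH's sshd), the sketch below allocates an X11 display port across address families the way the CVE-2008-1483 fix needs to: a family the host simply does not have is skipped, but a family the host does have must never be left unbound. It assumes the usual 6000+N port convention, display numbers starting at 10 and loopback-only binding.

```python
import errno
import socket

# Assumptions (not from the post): X11 display N listens on TCP port 6000+N,
# sshd starts at display 10, and the sockets are bound to loopback only.
X11_BASE_PORT, FIRST_DISPLAY, MAX_DISPLAYS = 6000, 10, 1000
LOOPBACK = ((socket.AF_INET, "127.0.0.1"), (socket.AF_INET6, "::1"))
IPV4_ONLY = LOOPBACK[:1]  # what a host without IPv6 effectively offers

# errnos meaning "this address family is not available on this host"; treating
# them as fatal, instead of skipping the family, is the bug the post describes.
FAMILY_UNAVAILABLE = {errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT,
                      errno.EADDRNOTAVAIL}

def allocate_x11_display(candidates=LOOPBACK, first=FIRST_DISPLAY):
    """Return (display, [listening sockets]), or None if nothing could be bound.
    Bind the display's port in every family the host supports.  An unsupported
    family is skipped, but if any supported family reports EADDRINUSE the
    display is abandoned and the next one tried: leaving one family unbound is
    what lets a local user squat on it and hijack the forwarded connection.
    """
    for display in range(first, first + MAX_DISPLAYS):
        port = X11_BASE_PORT + display
        bound, in_use = [], False
        for family, addr in candidates:
            try:
                sock = socket.socket(family, socket.SOCK_STREAM)
            except OSError as exc:
                if exc.errno in FAMILY_UNAVAILABLE:
                    continue  # no such family here: not an error
                raise
            try:
                sock.bind((addr, port))
                sock.listen(5)
            except OSError as exc:
                sock.close()
                if exc.errno in FAMILY_UNAVAILABLE:
                    continue  # e.g. ::1 not configured: skip IPv6
                if exc.errno == errno.EADDRINUSE:
                    in_use = True  # someone holds this port: try next display
                    break
                raise
            bound.append(sock)
        if in_use:
            for sock in bound:
                sock.close()
            continue
        return (display, bound) if bound else None  # empty = no family worked
    return None
```

Passing IPV4_ONLY reproduces the post's configuration (a host without IPv6): the allocation still succeeds, which is exactly what the patched sshd failed to do.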

It is difficult for me to understand how Sun managed to screw this one up. The bug is not unique to Sun's version of SSH and other operating systems managed to get the fix correct, and the problem is uncovered in literally ten seconds of testing on one of the most common customer configurations of Solaris 10 x86. Somehow Sun either let it slip through anyways or decided that it didn't matter and they would release the patch with known issues and without any sort of warning (and I am not sure which option would be worse).

Unfortunately, there's a bigger issue here than Sun continuing their history of screwing up ssh; it is that this makes it clear that you cannot trust Sun security patches. Untrustworthy security patches are only slightly better than no security patches, and arguably they're worse; at least with no security patches you know clearly where you stand.

PS: if you want workarounds, the ones here might work.

Written on 17 June 2008.

Last modified: Tue Jun 17 00:13:22 2008