Bug 1356 - X11 forwarding broken.
Summary: X11 forwarding broken.
Status: REOPENED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 4.5p1
Hardware: Other FreeBSD
Importance: P2 normal
Assignee: Assigned to nobody
Reported: 2007-09-01 14:05 EST by Mark Andrews
Modified: 2009-08-22 01:37 EST

Attachments
X11 bind(2) error handling. (696 bytes, patch)
2007-09-01 14:05 EST, Mark Andrews
X11 bind(2) error handling (681 bytes, patch)
2007-09-01 14:09 EST, Mark Andrews

Description Mark Andrews 2007-09-01 14:05:21 EST
Created attachment 1343
X11 bind(2) error handling.

I was testing FreeBSD 6-STABLE with no IPv4 interfaces configured.
I was unable to forward X11 in this configuration.

The reason it failed was that IPv4 was the last address family
returned by getaddrinfo(). The attached patch changes the error
behaviour on bind(2) failures to be dependent on errno and not
the position in the list returned by getaddrinfo().

Also logged w/ FreeBSD as bin/115960.

Mark
Comment 1 Mark Andrews 2007-09-01 14:09:37 EST
Created attachment 1344
X11 bind(2) error handling
Comment 2 Damien Miller 2009-08-18 10:26:34 EST
The logic for X11 binding has changed as a result of http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483 -- OpenSSH >5.0 will still fail in this case (getaddrinfo() returning both IPv4 and v6 addrs but bind not working for one of them), but it will fail /on purpose/. 

Given the problem that gave us CVE-2008-1483, I think OpenSSH refusing X11 forwarding is the only reasonable solution. IMO getaddrinfo() shouldn't return addresses that cannot be bound. A workaround for this is to explicitly set AddressFamily in sshd_config(5).
Comment 3 Mark Andrews 2009-08-21 17:31:23 EST
> The logic for X11 binding has changed as a result of
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483 -- OpenSSH
> >5.0 will still fail in this case (getaddrinfo() returning both IPv4
> and v6 addrs but bind not working for one of them), but it will fail
> /on purpose/. 

There is a difference between EADDRINUSE and EADDRNOTAVAIL.  One
indicates that the <address,port> tuple is in use.  The other
indicates that the interface does not exist.
 
> Given the problem that gave us CVE-2008-1483, I think OpenSSH refusing
> X11 forwarding is the only reasonable solution. IMO getaddrinfo()
> shouldn't return addresses that cannot be bound. A workaround for this
> is to explicitly set AddressFamily in sshd_config(5).
 
The case in CVE-2008-1483 is covered by moving to the next port on
EADDRINUSE.

The patch was to not fail for EADDRNOTAVAIL which is a completely
different condition.  All errors are not equal.

Note the old code was wrong to continue on ai->ai_next being non
NULL which was why I removed the examination of ai->ai_next when I
reported this problem.  I had already thought about other applications
listening on one of the interfaces and not the other which is why
I looked at the value of errno.

Mark
Comment 4 Damien Miller 2009-08-22 01:37:14 EST
Well, the case I had in mind was a machine that has an IPv6 address but not yet an IPv4 address (e.g. via rtsol and dhcp racing). sshd could end up binding the IPv6 socket but not an IPv4 one that could subsequently become valid.
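
The three bind(2) failure policies argued over in this thread, modelled side by side as an added example (not code from OpenSSH or from the attached patch). The policy names, the function and the sample inputs are hypothetical, and treating errors other than EADDRNOTAVAIL as fatal under the errno policy is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for the behaviours described in the comments above. */
enum policy {
    BY_POSITION, /* old code: a failure is ignored while ai->ai_next != NULL */
    BY_ERRNO,    /* reporter's approach: decide from errno, not list position */
    STRICT       /* OpenSSH >5.0: any bind failure abandons the port */
};

/*
 * res[i] simulates bind(2) on the i-th address returned by getaddrinfo():
 * 0 on success, otherwise the errno value. Returns the number of listeners
 * kept for this display port; 0 means "close all sockets, try the next port".
 */
int listeners_for_port(enum policy p, const int *res, size_t n)
{
    int kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (res[i] == 0) { kept++; continue; }
        switch (p) {
        case BY_POSITION:
            if (i + 1 < n) continue;  /* not the last address: skip it */
            return 0;                 /* last address failed: give up */
        case BY_ERRNO:
            if (res[i] == EADDRNOTAVAIL) continue; /* no such interface */
            return 0;  /* EADDRINUSE; other errors too (assumption) */
        case STRICT:
            return 0;
        }
    }
    return kept;
}

/* Constructed inputs: IPv6 listed first and bindable, no IPv4 interface ... */
const int no_ipv4[]  = { 0, EADDRNOTAVAIL };
/* ... and a port another process already holds on one address family. */
const int v4_taken[] = { EADDRINUSE, 0 };

int main(void)
{
    const char *name[] = { "by-position", "by-errno", "strict" };
    for (int p = BY_POSITION; p <= STRICT; p++)
        printf("%-12s no_ipv4=%d v4_taken=%d\n", name[p],
               listeners_for_port((enum policy)p, no_ipv4, 2),
               listeners_for_port((enum policy)p, v4_taken, 2));
    return 0;
}
```

Only the position-based policy keeps a single-family listener when the port is already in use on the other family. The errno policy also keeps one listener in the `no_ipv4` case, which is the partial bind Comment 4 is concerned about.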