Date: Sun, 3 Feb 2008 22:54:48 -0800
From: "Phil Miller" <pmiller@XXXXXX>
Sender: unmobile@XXXXXX
To: deraadt AT openbsd.org
Subject: OpenSSH security vulnerability: Local users can hijack forwarded X connections

Debian bug #463011 [1] describes a situation and technique in which
one user of a system can hijack a forwarded X connection attempt being
made by an application run by another user. I have verified that the
reproduction steps described in the bug report work [3,4].

I'm passing this along as a concerned user, as I've found no
indication from the bug description or Debian's security tracker entry
[2] or mailing list archives that information about this has been sent
upstream.

Phil Miller

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
[2] http://idssi.enyo.de/tracker/TEMP-0463011-000202
[3] with slight corrections - the command to listen should be "netcat
-l 6010 -vv", sans the -p flag
[4] with client versions 4.6p1-5ubuntu0.1 (Debian package revision 5,
ubuntu revision 0.1) and 4.7p1-2 from Debian
