
updates
All my running boxes have just been updated. A few sleeping boxes yet to do.
The treadmill continues...
Researchers can disclose two brand-new vulnerabilities in OpenSSH now that patches have been released. Qualys discovered the bugs in January, per its disclosure timeline. These vulnerabilities allow miscreants to perform machine-in-the-middle (MitM) attacks on the OpenSSH client and pre-authentication denial-of-service (DoS) …
Careful examination of the copious small print reveals that the free T-shirt is, in fact, the only benefit of the Treadmill Pro Silver Subscription when compared with the basic version and that there is a minimum contract period of 5 years...
(Oh, crap! I should have posted this anonymously! Their lawyers will be all over me - I had to sign an NDA before I could view the T&Cs of the contract!)
> Memory based bug or not?
The explanation referenced by TFA shows that the answer to your question is:
NOT!
(Well, assuming by "Memory based bug" you meant buffer overflow or the like, as is all the rage at the moment; the problem is in the logic of setting variables that are used as success/failure return values, and as those variables are, indeed, in memory (in fact, on the stack!) then you could push the definition to breaking point and say "the error occurs in setting a value in memory"!)
Good read, thanks! So one of the bugs is that `verify_host_key` returns a non-zero number to indicate an error, but `verify_host_key_callback`, which calls `verify_host_key`, only checks for errors equal to -1, meaning that errors with values >0 are ignored.
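The return-value mismatch described in the comment above, as an added illustration (my own code, not OpenSSH's; the status codes, function names and sample table are constructed): a caller that tests only for -1 beside one that treats any non-zero result as failure.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed status codes for this illustration (not OpenSSH's own):
 * 0 is success, -1 the generic "rejected" error, and the positive values
 * stand in for other failure codes that a lower layer might pass back. */
#define HK_OK              0
#define HK_REJECTED       -1
#define HK_BAD_SIGTYPE    11
#define HK_BAD_CERT       22

/* Stand-in for the real verification routine: it simply reports the
 * outcome it was told to simulate, using the codes above. */
static int verify_host_key_sim(int outcome) {
    return outcome;
}

/* Flawed caller: only -1 counts as failure, so a positive error code is
 * accepted as if the host key had verified cleanly. */
static bool accept_key_flawed(int outcome) {
    if (verify_host_key_sim(outcome) == -1)
        return false;       /* the real client would abort here */
    return true;
}

/* Corrected caller: any non-zero result is a failure. */
static bool accept_key_fixed(int outcome) {
    return verify_host_key_sim(outcome) == 0;
}

/* Counts how many non-success codes from a table a given checker
 * wrongly accepts; a correct checker must return 0. */
static int count_misaccepted(bool (*check)(int), const int *codes, int n) {
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (codes[i] != HK_OK && check(codes[i]))
            bad++;
    return bad;
}

static const int sample_codes[] = { HK_OK, HK_REJECTED, HK_BAD_SIGTYPE, HK_BAD_CERT };
#define N_CODES ((int)(sizeof sample_codes / sizeof sample_codes[0]))

int main(void) {
    printf("flawed check mis-accepts %d code(s)\n",
           count_misaccepted(accept_key_flawed, sample_codes, N_CODES));
    printf("fixed check mis-accepts  %d code(s)\n",
           count_misaccepted(accept_key_fixed, sample_codes, N_CODES));
    return 0;
}
```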
Two things I learned from the recent comments on the reg article on RUST, Torvalds, and Hector Martin - After clash over Rust in Linux, now Asahi lead quits distro, slams Linus' kernel leadership
- one reason for rejecting C++ in the linux kernel was that C++ makes extensive use of exceptions to indicate errors. My POV wrt this bug: While exceptions certainly carry some risks, it is also true that exceptions would have avoided this particular bug, just because exceptions are so explicit and simple and all errors can be handled at a single point, instead of having to possibly go through several levels of return value transformations that don't offer extra value.
- the advantage of not having to define strict internal interfaces because it allows more flexibility and speeds up development. My POV wrt this bug: Well, I probably don't need to say any more about how that failed here.
They aren't that important that you need to "get moving" all that quickly. When you need to drop everything and patch is when there's a remote exploit. A client-only MITM attack (one that's quite difficult to make happen without the hacker having access to the client) and a simple DoS (which are basically impossible to really protect yourself from) don't rate very high on the "hair on fire" scale.