Document OpenSSH 7.2p2 fix for X11Forwarding command injection

1 files changed, 41 insertions, 0 deletions

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 286fc735c0ab..9f9e24e672ac 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,47 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="e4644df8-e7da-11e5-829d-c80aa9043978">
+    <topic>openssh -- command injection when X11Forwarding is enabled</topic>
+    <affects>
+      <package>
+	<name>openssh-portable</name>
+	<range><lt>7.2.p2,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The OpenSSH project reports:</p>
+	<blockquote cite="http://www.openssh.com/txt/x11fwd.adv">
+	  <p>Missing sanitisation of untrusted input allows an
+	    authenticated user who is able to request X11 forwarding
+	    to inject commands to xauth(1).
+	  </p>
+	  <p>Injection of xauth commands grants the ability to read
+	    arbitrary files under the authenticated user's privilege,
+	    Other xauth commands allow limited information leakage,
+	    file overwrite, port probing and generally expose xauth(1),
+	    which was not written with a hostile user in mind, as an
+	    attack surface.
+	  </p>
+	  <p>Mitigation:</p>
+	  <p>Set X11Forwarding=no in sshd_config. This is the default.</p>
+	  <p>For authorized_keys that specify a "command" restriction,
+	    also set the "restrict" (available in OpenSSH &gt;=7.2) or
+	    "no-x11-forwarding" restrictions.
+	  </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.openssh.com/txt/x11fwd.adv</url>
+    </references>
+    <dates>
+      <discovery>2016-03-11</discovery>
+      <entry>2016-03-11</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="70c44cd0-e717-11e5-85be-14dae9d210b8">
     <topic>quagga -- stack based buffer overflow vulnerability</topic>
     <affects>