from Hacker News

CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child

by andreyv on 7/9/24, 2:51 PM with 56 comments

  • by stncls on 7/9/24, 3:28 PM

    No vulnerability name, no website, concise description, neutral tone, precise list of affected distros (RHEL + derivatives and some EOL Fedoras) and even mention of unaffected distros (current Fedoras), plain admission that no attempt was made to exploit. What a breath of fresh air!

    (I am only joking of course. As a recovering academic, I understand that researchers need recognition, and I have no right to throw stones -- glass houses and all. Also, this one is really like regreSSHion's little sibling. Still, easily finding the information I needed made me happy.)

  • by hannob on 7/9/24, 2:57 PM

    For clarification, the bug is in a patch applied by Red Hat, not in OpenSSH itself.
  • by londons_explore on 7/9/24, 2:59 PM

    Couldn't this entire class of bug be solved by annotating signal handlers in the source code and checking at compile time that anything called from a signal handler is async-signal-safe?
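    Added example (not code from the thread, from OpenSSH or from any distribution patch) showing the two shapes a grace-timeout SIGALRM handler can take: the unsafe one does logging, free() and exit() inside signal context, which is the class of bug the comment above wants the compiler to reject; the safe one only sets a volatile sig_atomic_t and leaves all teardown to the main loop, where any libc call is allowed. The names grace_alarm_unsafe, grace_alarm_safe, pending_alarm and run_grace_period are this example's own, and raise() stands in for a real alarm(LoginGraceTime) expiring.

```c
/* Added example: unsafe vs. safe SIGALRM handler. Not project code. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Per-connection state that both variants want to release on timeout. */
static char *session_buf;

/* UNSAFE variant: never installed below, shown only for contrast.
 * If SIGALRM lands while the main thread is inside malloc()/free() or
 * syslog(), re-entering them here corrupts allocator or logging state.
 * None of these three calls is on the POSIX async-signal-safe list
 * (exit() runs atexit handlers; only _exit() is safe). */
void grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "grace timeout, exiting"); /* not async-signal-safe */
    free(session_buf);                           /* not async-signal-safe */
    exit(255);                                   /* not async-signal-safe */
}

/* SAFE variant: the handler records the event and returns. Writing a
 * volatile sig_atomic_t is one of the few things a handler may do. */
static volatile sig_atomic_t pending_alarm = 0;

static void grace_alarm_safe(int sig)
{
    (void)sig;
    pending_alarm = 1;
}

/* Install the safe handler, deliver SIGALRM to ourselves (raise() stands
 * in for alarm(LoginGraceTime) expiring), then do the real teardown from
 * ordinary context. Returns 1 if the deferred cleanup ran, 0 if the flag
 * was never set, -1 on setup failure. */
int run_grace_period(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_safe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;

    session_buf = malloc(64);               /* constructed per-session state */
    if (!session_buf)
        return -1;
    strcpy(session_buf, "session state");

    pending_alarm = 0;
    raise(SIGALRM);   /* handler runs synchronously before raise() returns */

    /* Main loop: the flag is checked at a point where no libc call is in
     * progress, so freeing, logging and exiting here are all legal. */
    if (pending_alarm) {
        free(session_buf);
        session_buf = NULL;
        return 1;
    }
    return 0;
}

int main(void)
{
    int ran = run_grace_period();
    printf("deferred cleanup ran: %d\n", ran);
    return ran == 1 ? 0 : 1;
}
```

The safe shape is what makes a compile-time rule expressible at all: once handlers are reduced to flag-setting (or a write() to a self-pipe), the set of functions they may call is small and fixed, and a build can enforce it, for instance by keeping handlers in their own translation unit and using `#pragma GCC poison` on names like malloc, free, syslog and exit there, which both GCC and Clang turn into hard errors.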
  • by qalmakka on 7/9/24, 3:14 PM

    This is why I've always disliked Debian and Red Hat.

    1. I hate the fact they have the hubris to think they can be smarter than the upstream developers and patch old versions

    2. I hate the fact they don't ship vanilla packages, but instead insist on patching things for features that nobody relies on anyway, __because they're not upstream__.

    Maintainers should stick to downloading tarballs, building them and updating them promptly when a new version is out. If there's no LTS available, pay upstream and get an LTS; don't take a random version and patch it forever just to keep the same version numbers. It's nonsensical, and it was only a matter of time before people tried to exploit it. Just look at the XZ backdoor for instance, which relied on Red Hat and Debian deploying a patched libsystemd.

  • by candiddevmike on 7/9/24, 3:00 PM

    The risk you take when you use a distribution that modifies upstream. Debian has had similar issues in the past (maybe not CVEs, but certainly packager-created bugs).
  • by ta988 on 7/9/24, 2:57 PM

    My understanding here is that it only impacts Red Hat (and maybe derivatives)?
  • by password4321 on 7/9/24, 6:01 PM

    Is this in any way related to CVE-2024-6387 "regreSSHion" discussed last week?

    https://news.ycombinator.com/item?id=40843778

    Edit: Ok it seems very closely related; I was just surprised no one had linked the previous discussion.

  • by crest on 7/9/24, 3:02 PM

    It's almost as if you should understand security critical C code before you start patching it to death.