Analysis of the OpenSSH GSSAPI key exchange patch vulnerability
Jeremy Brown discovered a security flaw (CVE-2026-3497) in the GSSAPI key exchange patch that many distributions carry on top of OpenSSH: a non-terminating error handler lets the server-side KEX code fall through to use of an uninitialized variable, with a risk of heap corruption. Compiler options change the severity; the suggested fix is to replace the wrong call with the one that terminates the process.
2026-03-12 18:19 Author: seclists.org (view original) Reads: 1

oss-sec mailing list archives


From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Thu, 12 Mar 2026 14:03:23 -0400

Hello,

Jeremy Brown discovered a security issue in the GSSAPI Key Exchange patch a lot of distros carry on top of the OpenSSH package.

Unfortunately, there seem to be quite a few different versions of this patch being used, but a lot of them share the same core issue. Different compiler options also result in different outcomes, so the severity of this issue varies.

We have assigned CVE-2026-3497 to this issue.

Attached is the full pdf from the reporter, along with the patch we used in Ubuntu. I suggest reading the full pdf, but I have extracted some of the most important excerpts from it:

"The patch contains a code defect where sshpkt_disconnect() (a non-terminating function that queues a disconnect message and returns) is used where ssh_packet_disconnect() (which terminates the process) was intended. This causes the default: error-handling case in the GSSAPI KEX server loop to fall through into code that reads an uninitialized stack variable (recv_tok), sends its contents to the privileged monitor process via IPC, and then passes it to gss_release_buffer() which may call free() on a garbage pointer."

"Bug: Non-terminating error handler (sshpkt_disconnect) in GSSAPI KEX server code allows fallthrough to uninitialized variable use

- Impact: Pre-auth uninitialized pointer dereference (CWE-824, CWE-908); confirmed heap corruption via free() on uninitialized pointer (SIGABRT on x86_64); privsep boundary violation (up to 127KB of heap data to root monitor via IPC); SIGSEGV (signal 11) and SIGABRT (signal 6) on x86_64 with 90-second SSH lockout; 100% reliable child process crash

- Trigger: Single crafted SSH packet (~300 bytes), no authentication or credentials needed

- Potentially Affected: Ubuntu/Debian OpenSSH servers with GSSAPIKeyExchange yes

- Potential Fix: Replace sshpkt_disconnect() with ssh_packet_disconnect() at the 3 server-side call sites in kexgsss.c"

"The uninitialized recv_tok contains different stack residue depending on compiler, optimization level, and flags."

"Different compilers produce fundamentally different residue. Clang -O0 leaves 0xfffbe600 with length 4. GCC -O2 -fno-stack-protector leaves a valid heap address with length 127344. The 8-build matrix shows that recv_tok.value ranges from NULL to stack addresses to heap addresses to unmapped addresses."


Thanks,

Marc.
--
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/

Attachment: OpenSSH-GSSAPI.pdf
Attachment: ubuntu-fix.patch
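The control-flow defect the report describes, reduced to a runnable C model of one iteration of the server token loop. This is an added example; it is not code from the post, from the reporter's PDF, or from kexgsss.c. The type names, message numbers and helper functions are stand-ins chosen for the demo, and the "uninitialized" token is deliberately poisoned (with the 127344-byte length the report observed under GCC -O2) so that its misuse is observable and deterministic rather than undefined behaviour. Process termination is modelled with longjmp so the buggy and fixed variants can be compared in one program.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the GSSAPI buffer type (assumed layout, not the real header). */
typedef struct { size_t length; void *value; } gss_buffer_desc;

/* Message numbers are assumptions for the demo, not the real KEXGSS values. */
enum { MSG_KEXGSS_INIT = 30, MSG_KEXGSS_CONTINUE = 31 };

typedef struct {
    int type;                   /* incoming packet type */
    const unsigned char *tok;   /* token payload, if any */
    size_t tok_len;
} packet_t;

/* Observable side effects, so the two handlers can be compared. */
typedef struct {
    int disconnect_queued;
    int sent_to_monitor;        /* token was handed to the privileged monitor */
    size_t monitor_len;         /* length that would cross the privsep boundary */
    int released_called;
    void *released;             /* pointer handed to gss_release_buffer() */
} trace_t;

static jmp_buf fatal_jmp;

/* Non-terminating: queues a DISCONNECT and returns to the caller. */
static void sshpkt_disconnect_sim(trace_t *t) { t->disconnect_queued = 1; }

/* Terminating: real sshd exits here; longjmp models that so a test can observe it. */
static void ssh_packet_disconnect_sim(trace_t *t) {
    t->disconnect_queued = 1;
    longjmp(fatal_jmp, 1);
}

static void send_to_monitor_sim(trace_t *t, const gss_buffer_desc *b) {
    t->sent_to_monitor = 1;
    t->monitor_len = b->length;
}

/* The real function would free(b->value); here it only records the pointer. */
static void gss_release_buffer_sim(trace_t *t, gss_buffer_desc *b) {
    t->released_called = 1;
    t->released = b->value;
    b->value = NULL;
    b->length = 0;
}

/* Deterministic stand-in for stack residue: a garbage pointer and the 127344
   length from the report's GCC -O2 build. In kexgsss.c recv_tok is simply
   uninitialized; it is poisoned here so the outcome does not depend on the compiler. */
#define POISON ((void *)(uintptr_t)0xdeadbeefu)

/* One loop iteration. `terminating` selects which disconnect helper the
   default: case calls, i.e. the bug (0) versus the fix (1). */
static void kex_server_step(const packet_t *pkt, int terminating, trace_t *t) {
    gss_buffer_desc recv_tok = { 127344, POISON };
    memset(t, 0, sizeof *t);

    switch (pkt->type) {
    case MSG_KEXGSS_INIT:
    case MSG_KEXGSS_CONTINUE:
        recv_tok.length = pkt->tok_len;
        recv_tok.value = (void *)pkt->tok;
        break;
    default:
        if (terminating)
            ssh_packet_disconnect_sim(t);   /* never returns */
        else
            sshpkt_disconnect_sim(t);       /* returns: execution continues below */
    }
    /* Everything after the switch assumes a valid case filled in recv_tok. */
    send_to_monitor_sim(t, &recv_tok);
    gss_release_buffer_sim(t, &recv_tok);
}

/* Feed an unexpected message type. Returns 1 if the post-switch code never ran
   with the unset token, 0 if the garbage pointer reached gss_release_buffer(). */
static int handles_bad_packet_safely(int terminating, trace_t *t) {
    packet_t bad = { 99, NULL, 0 };             /* constructed: unknown type */
    if (setjmp(fatal_jmp) != 0)
        return 1;                               /* terminating path taken */
    kex_server_step(&bad, terminating, t);
    return t->released == POISON ? 0 : 1;
}

/* Valid token path: both variants must release exactly the received token. */
static int handles_token_packet(trace_t *t) {
    static const unsigned char tok[] = { 0x60, 0x2a, 0x06, 0x09 };  /* constructed */
    packet_t good = { MSG_KEXGSS_INIT, tok, sizeof tok };
    kex_server_step(&good, 1, t);
    return t->released == (void *)tok && t->monitor_len == sizeof tok;
}

int main(void) {
    trace_t t;
    int safe = handles_bad_packet_safely(0, &t);
    printf("bug  : safe=%d monitor_len=%zu released=%p\n", safe, t.monitor_len, t.released);
    safe = handles_bad_packet_safely(1, &t);
    printf("fixed: safe=%d sent_to_monitor=%d released_called=%d\n",
           safe, t.sent_to_monitor, t.released_called);
    return 0;
}
```

In the buggy variant the DISCONNECT is queued but the garbage token still crosses the monitor boundary and reaches the release call, which is exactly the sequence the report describes; with the terminating helper nothing after the switch executes.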


Source: https://seclists.org/oss-sec/2026/q1/299