From http://www.openssh.com/txt/gcmrekey.adv

A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange. If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.

Affected: OpenSSH 6.2 and 6.3 built against OpenSSL supporting AES-GCM are affected.
Fixed: OpenSSH 6.4
Mitigation: Disable AES-GCM in the server configuration.
Fixed in openssh-6.3_p1-r1.

Adding 6.4 will probably have to wait for a new X509 patch.
(In reply to Tim Harder from comment #1)
> Fixed in openssh-6.3_p1-r1.
>
> Adding 6.4 will probably have to wait for a new X509 patch.

Please remove the affected versions.
What about a fix for OpenSSH 6.2?
*** Bug 490752 has been marked as a duplicate of this bug. ***
(In reply to Fabian Henze from comment #3)
> What about a fix for OpenSSH 6.2?

Done in -r5.
(In reply to Tim Harder from comment #1)
> Adding 6.4 will probably have to wait for a new X509 patch.

Looks to me like the only changes are s/xmalloc/xcalloc/g:

http://data.zx2c4.com/openssh-6.3-6.4.diff
(In reply to Jason A. Donenfeld from comment #6)
> (In reply to Tim Harder from comment #1)
> > Adding 6.4 will probably have to wait for a new X509 patch.
>
> Looks to me like the only changes are s/xmalloc/xcalloc/g:
>
> http://data.zx2c4.com/openssh-6.3-6.4.diff

Which is why I'm not in a rush to bump 6.4, I thought that implication was obvious. :)
CVE-2013-4548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4548): The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6.3, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address.
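The advisory quoted in comment 1 gives one mitigation, disabling AES-GCM in the server configuration; the following added example (not code from this bug, from Gentoo or from OpenSSH) strips the two GCM cipher names from an sshd_config and adds a first-pass banner check for the upstream versions named in the CVE text above. The sshd_config fragment and the fallback cipher list are constructed for the example, and the banner check knowingly cannot see distro backports such as the openssh-6.3_p1-r1 fix discussed in this thread.

```python
import re

# The two ciphers the advisory names as triggering the bug.
GCM_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}

# Constructed for this example: used when a config has no Ciphers directive
# (so the built-in default would apply) or when stripping leaves nothing.
FALLBACK_CIPHERS = "aes128-ctr,aes192-ctr,aes256-ctr"

# Constructed sshd_config fragment; ForceCommand is what CVE-2013-4548 bypasses.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment for this example
Port 22
Ciphers aes128-ctr,aes128-gcm@openssh.com,aes256-ctr,aes256-gcm@openssh.com
ForceCommand /usr/local/bin/restricted-shell
"""

def harden_ciphers(config_text):
    """Return (new_config, removed_ciphers) with the AES-GCM ciphers removed
    from every Ciphers directive. If the config has no Ciphers directive at
    all, an explicit one is appended so the server default is not relied on."""
    out, removed, seen = [], [], False
    for line in config_text.splitlines():
        # sshd_config keywords are case-insensitive; '#'-commented lines do not match.
        m = re.match(r"^(\s*)(Ciphers)(\s+)(\S+)(.*)$", line, re.IGNORECASE)
        if not m:
            out.append(line)
            continue
        seen = True
        listed = m.group(4).split(",")
        kept = [c for c in listed if c not in GCM_CIPHERS]
        removed.extend(c for c in listed if c in GCM_CIPHERS)
        if not kept:
            kept = FALLBACK_CIPHERS.split(",")
        out.append(f"{m.group(1)}{m.group(2)}{m.group(3)}{','.join(kept)}{m.group(5)}")
    if not seen:
        out.append("Ciphers " + FALLBACK_CIPHERS)
    return "\n".join(out) + "\n", removed

def is_affected_upstream(banner):
    """True if an SSH version banner names an unpatched upstream release (6.2 or
    6.3), False for other OpenSSH versions, None if the banner is not OpenSSH.
    Distro builds (e.g. openssh-6.3_p1-r1 here) carry the fix without a version
    bump, so treat this as a hint to go check the package, not a verdict."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))) in {(6, 2), (6, 3)}

if __name__ == "__main__":
    hardened, removed = harden_ciphers(SAMPLE_CONFIG)
    print("removed:", removed)
    print(hardened)
```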