On 2016-01-29 20:27:43, Colin Watson wrote:
> On Fri, Jan 29, 2016 at 04:36:58PM -0500, Antoine Beaupré wrote:
>> So this definitely needs coordination with the openssh maintainers at
>> this point, to at least confirm or infirm the "usability over security"
>> decision that happened all that while ago.
>
> I did that recently, and came to the conclusion that the upstream
> default isn't just unusable, it's laughably unusable:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765632#41
>
> debian-devel wasn't unanimous, but those people who responded from
> desktop development communities (Josselin) indicated that there was
> negligible interest in doing anything about this. So no, unless the
> latter state of affairs changes I am not going to change this. Sorry.

Right, so I understand that.

> A different solution must be found.

The problem is, from what I understand, there is no way to fix CVE-2016-1908 while ForwardX11Trusted is set to "yes". Basically, that setting makes the whole exploit unnecessary because there's no protection to work around.

I am therefore tempted to agree with Guido that we should just mark this as no-dsa and move on, because, unless users have explicitly disabled ForwardX11Trusted, it's impossible for us to fix that security issue for them.

Any other ideas?

a.

--
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it.
                        - Brian W. Kernighan
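An added example, not code from this thread or from OpenSSH: a small shell check that reports which ForwardX11Trusted value a given host actually ends up with from an ssh_config-style text. ssh keeps the first value it obtains for a keyword, so a distribution-wide "yes" under `Host *` placed above a host-specific "no" silently wins; the sample config and host names below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): compute the effective
# ForwardX11Trusted value for a host from ssh_config-style text, applying
# ssh_config's rule that the FIRST obtained value for a keyword wins.
# Handles global lines and "Host" blocks with * and ? globs only; "Match"
# blocks, negated patterns and the "Keyword=value" form are not parsed.

# Constructed sample modelled on a Debian-style ssh_config: "Host *" carries
# the trusted-by-default setting the thread discusses; one host opts out.
SAMPLE_CONFIG='
Host bastion.example.org
    # untrusted forwarding for this host: the X11 SECURITY extension applies
    ForwardX11Trusted no

Host *
    # the Debian default discussed in the thread
    ForwardX11Trusted yes
'

# Usage: effective_x11trusted HOSTNAME CONFIG_TEXT   -> prints "yes" or "no".
# If the keyword never appears, "no" (the upstream OpenSSH default) is printed.
effective_x11trusted() {
    printf '%s\n' "$2" | awk -v host="$1" '
        function glob_match(pat, s,   re) {
            re = pat                          # ssh_config glob -> awk regex
            gsub(/[.]/, "[.]", re)
            gsub(/\*/, ".*", re)
            gsub(/\?/, ".", re)
            return s ~ ("^" re "$")
        }
        BEGIN { active = 1; found = "" }      # lines before any Host block are global
        { sub(/#.*/, "") }                    # strip comments, $0 is re-split
        NF == 0 { next }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if (glob_match($i, host)) active = 1
            next
        }
        active && found == "" && tolower($1) == "forwardx11trusted" { found = tolower($2) }
        END { if (found == "") found = "no"; print found }'
}

for h in bastion.example.org devbox.example.org; do
    printf '%-24s ForwardX11Trusted=%s\n' "$h" "$(effective_x11trusted "$h" "$SAMPLE_CONFIG")"
done
```

Swapping the two blocks in SAMPLE_CONFIG makes the bastion report "yes" as well, which is exactly the case where the untrusted-forwarding protection the CVE concerns is never in effect.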