CVE-2016-10011

authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.

References

Affected packages

Git / github.com/openbsd/src

Affected ranges

Type: GIT
Repo: https://github.com/openbsd/src
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ac8147a06ed2e2403fb6b9a0c03e618a9333c0e9

Type

GIT

Repo

https://github.com/openssh/openssh-portable

Events

Introduced

Last affected

99522ba7ec6963a05c04a156bf20e3ba3605987c

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.3"
        }
    ]
}

Affected versions

Other

ABOUT_TO_ADD_INET_ATON

AFTER_FREEBSD_PAM_MERGE

AFTER_KRB5_GSSAPI_MERGE

BEFORE_FREEBSD_PAM_MERGE

BEFORE_KRB5_GSSAPI_MERGE

POST_KRB4_REMOVAL

PRE-REORDER

PRE_CYGWIN_MERGE

PRE_DAN_PATCH_MERGE

PRE_FIXPATHS_INTEGRATION

PRE_HPUX_INTEGRATION

PRE_IPV6

PRE_KRB4_REMOVAL

PRE_NEW_LOGIN_CODE

PRE_SW_KRBV

V_1_2PRE17

V_1_2_1_PRE18

V_1_2_1_PRE19

V_1_2_1_PRE20

V_1_2_1_PRE21

V_1_2_1_PRE22

V_1_2_1_PRE23

V_1_2_1_PRE24

V_1_2_1_PRE25

V_1_2_1_PRE26

V_1_2_1_PRE27

V_1_2_2

V_1_2_2_P1

V_1_2_2_PRE28

V_1_2_2_PRE29

V_1_2_3

V_1_2_3_PRE1

V_1_2_3_PRE2

V_1_2_3_PRE3

V_1_2_3_PRE4

V_1_2_3_PRE5

V_1_2_3_TEST1

V_1_2_3_TEST2

V_1_2_3_TEST3

V_1_2_PRE10

V_1_2_PRE11

V_1_2_PRE12

V_1_2_PRE13

V_1_2_PRE14

V_1_2_PRE15

V_1_2_PRE16

V_1_2_PRE4

V_1_2_PRE5

V_1_2_PRE6

V_1_2_PRE7

V_1_2_PRE8

V_1_2_PRE9

V_2_0_0_BETA1

V_2_0_0_BETA2

V_2_0_0_TEST1

V_2_1_0

V_2_1_0_P1

V_2_1_0_P2

V_2_1_0_P3

V_2_1_1_P1

V_2_1_1_P2

V_2_1_1_P3

V_2_1_1_P4

V_2_2_0_P1

V_2_3_0_P1

V_2_5_0_P1

V_2_5_1_P1

V_2_5_1_P2

V_2_5_2_P1

V_3_0_1_P1

V_3_0_P1

V_3_1_P1

V_3_2_2_P1

V_3_4_P1

V_3_6_1_P1

V_3_8_P1

V_3_9_P1

V_4_2_P1

V_5_0_P1

V_5_1_P1

V_5_2_P1

V_5_5_P1

V_5_7_P1

V_6_0_P1

V_6_1_P1

V_6_2_P1

V_6_5_P1

V_6_6_P1

V_6_8_P1

V_6_9_P1

V_7_0_P1

V_7_1_P1

V_7_2_P1

V_7_3_P1

Database specific

vanir_signatures

[
    {
        "id": "CVE-2016-10011-0f8d3ee9",
        "signature_type": "Line",
        "target": {
            "file": "usr.bin/ssh/authfile.c"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "75525643093109034731553590261460840776",
                "318455587152355419279819460226454456672",
                "50390910067941858906014107870040528870",
                "139459360037284384696710180020572442073",
                "205445149505529878645094192427186871953",
                "96170179190694496588613694385243789956",
                "194186241473440258314860828432865186262",
                "32910386434020412082145462822199810540",
                "179250248721199213409874908512478678912",
                "292351879166569457427476217505415422074"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/openbsd/src/commit/ac8147a06ed2e2403fb6b9a0c03e618a9333c0e9"
    },
    {
        "id": "CVE-2016-10011-c83da3a4",
        "signature_type": "Function",
        "target": {
            "file": "usr.bin/ssh/authfile.c",
            "function": "sshkey_load_file"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "131967150470127632179863844496832158061",
            "length": 886.0
        },
        "signature_version": "v1",
        "source": "https://github.com/openbsd/src/commit/ac8147a06ed2e2403fb6b9a0c03e618a9333c0e9"
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10011.json"