{"id":"CVE-2016-0778","details":"The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings.","modified":"2026-05-08T12:07:12.764934Z","published":"2016-01-14T22:59:02.280Z","related":["SUSE-SU-2016:0117-1","SUSE-SU-2016:0118-1","SUSE-SU-2016:0119-1","SUSE-SU-2016:0120-1","openSUSE-SU-2024:10174-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpe":"cpe:2.3:a:openbsd:openssh:5.8:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"5.8"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:openbsd:openssh:6.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"6.2"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:openbsd:openssh:7.1:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.1"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:sophos:unified_threat_management_software:9.353:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"9.353"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"10.9.0"},{"last_affected":"10.9.5"},{"introduced":"10.10.0"},{"last_affected":"10.10.5"},{"introduced":"10.11.0"},{"last_affected":"10.11.3"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:hp:virtual_customer_access_system:*:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.07"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"11.3"}]}]},"references":[{"type":"WEB","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"},{"type":"ADVISORY","url":"http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10734"},{"type":"ADVISORY","url":"http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html"},{"type":"ADVISORY","url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176516.html"},{"type":"ADVISORY","url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176349.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00006.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00007.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00008.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00009.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00013.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00014.html"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/135273/Qualys-Security-Advisory-OpenSSH-Overflow-Leak.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2016/Jan/44"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3446"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/archive/1/537295/100/0/threaded"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/80698"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1034671"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-2869-1"},{"type":"ADVISORY","url":"https://blogs.sophos.com/2016/02/17/utm-up2date-9-354-released/"},{"type":"ADVISORY","url":"https://blogs.sophos.com/2016/02/29/utm-up2date-9-319-released/"},{"type":"ADVISORY","url":"https://bto.bluecoat.com/security-advisory/sa109"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05247375"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05356388"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201601-01"},{"type":"ADVISORY","url":"https://support.apple.com/HT206167"},{"type":"FIX","url":"http://www.openssh.com/txt/release-7.1p2"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2016/01/14/7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssh/openssh-portable","events":[{"introduced":"0"},{"last_affected":"d13d995a202c562c80d7e7a11c43504c505481d1"},{"last_affected":"627337d95bee7dd8d4690238a35fffd35072d1fa"},{"last_affected":"4b8ebe7e3647d3078fd4d025f4325b8cc1ac20d6"},{"last_affected":"6f8f04b860765da07938bfe1fef017b00c3a3d55"},{"last_affected":"8c0fe794fcc0f47ff728101568da865ab387dc6d"},{"last_affected":"5643cf0fc4d71e783c6aef2574684f07d21945ab"},{"last_affected":"d5dacb43fa30c2f6d7eebbd4c5fcf906c3b5d5d8"},{"last_affected":"4eb0a532efe679917e07655721145c6882bdb4c7"},{"last_affected":"eed8dc261018aea4d6b8606ca3addc9f8cf9ed1e"},{"last_affected":"b396fa313014ca06e7e694ab01b7c36cba660b0a"},{"last_affected":"4425e64da7dee0b3e81f1ae301f56fa3a83fe221"},{"last_affected":"e01f4f6bfd6f5a47f810fd3522a151d59815402b"},{"last_affected":"cdb6c90811caa5df2df856be9b0b16db020fe31d"},{"last_affected":"19158b2447e35838d69b2b735fb640d1e86061ea"},{"last_affected":"28453d58058a4d60c3ebe7d7f0c31a510cbf6158"},{"last_affected":"9f82e5a9042f2d872e98f48a876fcab3e25dd9bb"},{"last_affected":"7de4b03a6e4071d454b72927ffaf52949fa34545"},{"last_affected":"1dc8d93ce69d6565747eb44446ed117187621b26"},{"last_affected":"e91346dc2bbf460246df2ab591b7613908c1b0ad"}],"database_specific":{"source":"CPE_FIELD","cpe":["cpe:2.3:a:openbsd:openssh:5.4:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:5.4:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:5.5:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:5.5:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:5.6:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:5.6:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:5.7:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:5.7:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:5.8:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:5.9:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:5.9:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.0:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.0:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.1:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.1:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.2:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.2:p2:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.3:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.3:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.4:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.4:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.5:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.5:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.6:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.6:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.7:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.7:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.8:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.8:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.9:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:6.9:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:7.0:*:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:7.0:p1:*:*:*:*:*:*","cpe:2.3:a:openbsd:openssh:7.1:p1:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"5.4"},{"last_affected":"5.4-p1"},{"last_affected":"5.5"},{"last_affected":"5.5-p1"},{"last_affected":"5.6"},{"last_affected":"5.6-p1"},{"last_affected":"5.7"},{"last_affected":"5.7-p1"},{"last_affected":"5.8-p1"},{"last_affected":"5.9"},{"last_affected":"5.9-p1"},{"last_affected":"6.0"},{"last_affected":"6.0-p1"},{"last_affected":"6.1"},{"last_affected":"6.1-p1"},{"last_affected":"6.2-p1"},{"last_affected":"6.2-p2"},{"last_affected":"6.3"},{"last_affected":"6.3-p1"},{"last_affected":"6.4"},{"last_affected":"6.4-p1"},{"last_affected":"6.5"},{"last_affected":"6.5-p1"},{"last_affected":"6.6"},{"last_affected":"6.6-p1"},{"last_affected":"6.7"},{"last_affected":"6.7-p1"},{"last_affected":"6.8"},{"last_affected":"6.8-p1"},{"last_affected":"6.9"},{"last_affected":"6.9-p1"},{"last_affected":"7.0"},{"last_affected":"7.0-p1"},{"last_affected":"7.1-p1"}]}}],"versions":["ABOUT_TO_ADD_INET_ATON","AFTER_FREEBSD_PAM_MERGE","AFTER_KRB5_GSSAPI_MERGE","BEFORE_FREEBSD_PAM_MERGE","BEFORE_KRB5_GSSAPI_MERGE","POST_KRB4_REMOVAL","PRE-REORDER","PRE_CYGWIN_MERGE","PRE_DAN_PATCH_MERGE","PRE_FIXPATHS_INTEGRATION","PRE_HPUX_INTEGRATION","PRE_IPV6","PRE_KRB4_REMOVAL","PRE_NEW_LOGIN_CODE","PRE_SW_KRBV","V_1_2PRE17","V_1_2_1_PRE18","V_1_2_1_PRE19","V_1_2_1_PRE20","V_1_2_1_PRE21","V_1_2_1_PRE22","V_1_2_1_PRE23","V_1_2_1_PRE24","V_1_2_1_PRE25","V_1_2_1_PRE26","V_1_2_1_PRE27","V_1_2_2","V_1_2_2_P1","V_1_2_2_PRE28","V_1_2_2_PRE29","V_1_2_3","V_1_2_3_PRE1","V_1_2_3_PRE2","V_1_2_3_PRE3","V_1_2_3_PRE4","V_1_2_3_PRE5","V_1_2_3_TEST1","V_1_2_3_TEST2","V_1_2_3_TEST3","V_1_2_PRE10","V_1_2_PRE11","V_1_2_PRE12","V_1_2_PRE13","V_1_2_PRE14","V_1_2_PRE15","V_1_2_PRE16","V_1_2_PRE4","V_1_2_PRE5","V_1_2_PRE6","V_1_2_PRE7","V_1_2_PRE8","V_1_2_PRE9","V_2_0_0_BETA1","V_2_0_0_BETA2","V_2_0_0_TEST1","V_2_1_0","V_2_1_0_P1","V_2_1_0_P2","V_2_1_0_P3","V_2_1_1_P1","V_2_1_1_P2","V_2_1_1_P3","V_2_1_1_P4","V_2_2_0_P1","V_2_3_0_P1","V_2_5_0_P1","V_2_5_1_P1","V_2_5_1_P2","V_2_5_2_P1","V_3_0_1_P1","V_3_0_P1","V_3_1_P1","V_3_2_2_P1","V_3_4_P1","V_3_6_1_P1","V_3_8_P1","V_3_9_P1","V_4_2_P1","V_5_0_P1","V_5_1_P1","V_5_2_P1","V_5_4_P1","V_5_5_P1","V_5_6_P1","V_5_7_P1","V_5_8_P1","V_5_9_P1","V_6_0_P1","V_6_1_P1","V_6_2_P1","V_6_2_P2","V_6_3_P1","V_6_4_P1","V_6_5_P1","V_6_6_P1","V_6_7_P1","V_6_8_P1","V_6_9_P1","V_7_0_P1","V_7_1_P1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-0778.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}