(no title)

With a heap corruption as a primitive, two FILE structures malloc()ated in the heap, and 21 fixed bits in the glibc's addresses, we believe that this signal handler race condition is exploitable on amd64 (probably not in ~6-8 hours, but hopefully in less than a week). Only time will tell.

It is a race condition in a signal handler. The behaviour depends on the implementation of various standard library functions on the target system (syslog, malloc). This may very well be exploitable on other architectures (and systems). Apparently it is non-trivial to trigger. But it is possibly remote code execution with root permissions. Definetely nobody wants this in sshd.