|
|
BugTraq
Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) Apr 30 2003 03:39AM Damien Miller (djm mindrot org) (2 replies) Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) Apr 30 2003 06:09PM Valdis Kletnieks vt edu (3 replies) Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) May 01 2003 01:48AM Darren Tucker (dtucker zip com au) Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) Apr 30 2003 11:26PM Damien Miller (djm mindrot org) Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) Apr 30 2003 08:29AM Darren Tucker (dtucker zip com au) |
|
Privacy Statement |
Valdis.Kletnieks (at) vt (dot) edu [email concealed] writes:
> On Wed, 30 Apr 2003 13:39:49 +1000, Damien Miller <djm (at) mindrot (dot) org [email concealed]> said:
> > 1. Systems affected:
> >
> > Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
> > if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).
>
> This is the same problem as I spotted in Sendmail 8.10.
Yeah, referring to my Bugtraq archives, I see you spotted that way back in
March 2000. Damien writes in his advisory:
We consider this a serious flaw in IBM's linker, and urge
them to fix it immediately. IBM, are you listening?
but if they haven't fixed it in the past 3 years, I don't think we should
hold our breaths for an immediate fix. Guess it's a case of "that's not a
bug, it's a feature", only in this case it's "that's not a _security_hole_,
it's a feature".
> Basically, somewhere, linking is being done with "-L. -lfoo" or similar
> (in sendmail's case, it was -L../otherdir type stuff).
Right, Damien states in his advisory:
The default behavior of the runtime linker on AIX is to search
the current directory for dynamic libraries before searching
system paths.
but it's my understanding (don't currently have access to an AIX system to
double-check) that this is not default loader behavior, but rather occurs if
"-L." was specified when linking (not that that makes this much less of a
concern).
> Workaround/fix: Link with "-bnolibpath -blibpath:/usr/local/lib:/usr/lib"
> or similar.
On the other topic addressed by OpenSSH 3.6.1p2, the valid account
identification timing leak, I find it a bit disturbing that the 3.6.1p2
announcement said just:
Changes since OpenSSH 3.6.1p1:
============================
* Security: corrected linking problem on AIX/gcc. AIX users are
advised to upgrade immediately. For details, please refer to
separate advisory (aixgcc.adv).
* Corrected build problems on Irix
* Corrected build problem when building with AFS support
* Merged some changes from Openwall Linux
without mentioning what the Openwall changes were for and without a
"Security: " on that line.
Anyone subscribing to openssh-unix-announce but not Bugtraq would think
there was no need to upgrade to 3.6.1p2 if they weren't using AIX.
--
Dan Harkless
bugtraq (at) harkless (dot) org [email concealed]
http://harkless.org/dan/
[ reply ]