|
|
BugTraq
Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) Apr 30 2003 03:39AM Damien Miller (djm mindrot org) (2 replies) Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) Apr 30 2003 06:09PM Valdis Kletnieks vt edu (3 replies) Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) May 01 2003 11:25AM Dan Harkless (bugtraq harkless org) Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) May 01 2003 01:48AM Darren Tucker (dtucker zip com au) Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) Apr 30 2003 08:29AM Darren Tucker (dtucker zip com au) |
|
Privacy Statement |
> On Wed, 30 Apr 2003 13:39:49 +1000, Damien Miller <djm (at) mindrot (dot) org [email concealed]> said:
>
>>1. Systems affected:
>>
>> Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
>> if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).
>
>
> This is the same problem as I spotted in Sendmail 8.10. Basically,
> somewhere, linking is being done with "-L. -lfoo" or similar (in sendmail's
> case, it was -L../otherdir type stuff).
>
> Workaround/fix: Link with "-bnolibpath -blibpath:/usr/local/lib:/usr/lib"
> or similar.
This is what we have done for a long time, but those options only work
when using xlc as the linker, with gcc you need to specify different
options.
3.6.1p2 specifies these options correctly, but it illustrates the deeper
problem: the default is insecure and you need to add workarounds for
each additional interface to the linker.
I wouldn't be suprised if this affected binaries built with libtool or
other wrappers, though I haven't checked (we don't use them).
-d
[ reply ]