| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 01 May 2003 09:26:44 +1000 From: Damien Miller <djm@...drot.org> To: Valdis.Kletnieks@...edu, bugtraq@...urityfocus.com Subject: Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) Valdis.Kletnieks@...edu wrote: > On Wed, 30 Apr 2003 13:39:49 +1000, Damien Miller <djm@...drot.org> said: > >>1. Systems affected: >> >> Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected >> if OpenSSH was compiled using a non-AIX compiler (e.g. gcc). > > > This is the same problem as I spotted in Sendmail 8.10. Basically, > somewhere, linking is being done with "-L. -lfoo" or similar (in sendmail's > case, it was -L../otherdir type stuff). > > Workaround/fix: Link with "-bnolibpath -blibpath:/usr/local/lib:/usr/lib" > or similar. This is what we have done for a long time, but those options only work when using xlc as the linker, with gcc you need to specify different options. 3.6.1p2 specifies these options correctly, but it illustrates the deeper problem: the default is insecure and you need to add workarounds for each additional interface to the linker. I wouldn't be suprised if this affected binaries built with libtool or other wrappers, though I haven't checked (we don't use them). -d
Powered by blists - more mailing lists