lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 01 May 2003 04:25:07 -0700
From: Dan Harkless <bugtraq@...kless.org>
To: bugtraq@...urityfocus.com
Subject: Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)



Valdis.Kletnieks@...edu writes:
> On Wed, 30 Apr 2003 13:39:49 +1000, Damien Miller <djm@...drot.org>  said:
> > 1. Systems affected:
> > 
> > 	Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected 
> > 	if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).
> 
> This is the same problem as I spotted in Sendmail 8.10.  

Yeah, referring to my Bugtraq archives, I see you spotted that way back in
March 2000.  Damien writes in his advisory:

    We consider this a serious flaw in IBM's linker, and urge
    them to fix it immediately.  IBM, are you listening?

but if they haven't fixed it in the past 3 years, I don't think we should
hold our breaths for an immediate fix.  Guess it's a case of "that's not a
bug, it's a feature", only in this case it's "that's not a _security_hole_,
it's a feature".

> Basically, somewhere, linking is being done with "-L. -lfoo" or similar
> (in sendmail's case, it was -L../otherdir type stuff).

Right, Damien states in his advisory:

    The default behavior of the runtime linker on AIX is to search
    the current directory for dynamic libraries before searching
    system paths. 

but it's my understanding (don't currently have access to an AIX system to
double-check) that this is not default loader behavior, but rather occurs if
"-L." was specified when linking (not that that makes this much less of a
concern).

> Workaround/fix:  Link with "-bnolibpath -blibpath:/usr/local/lib:/usr/lib"
> or similar.

On the other topic addressed by OpenSSH 3.6.1p2, the valid account
identification timing leak, I find it a bit disturbing that the 3.6.1p2
announcement said just:

    Changes since OpenSSH 3.6.1p1:
    ============================

    * Security: corrected linking problem on AIX/gcc. AIX users are
      advised to upgrade immediately. For details, please refer to
      separate advisory (aixgcc.adv).

    * Corrected build problems on Irix

    * Corrected build problem when building with AFS support

    * Merged some changes from Openwall Linux

without mentioning what the Openwall changes were for and without a
"Security: " on that line.

Anyone subscribing to openssh-unix-announce but not Bugtraq would think
there was no need to upgrade to 3.6.1p2 if they weren't using AIX.

--
Dan Harkless
bugtraq@...kless.org
http://harkless.org/dan/


Powered by blists - more mailing lists