[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200305011125.h41BP8Mb031616@www.harkless.org>
Date: Thu, 01 May 2003 04:25:07 -0700
From: Dan Harkless <bugtraq@...kless.org>
To: bugtraq@...urityfocus.com
Subject: Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
Valdis.Kletnieks@...edu writes:
> On Wed, 30 Apr 2003 13:39:49 +1000, Damien Miller <djm@...drot.org> said:
> > 1. Systems affected:
> >
> > Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
> > if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).
>
> This is the same problem as I spotted in Sendmail 8.10.
Yeah, referring to my Bugtraq archives, I see you spotted that way back in
March 2000. Damien writes in his advisory:
We consider this a serious flaw in IBM's linker, and urge
them to fix it immediately. IBM, are you listening?
but if they haven't fixed it in the past 3 years, I don't think we should
hold our breaths for an immediate fix. Guess it's a case of "that's not a
bug, it's a feature", only in this case it's "that's not a _security_hole_,
it's a feature".
> Basically, somewhere, linking is being done with "-L. -lfoo" or similar
> (in sendmail's case, it was -L../otherdir type stuff).
Right, Damien states in his advisory:
The default behavior of the runtime linker on AIX is to search
the current directory for dynamic libraries before searching
system paths.
but it's my understanding (don't currently have access to an AIX system to
double-check) that this is not default loader behavior, but rather occurs if
"-L." was specified when linking (not that that makes this much less of a
concern).
> Workaround/fix: Link with "-bnolibpath -blibpath:/usr/local/lib:/usr/lib"
> or similar.
On the other topic addressed by OpenSSH 3.6.1p2, the valid account
identification timing leak, I find it a bit disturbing that the 3.6.1p2
announcement said just:
Changes since OpenSSH 3.6.1p1:
============================
* Security: corrected linking problem on AIX/gcc. AIX users are
advised to upgrade immediately. For details, please refer to
separate advisory (aixgcc.adv).
* Corrected build problems on Irix
* Corrected build problem when building with AFS support
* Merged some changes from Openwall Linux
without mentioning what the Openwall changes were for and without a
"Security: " on that line.
Anyone subscribing to openssh-unix-announce but not Bugtraq would think
there was no need to upgrade to 3.6.1p2 if they weren't using AIX.
--
Dan Harkless
bugtraq@...kless.org
http://harkless.org/dan/
Powered by blists - more mailing lists