Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)

From: Dan Harkless (bugtraqat_private)
Date: Thu May 01 2003 - 04:25:07 PDT

Next message: Kevin Spett: "Re: [Full-Disclosure] eBay Security Contact"

Previous message: ERRor: "Re: April appeared to be a month of IE bugs. Here's another one."
Next in thread: Damien Miller: "Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Valdis.Kletnieksat_private writes:
> On Wed, 30 Apr 2003 13:39:49 +1000, Damien Miller <djmat_private>  said:
> > 1. Systems affected:
> > 
> > 	Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected 
> > 	if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).
> 
> This is the same problem as I spotted in Sendmail 8.10.  

Yeah, referring to my Bugtraq archives, I see you spotted that way back in
March 2000.  Damien writes in his advisory:

    We consider this a serious flaw in IBM's linker, and urge
    them to fix it immediately.  IBM, are you listening?

but if they haven't fixed it in the past 3 years, I don't think we should
hold our breaths for an immediate fix.  Guess it's a case of "that's not a
bug, it's a feature", only in this case it's "that's not a _security_hole_,
it's a feature".

> Basically, somewhere, linking is being done with "-L. -lfoo" or similar
> (in sendmail's case, it was -L../otherdir type stuff).

Right, Damien states in his advisory:

    The default behavior of the runtime linker on AIX is to search
    the current directory for dynamic libraries before searching
    system paths. 

but it's my understanding (don't currently have access to an AIX system to
double-check) that this is not default loader behavior, but rather occurs if
"-L." was specified when linking (not that that makes this much less of a
concern).

> Workaround/fix:  Link with "-bnolibpath -blibpath:/usr/local/lib:/usr/lib"
> or similar.

On the other topic addressed by OpenSSH 3.6.1p2, the valid account
identification timing leak, I find it a bit disturbing that the 3.6.1p2
announcement said just:

    Changes since OpenSSH 3.6.1p1:
    ============================

    * Security: corrected linking problem on AIX/gcc. AIX users are
      advised to upgrade immediately. For details, please refer to
      separate advisory (aixgcc.adv).

    * Corrected build problems on Irix

    * Corrected build problem when building with AFS support

    * Merged some changes from Openwall Linux

without mentioning what the Openwall changes were for and without a
"Security: " on that line.

Anyone subscribing to openssh-unix-announce but not Bugtraq would think
there was no need to upgrade to 3.6.1p2 if they weren't using AIX.

--
Dan Harkless
bugtraqat_private
http://harkless.org/dan/

Next message: Kevin Spett: "Re: [Full-Disclosure] eBay Security Contact"
Previous message: ERRor: "Re: April appeared to be a month of IE bugs. Here's another one."
Next in thread: Damien Miller: "Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu May 01 2003 - 11:48:23 PDT