Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
From: Dan Harkless <bugtraq () harkless org>
Date: Thu, 01 May 2003 04:25:07 -0700

Valdis.Kletnieks () vt edu writes:
On Wed, 30 Apr 2003 13:39:49 +1000, Damien Miller <djm () mindrot org>  said:
1. Systems affected:

    Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected 
    if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

This is the same problem as I spotted in Sendmail 8.10.  

Yeah, referring to my Bugtraq archives, I see you spotted that way back in
March 2000.  Damien writes in his advisory:

    We consider this a serious flaw in IBM's linker, and urge
    them to fix it immediately.  IBM, are you listening?

but if they haven't fixed it in the past 3 years, I don't think we should
hold our breaths for an immediate fix.  Guess it's a case of "that's not a
bug, it's a feature", only in this case it's "that's not a _security_hole_,
it's a feature".

Basically, somewhere, linking is being done with "-L. -lfoo" or similar
(in sendmail's case, it was -L../otherdir type stuff).

Right, Damien states in his advisory:

    The default behavior of the runtime linker on AIX is to search
    the current directory for dynamic libraries before searching
    system paths. 

but it's my understanding (don't currently have access to an AIX system to
double-check) that this is not default loader behavior, but rather occurs if
"-L." was specified when linking (not that that makes this much less of a

Workaround/fix:  Link with "-bnolibpath -blibpath:/usr/local/lib:/usr/lib"
or similar.

On the other topic addressed by OpenSSH 3.6.1p2, the valid account
identification timing leak, I find it a bit disturbing that the 3.6.1p2
announcement said just:

    Changes since OpenSSH 3.6.1p1:

    * Security: corrected linking problem on AIX/gcc. AIX users are
      advised to upgrade immediately. For details, please refer to
      separate advisory (aixgcc.adv).

    * Corrected build problems on Irix

    * Corrected build problem when building with AFS support

    * Merged some changes from Openwall Linux

without mentioning what the Openwall changes were for and without a
"Security: " on that line.

Anyone subscribing to openssh-unix-announce but not Bugtraq would think
there was no need to upgrade to 3.6.1p2 if they weren't using AIX.

Dan Harkless
bugtraq () harkless org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]