Home page logo
/

oss-sec logo oss-sec mailing list archives

FreeBSD 4.x OpenSSH/libopie remote root hole
From: Solar Designer <solar () openwall com>
Date: Tue, 5 Jul 2011 03:09:06 +0400

Hi,

I'd be interested in more detail on this bug.  So far, the closest to a
description of the bug that I saw is this:

http://lists.openwall.net/full-disclosure/2011/07/01/4

but it's not enough.

I'd like to learn not only on my own, but also on others' mistakes. ;-)
And for this purpose it does not matter how old the software is and
whether it is still supported or not.

Colin - any comments from you?  I realize the bug is not yours, but
perhaps you're one of the few people who have figured it out now, for a
reason similar to mine.

Red Hat - a lesson for you might be to stop linking sshd against so
many libraries (over 20 last time I checked).  Don't wait until your
remote root, really. ;-)  Yes, this means dropping some functionality,
or maybe moving it to extra builds of sshd that only a small subset of
systems will choose to run (e.g., configurable via /etc/sysconfig/sshd).
Just an idea.

Thanks,

Alexander


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault