From: des@des.no (Dag-Erling Smørgrav)
To: Michael Sierchio
Cc: security@freebsd.org
Date: Wed, 24 Sep 2003 21:00:12 +0200
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code
In-Reply-To: <3F705D4D.4070404@tenebras.com> (Michael Sierchio's message of "Tue, 23 Sep 2003 07:48:45 -0700")
List-Id: Security issues [members-only posting]

Michael Sierchio writes:
> This affects only 3.7p1 and 3.7.1p1. The advice to leave
> PAM disabled is far from heartening, nor is the semi-lame
> blaming the PAM spec for implementation bugs.

They have their axe to grind. The PAM spec is not to be blamed; although the spec is remarkably unclear on some points related to the offending code, the fault for the bug is entirely mine.

In the meantime, it is important to point out that privilege separation (which is on by default in FreeBSD) prevents exploitation of the first bug, and that there is no known way to exploit the second bug.

It is also important to point out that the second bug is not directly PAM-related. The bug is in a common portion of the ssh1 kbdint code; it just so happens that the PAM code is the only kbdint device which triggers it. And it just so happens that I wrote those few lines as well :(

DES
-- 
Dag-Erling Smørgrav - des@des.no