Date: Fri, 10 Dec 1999 16:52:54 -0800 (PST)
From: Kris Kennaway
To: spork
Cc: Todd Backman, security@freebsd.org
Subject: Re: Security Advisory: Buffer overflow in RSAREF2 (fwd)

On Fri, 10 Dec 1999, spork wrote:

> root@ass[/usr/ports/security/rsaref]# ldd /usr/local/bin/ssh
> /usr/local/bin/ssh:
>         libgmp.so.3 => /usr/lib/libgmp.so.3 (0x2806d000)
>         libz.so.2 => /usr/lib/libz.so.2 (0x28083000)
>         librsaref.so.2 => /usr/local/lib/librsaref.so.2 (0x28090000)
>         libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28099000)
>         libutil.so.2 => /usr/lib/libutil.so.2 (0x280ae000)
>         libc.so.3 => /usr/lib/libc.so.3 (0x280b6000)
>
> does this mean that simply patching, recompiling, and installing librsaref
> will fix ssh (for this vuln, not the last)? I'm not a genius with all
> this shared lib stuff, but I think I'm reading this right...

Yes. None of the librsaref code is included in the ssh binary itself, which
would be the case if it was linked against the static librsaref.a (which you
wouldn't see in ldd anyway).

Kris
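Added example, not part of the original message: a small shell helper that applies the check discussed in this thread, reading ldd(1) output and reporting whether a binary resolves a library at run time (so a rebuilt shared library takes effect) or does not list it at all (in which case static linkage is not ruled out). The function names and the sample listing are constructed for illustration; the sample is modelled on the ldd output quoted in the thread.

```shell
#!/bin/sh
# classify_ldd NAME  reads ldd output on stdin and prints one of:
#   dynamic <path>  lib<NAME>.so.N is loaded at run time from <path>;
#                   replacing that file fixes the binary without relinking
#   unresolved      listed as a dependency but reported "not found"
#   absent          not a shared dependency; ldd cannot show a static
#                   lib<NAME>.a, so the binary may still contain the code
classify_ldd() {
    awk -v lib="lib$1.so" '
        # Dependency lines: "libfoo.so.2 => /path/libfoo.so.2 (0x...)"
        index($1, lib) == 1 && $2 == "=>" {
            if ($3 == "not") print "unresolved"
            else print "dynamic " $3
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    '
}

# report NAME BINARY...  runs ldd on each binary (assumes ldd is installed).
report() {
    name=$1; shift
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | classify_ldd "$name")"
    done
}

# Constructed sample input, modelled on the listing quoted in the thread.
sample_ldd() {
    cat <<'EOF'
/usr/local/bin/ssh:
        libz.so.2 => /usr/lib/libz.so.2 (0x28083000)
        librsaref.so.2 => /usr/local/lib/librsaref.so.2 (0x28090000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28099000)
EOF
}

# Usage: sh thisfile rsaref /usr/local/bin/ssh /usr/local/sbin/sshd
if [ "$#" -ge 2 ]; then report "$@"; fi
```

A binary reported as "absent" still needs a rebuild if it was linked against the static archive, which is the case ldd cannot distinguish.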