Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 29 Sep 1999 21:56:21 -0600
From:      Warner Losh <imp@village.org>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] 
Message-ID:  <199909300356.VAA08428@harmony.village.org>
In-Reply-To: Your message of "Wed, 29 Sep 1999 10:38:53 EDT." <199909291438.KAA19248@khavrinen.lcs.mit.edu> 
References:  <199909291438.KAA19248@khavrinen.lcs.mit.edu>  <199909291352.GAA31310@cwsys.cwsent.com> 

next in thread | previous in thread | raw e-mail | index | archive | help
In message <199909291438.KAA19248@khavrinen.lcs.mit.edu> Garrett
Wollman writes:
: It is an application bug in that temporary files created by
: applications should always reside in a newly-created directory which
: is owned by the appropriate user and mode 700.

Having looking into this more deeply, I agree this is an ssh bug.  It
needs to verify that /tmp/ssh-user exists, is a directory, and is
owned by user *BEFORE* trying to bind.  Hacking the kernel to not
follow symbolic links isn't the best solution here (commits to
-current not with standing).  It already creates the directoy if it
doesn't exist...  I'll have to look at the ssh code to see what a
proper fix is.

Warner


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909300356.VAA08428>