From owner-freebsd-security Wed Sep 29 20:56:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49])
	by hub.freebsd.org (Postfix) with ESMTP id 71C99151B2
	for ; Wed, 29 Sep 1999 20:56:20 -0700 (PDT)
	(envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6])
	by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA38150;
	Wed, 29 Sep 1999 21:56:19 -0600 (MDT)
	(envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1])
	by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA08428;
	Wed, 29 Sep 1999 21:56:21 -0600 (MDT)
Message-Id: <199909300356.VAA08428@harmony.village.org>
To: Garrett Wollman
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]
Cc: freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 29 Sep 1999 10:38:53 EDT." <199909291438.KAA19248@khavrinen.lcs.mit.edu>
References: <199909291438.KAA19248@khavrinen.lcs.mit.edu> <199909291352.GAA31310@cwsys.cwsent.com>
Date: Wed, 29 Sep 1999 21:56:21 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199909291438.KAA19248@khavrinen.lcs.mit.edu> Garrett Wollman writes:
: It is an application bug in that temporary files created by
: applications should always reside in a newly-created directory which
: is owned by the appropriate user and mode 700.

Having looked into this more deeply, I agree this is an ssh bug. It
needs to verify that /tmp/ssh-user exists, is a directory, and is
owned by user *BEFORE* trying to bind. Hacking the kernel to not
follow symbolic links isn't the best solution here (commits to
-current notwithstanding).

It already creates the directory if it doesn't exist... I'll have to
look at the ssh code to see what a proper fix is.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
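
The check described in the message above (the directory exists, is a directory, and is owned by the user before binding), combined with the mode 700 requirement from the quoted text, could look like the following. This is an added example, not code from the ssh source or from anyone in the thread; the helper name `ensure_private_dir` and the `/tmp/ssh-demo-<pid>` path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from ssh): make sure `path` is a private
 * directory belonging to `uid` before any socket is bound inside it.
 * Returns 0 if it is safe to use, -1 otherwise. */
int ensure_private_dir(const char *path, uid_t uid)
{
    struct stat st;

    /* Create it mode 700 if missing; an existing entry is checked below. */
    if (mkdir(path, 0700) == -1 && errno != EEXIST)
        return -1;

    /* lstat() does not follow a symlink planted at `path`. */
    if (lstat(path, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode))        /* symlink, regular file, fifo, ... */
        return -1;
    if (st.st_uid != uid)            /* someone else pre-created it */
        return -1;
    if ((st.st_mode & 077) != 0)     /* group/other could reach inside */
        return -1;
    return 0;
}

int main(void)
{
    char path[64];

    /* Constructed sample path mirroring the /tmp/ssh-user name in the mail. */
    snprintf(path, sizeof path, "/tmp/ssh-demo-%ld", (long)getpid());
    if (ensure_private_dir(path, getuid()) != 0) {
        fprintf(stderr, "refusing to bind under %s\n", path);
        return 1;
    }
    printf("%s passed the checks; bind() may proceed\n", path);
    rmdir(path);
    return 0;
}
```

Because the directory is confirmed to be owned by the caller and closed to group and other before `bind()` is reached, a symlink or directory pre-created by another user under `/tmp` is refused instead of followed.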