From: Jeremy Chadwick <jdc@koitsu.org>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-stable@FreeBSD.org, d@delphij.net
Date: Mon, 24 Jun 2013 18:13:09 -0700
Subject: Re: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)
Message-ID: <20130625011308.GA10736@icarus.home.lan>
In-Reply-To: <51C8EC48.1000807@quip.cz>
References: <51C4DBFE.1010809@quip.cz> <51C4F5D4.6000802@delphij.net> <51C8C400.7080009@quip.cz> <51C8C9E8.9050507@delphij.net> <20130624225034.GA8873@icarus.home.lan> <51C8EC48.1000807@quip.cz>
On Tue, Jun 25, 2013 at 03:03:04AM +0200, Miroslav Lachman wrote:
> Jeremy Chadwick wrote:
> >On Mon, Jun 24, 2013 at 03:36:24PM -0700, Xin Li wrote:
> >>-----BEGIN PGP SIGNED MESSAGE-----
> >>Hash: SHA512
> >>
> >>On 06/24/13 15:11, Miroslav Lachman wrote:
> >>[...]
> >>>The patch seems really simple and I know how to apply it, but I am
> >>>not able to compile and install only the fixed sftp command instead of
> >>>the whole userland. Can you point me in the right direction?
> >>
> >>I think you can go to /usr/src/secure/usr.bin/sftp and do:
> >>
> >>make depend
> >>make
> >>
> >>Then, as root:
> >>
> >>make install
> 
> Thank you! I didn't know I must be in /usr/src/secure/usr.bin/sftp
> 
> I tried your patch and can confirm it works for me!
> 
> >>I usually do a full world build to make sure that this doesn't break
> >>something else but this change should only affect sftp(1).
> >
> >I'm going to make this real simple:
> >
> >Is the problem with symlinks in the client (sftp(1)), in the server
> >(sftp-server(8)), or both? The impression I get from the original post
> >that started this thread is that it's in the server part.
> 
> No, it is the problem on the client side. The server side in all
> cases is good old OpenSSH 5.4 on FreeBSD 8.3. Only the newer sftp
> client is broken and this bug is really fixed by the patch provided by
> Xin Li.
> 
> We tried the OpenSSH 6.2 client side from Mac OS X and it is broken too.
> The same applies to openssh-portable from ports (openssh-portable-6.2.p2_3,1).
> 
> >So, I believe he'd want to poke about in src/secure/libexec/sftp-server.
> >However, that may not be enough, due to the fact that sftp-server(8)
> >depends (links to) libssh.so.X, libcrypt.so.X, and libcrypto.so.X. I do
> >not know where the actual broken code lies.
> >
> >Someone on -security might know exactly what all needs to be built/what
> >commands need to be run, but I will tell you this up front:
> >
> >The official security announcements for SSL or SSH-related things have
> >historically told people to build world. I went and read the mailing
> >list archives for -security-announcements and found proof/examples of
> >this fact when issues pertain to SSL or SSH.
> >
> >My recommendation is just to build world. Don't risk it -- this is a
> >key piece of your system, all you're trying to do is save some time.
> >Don't. Just build/install world and don't screw around.
> 
> I understand your concern and I will rebuild world if the patch
> changes anything in the server part, but this is really just a fix in
> the sftp client command and I want to try it quickly and to have a quick
> path to go back to the original version of the sftp command.
> 
> This is on a testing machine anyway, I will not do this on production
> machines.

Understood -- it was my misunderstanding of the issue (being on the client
side, not server side), so Xin's advice is sound. Sorry for the noise on
my part.

-- 
| Jeremy Chadwick                                   jdc@koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
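Added example, not code from the thread or from FreeBSD's own build tooling: a small POSIX sh script that performs the single-component rebuild Xin Li describes (make depend, make, then make install as root in /usr/src/secure/usr.bin/sftp) while first saving a copy of the installed sftp binary, so the "quick path to go back to the original version" that Miroslav asks for is one function call. The variable names SRC_SUBDIR, INSTALLED_BIN and BACKUP_DIR, the function names, the backup directory /root/sftp-backup and the installed path /usr/bin/sftp are assumptions of this example, not values from the mail.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild a single FreeBSD userland
# component from /usr/src (the steps Xin Li gave for sftp) while keeping a
# copy of the currently installed binary so it can be restored in one step.
# SRC_SUBDIR, INSTALLED_BIN, BACKUP_DIR and all function names are
# assumptions of this example; the defaults mirror the sftp case.

SRC_SUBDIR=${SRC_SUBDIR:-/usr/src/secure/usr.bin/sftp}
INSTALLED_BIN=${INSTALLED_BIN:-/usr/bin/sftp}
BACKUP_DIR=${BACKUP_DIR:-/root/sftp-backup}

# backup_binary BIN DIR: copy BIN (preserving mode and timestamps) to
# DIR/<name>.orig and print the saved path. Fails if BIN does not exist.
backup_binary() {
    bin=$1; dir=$2
    [ -f "$bin" ] || { echo "backup_binary: $bin not found" >&2; return 1; }
    mkdir -p "$dir" || return 1
    saved="$dir/$(basename "$bin").orig"
    cp -p "$bin" "$saved" || return 1
    printf '%s\n' "$saved"
}

# binary_changed BIN DIR: succeed (exit 0) when BIN differs byte-for-byte
# from the saved copy, i.e. when the install really replaced it.
binary_changed() {
    bin=$1; dir=$2
    ! cmp -s "$bin" "$dir/$(basename "$bin").orig"
}

# rollback_binary BIN DIR: put the saved copy back over BIN.
rollback_binary() {
    bin=$1; dir=$2
    saved="$dir/$(basename "$bin").orig"
    [ -f "$saved" ] || { echo "rollback_binary: no backup at $saved" >&2; return 1; }
    cp -p "$saved" "$bin"
}

# build_component SRCDIR: the first two steps from the thread, run in a
# subshell so the caller's working directory is untouched; stops at the
# first failure.
build_component() {
    [ -f "$1/Makefile" ] || { echo "build_component: no Makefile in $1" >&2; return 1; }
    ( cd "$1" && make depend && make )
}

# install_component SRCDIR: the third step, to be run as root.
install_component() {
    ( cd "$1" && make install )
}

main() {
    backup_binary "$INSTALLED_BIN" "$BACKUP_DIR" || exit 1
    build_component "$SRC_SUBDIR" || exit 1
    install_component "$SRC_SUBDIR" || exit 1
    if binary_changed "$INSTALLED_BIN" "$BACKUP_DIR"; then
        echo "installed new $INSTALLED_BIN; to revert: rollback_binary $INSTALLED_BIN $BACKUP_DIR"
    else
        echo "warning: $INSTALLED_BIN is byte-identical to the backup; was anything installed?" >&2
    fi
}

# Only the literal argument "run" starts the build, so the file can also be
# sourced (". ./rebuild-sftp.sh") to call rollback_binary by hand later.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root with `sh rebuild-sftp.sh run`; to revert, source the file and call `rollback_binary /usr/bin/sftp /root/sftp-backup`. The script touches only what is built under the one source directory, which is exactly the scope of Xin Li's fix to the sftp(1) client; as Jeremy's quoted message points out, a change in sftp-server(8) or in the libraries it links against would not be covered by this and would still call for a full world build.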