Date: Wed, 29 Sep 1999 21:56:21 -0600 From: Warner Losh <imp@village.org> To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu> Cc: freebsd-security@FreeBSD.ORG Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Message-ID: <199909300356.VAA08428@harmony.village.org> In-Reply-To: Your message of "Wed, 29 Sep 1999 10:38:53 EDT." <199909291438.KAA19248@khavrinen.lcs.mit.edu> References: <199909291438.KAA19248@khavrinen.lcs.mit.edu> <199909291352.GAA31310@cwsys.cwsent.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <199909291438.KAA19248@khavrinen.lcs.mit.edu> Garrett Wollman writes: : It is an application bug in that temporary files created by : applications should always reside in a newly-created directory which : is owned by the appropriate user and mode 700. Having looking into this more deeply, I agree this is an ssh bug. It needs to verify that /tmp/ssh-user exists, is a directory, and is owned by user *BEFORE* trying to bind. Hacking the kernel to not follow symbolic links isn't the best solution here (commits to -current not with standing). It already creates the directoy if it doesn't exist... I'll have to look at the ssh code to see what a proper fix is. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909300356.VAA08428>