## September 16, 2003

### OpenSSH 3.7.1p1

OpenSSH 3.7.1p1 was released today. It patches a potential security flaw. There are some allegations that there is actually an exploit, but the experts seem to view this as unlikely. No matter, I don’t mess around when it comes to Security.

I downloaded the source (be sure to check the PGP signature!) and compiled. It compiled just fine under MacOSX 10.2.6. But, after installation, the daemon kept dying whenever a client connected, because of some funny business with setuid(). Not wanting to mess around, I grabbed uidswap.c (not a part of the code affected by this vulnerability) from 3.6.1p1 and recompiled. It worked fine after that.

Update (9/17/2003): Despite some back-and-forth with Darren Tucker on openssh-unix-dev, we were unable to resolve this. So, until Apple comes along and releases a binary, MacOSX users should use the previous version of uidswap.c when compiling OpenSSH 3.7.1p1.

Update (9/18/2003): There’s now a patch to configure.ac which fixes the issue for MacOSX.

Update (9/22/2003): MacOSX 10.2.8 was just released, which deals with various security issues, including this one and the Sendmail issue mentioned above. And it “only” took a week! (N.B. the update does not include OpenSSH 3.7.1. Apple just applied a patch to version 3.4. While this fixes the immediate problem, there is a long list of reasons why you shouldn’t be running an outdated version of critical security software.)

Update (9/23/2003): The patch mentioned in the comments is no longer necessary. This, along with several other minor bugs, was fixed in OpenSSH 3.7.1p2. Compile and Enjoy!

Posted by distler at September 16, 2003 9:11 PM

### Re: OpenSSH 3.7.1p1

If you #define BROKEN_SETREUID and BROKEN_SETREGID in config.h, the problem goes away.

Posted by: Andrew Mortensen on September 17, 2003 10:25 PM

### Re: OpenSSH 3.7.1p1

That didn’t suffice for me. I needed all three of the DEFINEs in this patch:

--- configure.ac~	Tue Sep 16 00:48:15 2003
+++ configure.ac	Wed Sep 17 22:00:46 2003
@@ -122,6 +122,9 @@
AC_DEFINE(IP_TOS_IS_BROKEN)
;;
*-*-darwin*)
+       AC_DEFINE(SETEUID_BREAKS_SETUID)
+	AC_DEFINE(BROKEN_SETREUID)
+	AC_DEFINE(BROKEN_SETREGID)
AC_TRY_RUN([#include <mach-o/dyld.h>
main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
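Review bot: the first added line, `+       AC_DEFINE(SETEUID_BREAKS_SETUID)`, is indented with spaces while the two below it use tabs; indent all three the same way as the surrounding case branch so they line up in configure.ac. Separately, the hunk header `@@ -122,6 +122,9 @@` promises six context lines but only five are visible, and the trailing `AC_TRY_RUN([#include <mach-o/dyld.h>` / `main() { ...` context is cut off mid-statement, so `patch` will reject the hunk as pasted; re-paste it with the complete trailing context.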

and then I ran autoconf before configure.

Of course, what I really spent my time doing was installing SRP on all my machines, so I have a fallback — SRP telnet (with SSL encryption) — should SSH be unusable.

The fact that SRP is utterly neglected, despite being such a great protocol, is an object lesson in the evils of software patents.

Posted by: Jacques Distler on September 17, 2003 11:07 PM
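
The seteuid()/setuid() fallback that BROKEN_SETREUID forces sshd onto, together with the post-drop checks that refuse to continue when the drop did not stick, as an added C example that is not OpenSSH's own uidswap.c: the function names are hypothetical, the SETEUID_BREAKS_SETUID macro mirrors the configure.ac define from the patch above, and the functions return -1 where sshd would call fatal().

```c
/* Added example, not OpenSSH's uidswap.c: the seteuid()/setuid() fallback
 * path selected by BROKEN_SETREUID, plus the checks that the drop stuck.
 * Hypothetical names; SETEUID_BREAKS_SETUID mirrors the configure define. */
#include <sys/types.h>
#include <unistd.h>

static uid_t saved_euid;          /* euid to return to after a temporary drop */
static int   temporarily_dropped; /* guard: no permanent drop while temporary */

/* Temporarily take on 'uid' (e.g. to read that user's files); reversible. */
int temporarily_use_uid(uid_t uid)
{
    saved_euid = geteuid();
    if (seteuid(uid) < 0)
        return -1;
    temporarily_dropped = 1;
    return 0;
}

/* Undo temporarily_use_uid(). */
int restore_uid(void)
{
    if (seteuid(saved_euid) < 0)
        return -1;
    temporarily_dropped = 0;
    return 0;
}

/* Permanently become 'uid'. Returns 0 only if the drop is verified. */
int permanently_set_uid(uid_t uid)
{
    uid_t old_uid = getuid();
    if (temporarily_dropped)
        return -1;                /* must be back at full privilege first */
#ifndef SETEUID_BREAKS_SETUID
    if (seteuid(uid) < 0)         /* default fallback order: seteuid, setuid */
        return -1;
#endif
    /* With SETEUID_BREAKS_SETUID (the Darwin case above) the seteuid() step
     * is skipped so setuid() runs with euid 0 and changes all three uids. */
    if (setuid(uid) < 0)
        return -1;
    /* Verify as sshd does: the old uid must be unrecoverable ... */
    if (old_uid != uid && (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
        return -1;
    /* ... and real and effective uid must both now be the target. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}
```

Run it as root and pass an unprivileged uid to exercise a real drop; as a normal user every call is a no-op that still has to pass the checks.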

### Re: OpenSSH 3.7.1p1

Just so there’s no mistaking, the last line of the patch should be:

main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))

Else patch will complain that the line isn’t finished.

Hope this helps someone,
-Ryan Wilcox

Posted by: Ryan Wilcox on September 20, 2003 5:31 PM

### Spooged Patch

Ack! I hate it when that happens.

It’s fixed now. Thanks.

Posted by: Jacques Distler on September 20, 2003 5:55 PM