Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy]

[solar () FALSE COM (Solar Designer)]

Hi,

> This is from a post I made to BugTraq on September 17, entitled
> "A few bugs...".  If you're running Linux, it appears kernels pre 2.1 will
> not be affected by this bug as they do not follow symlinks when creating
> UNIX domain sockets (Solar Designer pointed this out after trying the
> exploit on a 2.0.38 kernel; I tested on a 2.0.34 kernel, and from there
> I'm generalizing).

The same applies to mknod(2), which follows dangling symlinks on
Linux 2.2, but doesn't on 2.0.  I've changed the code not to follow
such symlinks for both mknod(2) and bind(2), in 2.2.12-ow6.

As I am posting this anyway, -- other changes to the -ow patch for
2.2 since I've announced it here include the real exit_signal fix,
and the TCP sequence number fix I took from 2.2.13pre14.  (Speaking
of the latter, it's funny how most of the randomness went into the
wrong place on the stack, and probably remained unnoticed because of
the fairly large and unused at the time "struct tcp_opt".  2.0 isn't
vulnerable.  Yet another reason to continue running 2.0.38.)

Signed,
Solar Designer