www/errata.html - diff

Return to errata.html CVS log

Up to [local] / www

Diff for /www/errata.html between version 1.60 and 1.61

-version 1.60, 1998/02/09 21:56:33
+version 1.61, 1998/02/14 02:20:37
 Line 26
 Line 26
 Line 26
  <a href=http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/readlink/readlink.c?rev=1.13>
  revision 1.13 of usr.bin/readlink/readlink.c</a>.
  <p>
+ <li><strong>IMPORTANT</strong>
+ A combination localhost+remote host security problem exists if a
+ local user running a setuid binary causes a non-existant root .rhosts
+ file to be created via a symbolic link with a specific kind of corefile,
+ and then subsequently uses rsh/rlogin to enter the machine from remote.
+ A similar exploit might also be possible using sshd which lacks any code
+ for checking for deviations from the expected format in the .rhosts or
+ .shosts files, but we have not confirmed this yet.  The following two
+ fixes are recommended:
+ <p>
+ <ul>
+ <li>
+ <a href=ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/nosuidcoredump.patch>
+ (1) Adds a new sysctl option which permits the adminstrator to decide
+ whether setuid corefiles should be written or not.</a>
+ <p>
+ <li><a href=ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.2/common/rcmd.patch>
+ (2) Replaces the ruserok() function in libc with a much more paranoid
+ version which can detect these bogus looking .rhosts files better.  If the
+ previous patch is used to stop setuid coredumps, then this patch is not
+ as important.</a>
+ </ul>
+ <p>
+ This problem is fixed much better in OpenBSD-current, where the kernel's
+ symbolic link handling has been improved such that coredumping will not
+ create a file on the other side of a symbolic link.  Such a patch is not
+ possible for the 4.4lite1 VFS layer in the OpenBSD 2.2 kernel.
+ <p>
  </ul>
  <a name=i386></a>
  <li><font color=#e00000>i386</font>