Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)
Jeremy Chadwick
jdc at koitsu.org
Mon Jun 24 22:50:56 UTC 2013
On Mon, Jun 24, 2013 at 03:36:24PM -0700, Xin Li wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 06/24/13 15:11, Miroslav Lachman wrote:
> [...]
> > The patch seems really simple and I know how to apply it, but I am
> > not able to compile and install only fixed sftp command instead of
> > the whole userland. Can you push me to the right direction?
>
> I think you can go to /usr/src/secure/usr.bin/sftp and do:
>
> make depend
> make
>
> Then, as root:
>
> make install
>
> I usually do a full world build to make sure that this doesn't break
> something else but this change should only affect sftp(1).

I'm going to make this real simple:

Is the problem with symlinks in the client (sftp(1)), in the server
(sftp-server(8)), or both? The impression I get from the original post
that started this thread is that it's in the server part.

So, I believe he'd want to poke about in src/secure/libexec/sftp-server.
However, that may not be enough, due to the fact that sftp-server(8)
depends (links to) libssh.so.X, libcrypt.so.X, and libcrypto.so.X. I do
not know where the actual broken code lies.

Someone on -security might know exactly what all needs to be built/what
commands need to be run, but I will tell you this up front:

The official security announcements for SSL or SSH-related things have
historically told people to build world. I went and read the mailing
list archives for -security-announcements and found proof/examples of
this fact when issues pertain to SSL or SSH.

My recommendation is just to build world. Don't risk it -- this is a
key piece of your system, all you're trying to do is save some time.
Don't. Just build/install world and don't screw around.

--
| Jeremy Chadwick jdc at koitsu.org |
| UNIX Systems Administrator http://jdc.koitsu.org/ |
| Making life hard for others since 1977. PGP 4BD6C0CB |