Date: Mon, 24 Jun 2013 15:50:34 -0700
From: Jeremy Chadwick <jdc@koitsu.org>
To: d@delphij.net
Cc: freebsd-stable@FreeBSD.org, Miroslav Lachman <000.fbsd@quip.cz>
Subject: Re: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)
Message-ID: <20130624225034.GA8873@icarus.home.lan>
In-Reply-To: <51C8C9E8.9050507@delphij.net>
References: <51C4DBFE.1010809@quip.cz> <51C4F5D4.6000802@delphij.net> <51C8C400.7080009@quip.cz> <51C8C9E8.9050507@delphij.net>

On Mon, Jun 24, 2013 at 03:36:24PM -0700, Xin Li wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 06/24/13 15:11, Miroslav Lachman wrote:
> [...]
> > The patch seems really simple and I know how to apply it, but I am
> > not able to compile and install only fixed sftp command instead of
> > the whole userland. Can you push me to the right direction?
>
> I think you can go to /usr/src/secure/usr.bin/sftp and do:
>
> make depend
> make
>
> Then, as root:
>
> make install
>
> I usually do a full world build to make sure that this doesn't break
> something else but this change should only affect sftp(1).

I'm going to make this real simple:

Is the problem with symlinks in the client (sftp(1)), in the server (sftp-server(8)), or both?

The impression I get from the original post that started this thread is that it's in the server part. So, I believe he'd want to poke about in src/secure/libexec/sftp-server.

However, that may not be enough, due to the fact that sftp-server(8) depends (links to) libssh.so.X, libcrypt.so.X, and libcrypto.so.X. I do not know where the actual broken code lies.

Someone on -security might know exactly what all needs to be built/what commands need to be run, but I will tell you this up front:

The official security announcements for SSL or SSH-related things have historically told people to build world. I went and read the mailing list archives for -security-announcements and found proof/examples of this fact when issues pertain to SSL or SSH.

My recommendation is just to build world. Don't risk it -- this is a key piece of your system, all you're trying to do is save some time. Don't. Just build/install world and don't screw around.

--
| Jeremy Chadwick                                   jdc@koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |