From owner-freebsd-security Fri Dec 10 16:36:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from super-g.com (super-g.com [207.240.140.161])
	by hub.freebsd.org (Postfix) with ESMTP id 88E941575E
	for ; Fri, 10 Dec 1999 16:36:09 -0800 (PST)
	(envelope-from spork@super-g.com)
Received: by super-g.com (Postfix, from userid 1000)
	id DC43EC74E; Fri, 10 Dec 1999 19:36:07 -0500 (EST)
Received: from localhost (localhost [127.0.0.1])
	by super-g.com (Postfix) with SMTP
	id C5E86C74C; Fri, 10 Dec 1999 19:36:07 -0500 (EST)
Date: Fri, 10 Dec 1999 19:36:07 -0500 (EST)
From: spork
X-Sender: spork@super-g.inch.com
To: Kris Kennaway
Cc: Todd Backman , security@freebsd.org
Subject: Re: Security Advisory: Buffer overflow in RSAREF2 (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can someone clarify this for me? If ldd shows output like so:

root@ass[/usr/ports/security/rsaref]# ldd /usr/local/bin/ssh
/usr/local/bin/ssh:
        libgmp.so.3 => /usr/lib/libgmp.so.3 (0x2806d000)
        libz.so.2 => /usr/lib/libz.so.2 (0x28083000)
        librsaref.so.2 => /usr/local/lib/librsaref.so.2 (0x28090000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28099000)
        libutil.so.2 => /usr/lib/libutil.so.2 (0x280ae000)
        libc.so.3 => /usr/lib/libc.so.3 (0x280b6000)

does this mean that simply patching, recompiling, and installing librsaref
will fix ssh (for this vuln, not the last)? I'm not a genius with all
this shared lib stuff, but I think I'm reading this right...

Thanks,

charles

On Thu, 2 Dec 1999, Kris Kennaway wrote:

> On Thu, 2 Dec 1999, Kris Kennaway wrote:
>
> > It's been patched: re-cvsup your ports and rebuild rsaref, followed by
> > anything which depends on it (i.e. which statically links to librsaref.a
> > - but easier and safer to just do all of the dependencies).
>
> I forgot to mention the easy way to get this list:
>
> cat /var/db/pkg/rsaref-2.0/+REQUIRED_BY
>
> before you rebuild.
>
> Kris
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
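
Added example, not part of the original thread or of the FreeBSD ports tree: a small sh triage that reads `ldd` output and reports whether a binary resolves librsaref as a shared object or has no shared entry at all, which is the distinction the question and the quoted rebuild advice turn on. The function names and the second sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; rsaref_link_mode, triage and sample_* are hypothetical names.

# Reads `ldd` output on stdin and prints one of:
#   dynamic <path>  librsaref is resolved as a shared object at <path>
#   missing         librsaref.so is wanted but the loader cannot find it
#   none            no librsaref entry: statically linked or not used at all
#                   (ldd cannot tell these two apart)
rsaref_link_mode() {
    awk '
        $1 ~ /^librsaref\.so/ && $2 == "=>" {
            if ($3 == "not") print "missing"; else print "dynamic " $3
            found = 1; exit
        }
        END { if (!found) print "none" }
    '
}

# Maps the mode to the remediation discussed in the thread.
# $1 = binary path, ldd output on stdin.
triage() {
    mode=$(rsaref_link_mode)
    case $mode in
        dynamic*) echo "$1: loads ${mode#dynamic } at start; restart running copies after replacing it" ;;
        missing)  echo "$1: librsaref.so not found; reinstall the rsaref port" ;;
        none)     echo "$1: no shared librsaref; rebuild it if its package is in +REQUIRED_BY" ;;
    esac
}

# ldd output as posted in the message above.
sample_dynamic() {
    cat <<'EOF'
/usr/local/bin/ssh:
        libgmp.so.3 => /usr/lib/libgmp.so.3 (0x2806d000)
        libz.so.2 => /usr/lib/libz.so.2 (0x28083000)
        librsaref.so.2 => /usr/local/lib/librsaref.so.2 (0x28090000)
        libc.so.3 => /usr/lib/libc.so.3 (0x280b6000)
EOF
}

# Constructed sample: a binary with no librsaref.so entry.
sample_static() {
    cat <<'EOF'
/usr/local/sbin/exampled:
        libc.so.3 => /usr/lib/libc.so.3 (0x280b6000)
EOF
}

sample_dynamic | triage /usr/local/bin/ssh
sample_static | triage /usr/local/sbin/exampled
```

On a live system the input would come from `ldd /path/to/binary | triage /path/to/binary`; a "none" result still needs the `+REQUIRED_BY` list, because a static copy of librsaref.a leaves no trace in `ldd` output.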