bugzilla-daemon at mindrot.org
2023-Jul-27 11:31 UTC
[Bug 3594] New: PKCS11Provider now requires full paths
https://bugzilla.mindrot.org/show_bug.cgi?id=3594
Bug ID: 3594
Summary: PKCS11Provider now requires full paths
Product: Portable OpenSSH
Version: 9.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: marc.deslauriers at canonical.com
Since the 29ef8a0486 commit for CVE-2023-28408, PKCS11Provider now
requires libraries to be specified using their full path as the new
code just opens the filename directly whereas the dlopen would search
system library paths.
This causes a change in behaviour for users.
(See downstream bug here:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2028774 )
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Jul-27 23:36 UTC
[Bug 3594] PKCS11Provider now requires full paths
https://bugzilla.mindrot.org/show_bug.cgi?id=3594
Damien Miller <djm at mindrot.org> changed:
What      |Removed |Added
----------------------------------------------------------------------------
Resolution|---     |WONTFIX
Status    |NEW     |RESOLVED
CC        |        |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This is intentional, sorry.
bugzilla-daemon at mindrot.org
2023-Jul-28 00:06 UTC
[Bug 3594] PKCS11Provider now requires full paths
https://bugzilla.mindrot.org/show_bug.cgi?id=3594
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
I should add that the change that causes this has not been released
yet. It will be part of OpenSSH 9.4 which is due pretty soon. I guess
somebody has mistakenly cherry-picked it somewhere? It is not required
to fix CVE-2023-38408 (only 892506b1365430 - the fatal() change is
needed); it's more defence in depth.
bugzilla-daemon at mindrot.org
2023-Jul-28 11:22 UTC
[Bug 3594] PKCS11Provider now requires full paths
https://bugzilla.mindrot.org/show_bug.cgi?id=3594
--- Comment #3 from Marc Deslauriers <marc.deslauriers at canonical.com> ---
Yes, I cherry picked that commit when fixing Ubuntu. Thanks for your
response, I just wanted to make sure this change was intentional.
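Added example (not part of the original thread and not OpenSSH code): a small audit that lists PKCS11Provider values in ssh_config text that are not full paths, which per this report stop loading once the change is present, and suggests a full path for each. The sample configuration, the function name and the search directories are assumptions made for illustration.

```python
import os
import re
import shlex

# "Keyword value" or "Keyword=value"; ssh_config keywords are case-insensitive.
DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+?)\s*$")

# Constructed sample configuration (not taken from the bug report).
SAMPLE = """\
# constructed sample ssh_config
Host legacy
    PKCS11Provider opensc-pkcs11.so
Host fixed
    pkcs11provider=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Host quoted
    PKCS11Provider "libykcs11.so"
Host off
    PKCS11Provider none
"""

def find_relative_providers(config_text, lib_dirs=()):
    """Return (line_no, value, candidates) for every PKCS11Provider value
    that is not an absolute path. candidates lists full paths under lib_dirs
    where a file of that name exists, as suggestions for the rewrite."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m or m.group(1).lower() != "pkcs11provider":
            continue  # comments, blank lines and other keywords
        try:
            value = shlex.split(m.group(2))[0]  # strips double quotes
        except (ValueError, IndexError):
            value = m.group(2)  # unbalanced quotes: report the raw text
        if value == "none" or value.startswith("/"):
            continue  # provider disabled, or already a full path
        candidates = [os.path.join(d, value) for d in lib_dirs
                      if os.path.isfile(os.path.join(d, value))]
        findings.append((line_no, value, candidates))
    return findings

if __name__ == "__main__":
    # Assumed search directories; adjust for the distribution in use.
    dirs = ["/usr/lib", "/usr/lib64", "/usr/lib/x86_64-linux-gnu"]
    for line_no, value, candidates in find_relative_providers(SAMPLE, dirs):
        hint = ", ".join(candidates) or "no match in searched directories"
        print(f"line {line_no}: PKCS11Provider {value} -> {hint}")
```

The same check applies to any library name passed on the command line instead of through ssh_config.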