openssh unix dev - Jul 2002 - [Bug 327] monitor_fdpass.c: Expected 1 got 1075033556 - Privilege Separation

http://bugzilla.mindrot.org/show_bug.cgi?id=327





------- Additional Comments From jmknoble at pobox.com  2002-07-02 04:11 -------
Could you please check the error message again?  Is it:

  mm_receive_fd: recvmsg: expected received 1 got nnnnnnnn

or is it this:

  mm_receive_fd: expected type 1 got nnnnnnnn

?  Those are two different problems, within a few lines of each other.  The
exact text of the error message is important.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=327





------- Additional Comments From dazo at netcom.no  2002-07-02 18:21 -------
The message I receive is: mm_receive_fd: expected type 1 got nnnnnnnn

I added a little more debuging to be shure, and I'm 100% shure that the
program
failes in line 117 in the monitor_fdpass.c file.





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=327





------- Additional Comments From jmknoble at pobox.com  2002-07-03 05:57 -------
Use the attached patch (against the openssh-SNAP-20020702 snapshot).

An explanation is in the openssh-unix-dev archives:
http://www.mindrot.org/pipermail/openssh-unix-dev/2002-June/013903.html




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=327





------- Additional Comments From jmknoble at pobox.com  2002-07-03 05:59 -------
Created an attachment (id=127)
Patch to enable mm_receive_fd() to work under Linux kernel-2.0.x




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=327





------- Additional Comments From dgatwood at apple.com  2002-07-03 09:21 -------

This isn't a security risk from what I can see.  It's a risk of reading
a bogus
file descriptor (or the wrong file descriptor).  If somebody can muck with 
your file descriptors enough to make this a security bug, then they're root 
already.  :-)

The fix for this, ideally, should be to detect the bogus value, report a 
warning in the system log, and continue.  If you get a valid file descriptor, 
then clearly the message is really of the type expected, or else it's 
garbage.  Either way, the worst it can do is maybe provide a really obscure 
local DOS attack....  As long as there are appropriate warnings in the 
system log about this being a kernel bug, it seems reasonable to work 
around it in this way.  Please consider adding such a workaround to the 
official tree.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=327

dazo at netcom.no changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED



------- Additional Comments From dazo at netcom.no  2002-07-03 17:46 -------
This seems to work!

Thank ya'll!

Dazo



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.