
*possible* perl-related security issue



"querybts ssh" says, believe it or not, "No outstanding bugs for ssh"

Obviously there is significant lag in the BTS, and getting a bug number
back may not be imminent.  Since I would like to request that perl-fluent
eyes examine a script for a significant security problem, I hope you
will bear with my pasting the message to this list.  If it turns out to
be unrelated to perl, my apologies in advance.  With the implications
inherent in the recent ssh vulnerabilities, I hope someone here will
find this worthy of examination.  (I suspect most of our systems rely
upon the ssh cryptosystem in a fundamental manner.)

As should be obvious below, I don't have anything more than a strong
suspicion this is related to perl 5.6 vs perl 5.005.  However, if so,
I figured those on the list would be able to get a workaround to the
right people (security@ and ssh-maint?) in the most timely manner,
as well as to the list itself, as appropriate.  ("Many eyes" etc.)

I've tried to err on the side of verbosity, since it is quite likely
that inbound email to this address will remain broken during the time
in question and clarification will not be possible.  Thanks in advance
for any perl guru time logged. :-)

----- Forwarded BTS report -----
ssh: make-ssh-known-hosts no longer works

Obviously there are security implications here, and perhaps this bug's
severity should be increased, especially in light of the recent ssh
vulnerabilities and their being *related* to man-in-the-middle attacks
(and therefore, make-ssh-known-hosts.)  (If a cryptoSYSTEM is defective,
it provides a false sense of security, which is worse than ... well,
you know the drill here.  And you don't get more crucial than ssh typically.)

Some possibly-pertinent packages:
ii  bind9          9.1.0-1        Internet Domain Name Server
ii  libperl5.6     5.6.0-6.2      Shared Perl library
ii  perl-5.6       5.6.0-6.2      Larry Wall's Practical Extracting and Report
ii  perl-5.6-base  5.6.0-6.2      The Pathologically Eclectic Rubbish Lister

As you can see, this is a current sid system.

Running "/usr/bin/make-ssh-known-hosts $my.local.net" fails here, which
I had initially thought might be due to bind9, however...
"/usr/bin/make-ssh-known-hosts debian.org" says:
# Domain = debian.org, server = samosa.debian.org.
# Found 0 hosts, 0 CNAMEs (total 5 lines)
# SOA = 0
when run on this sid box.  Unless samosa is running bind9, that isn't
the culprit and bind9 was a red herring.  (I mention this to save your
going down the same road during diagnosis.)

Installing sid's 1:2.3.0p1-1.13 on a current woody box (since security
fixes take TOO LONG to trickle down to woody, imo) and running the same
command line gives:
# Domain = debian.org, server = samosa.debian.org
# Found 72 hosts, 60 CNAMEs (total 241 lines)
# SOA = samosa hostmaster ( 2001021101 3h 1h 1w 3h )
(and more, which I aborted, for obvious reasons.)

Obviously the problem is running-on-woody vs running-on-sid, and since
the ssh version is identical on each here, it seems *likely* that the
current ssh doesn't cooperate with current-sid-perl.  (I think we've also
just proven that it's not bind9, since samosa's named is constant there.)

The woody box has the following, for comparison, if this aids in your diagnosis:
ii  bind           8.2.3-0.potato Internet Domain Name Server
ii  perl-5.005     5.005.03-7.1   Larry Wall's Practical Extracting and Report
ii  perl-5.005-bas 5.005.03-7.1   The Pathologically Eclectic Rubbish Lister
ii  perl-base      5.004.05-1.1   Fake package assuring that one of the -base

I'm not positive it's a perl issue, though it seems likely since it is
a perl script and the perl versions do differ, but not the script itself.

In any case, "current sid ssh" on a "current sid system" doesn't work,
so I'm filing this against ssh for now.

-- System Information
Debian Release: post-2.2
Kernel Version: Linux phoenix 2.4.1 #1 Sat Feb 3 10:14:17 UTC 2001 i586 unknown

Versions of the packages ssh depends on:
ii  libc6          2.2.1-3        GNU C Library: Shared libraries and Timezone
ii  libpam-modules 0.72-12        Pluggable Authentication Modules for PAM
ii  libpam0g       0.72-12        Pluggable Authentication Modules library
ii  libssl096      0.9.6-1        SSL shared libraries
ii  libwrap0       7.6-7          Wietse Venema's TCP wrappers library
ii  zlib1g         1.1.3-12       compression library - runtime

----- End forwarded report -----

-- 
Please (OpenPGP) encrypt all mail whenever possible. Request the following
Public Keys for Lazarus Long <lazarus@overdue.dhis.net>

  Type    Bits/KeyID    Fingerprint                   DSA KeyID: vvvv vvvv
ElGamal: 2048g/21ED0589 F635 6388 2D82 B8FA CE77  2789 D5F4 F28D 8DD0 5745
(2000 keys)
ElGamal: 2048g/92F6493B 2C55 E967 278B 4E8B D25B  F5F3 352B 9B0E 32C3 3BA4
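The report's security point is that a host-key collection tool which quietly reports "Found 0 hosts" leaves a known_hosts file that protects nothing, so the empty result should be treated as an error rather than a success. The following is an added example (not the make-ssh-known-hosts script, nor any code from the report) of what such a sanity check looks like: it parses a constructed zone listing in a simple "name IN A addr" / "name IN CNAME target" form (an assumed input format, not taken from the report), prints the same style of summary line the report quotes, and refuses to accept an inventory with lines received but no hosts parsed. The domain, record data and function names are all constructed for the example.

```python
"""Sanity-check a host inventory collected for ssh known_hosts generation.

Added example, not the make-ssh-known-hosts script. The zone listing format
("name IN A addr" / "name IN CNAME target") is an assumption for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample zone listings. The first stands in for the run that
# found records, the second for the run that saw lines but parsed nothing.
ZONE_OK = """\
; constructed zone listing for example.test
example.test.      IN SOA   ns.example.test. hostmaster.example.test. ( 2001021101 3h 1h 1w 3h )
ns.example.test.   IN A     192.0.2.1
www.example.test.  IN A     192.0.2.2
mail.example.test. IN A     192.0.2.3
ftp.example.test.  IN CNAME www.example.test.
"""

ZONE_EMPTY = """\
; constructed listing in which nothing matches a host record
; line 2
; line 3
; line 4
; line 5
"""

# Matches "<name> [ttl] [IN] <A|AAAA|CNAME> <rdata>"; other record types are skipped.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>A|AAAA|CNAME)\s+(?P<rdata>\S+)",
    re.IGNORECASE,
)


@dataclass
class Inventory:
    domain: str
    lines: int = 0
    hosts: dict = field(default_factory=dict)   # host name -> address
    cnames: dict = field(default_factory=dict)  # alias -> canonical name

    def summary(self) -> str:
        """Summary in the style the report quotes."""
        return (f"# Domain = {self.domain}\n"
                f"# Found {len(self.hosts)} hosts, {len(self.cnames)} CNAMEs "
                f"(total {self.lines} lines)")


def parse_zone_listing(domain: str, text: str) -> Inventory:
    """Collect A/AAAA hosts and CNAME aliases from a zone listing."""
    inv = Inventory(domain)
    for line in text.splitlines():
        inv.lines += 1
        m = RECORD_RE.match(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        rtype = m.group("type").upper()
        if rtype in ("A", "AAAA"):
            inv.hosts[name] = m.group("rdata")
        elif rtype == "CNAME":
            inv.cnames[name] = m.group("rdata").rstrip(".").lower()
    return inv


def check_inventory(inv: Inventory):
    """Return (ok, reason). Zero hosts is a failure, never an empty success."""
    if inv.lines == 0:
        return False, "no data received from the name server"
    if not inv.hosts:
        return False, (f"{inv.lines} lines received but no host records parsed; "
                       "refusing to write an empty known_hosts")
    dangling = [a for a, t in inv.cnames.items() if t not in inv.hosts]
    if dangling:
        return True, f"ok, but {len(dangling)} CNAME(s) point outside the host list"
    return True, "ok"


if __name__ == "__main__":
    for label, text in (("good run", ZONE_OK), ("empty run", ZONE_EMPTY)):
        inv = parse_zone_listing("example.test", text)
        ok, reason = check_inventory(inv)
        print(f"--- {label}\n{inv.summary()}\n{'OK' if ok else 'FAIL'}: {reason}")
```

The check is deliberately placed between collection and writing the file: a tool in this position should exit non-zero on an empty inventory so that the caller never ends up with a "successfully generated" known_hosts that contains no keys.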
