[24654] in bugtraq
OpenSSH rebuild warning: problems avoiding zlib problems in
daemon@ATHENA.MIT.EDU (Michael Leo)
Tue Mar 12 23:37:55 2002
Message-Id: <4.3.2.7.2.20020312175352.032c4328@127.0.0.1>
Date: Tue, 12 Mar 2002 18:03:13 -0600
To: bugtraq@securityfocus.com
From: Michael Leo <mleo@cariboulake.com>
In-Reply-To: <20020312095407.25654.qmail@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Gang,
OK, so there might be a way to exploit the zlib problems in OpenSSH.
I have primarily Solaris 7 & 8 systems, and I decided to build a new zlib
(in /usr/local/lib) and rebuild OpenSSH.
Following the directions in OpenSSH, I used a configure command
like this:
./configure --with-zlib=/usr/local
However, the resulting binaries still use Solaris' own copy of
of libz.so in /lib. Here is the ldd output of the new binary:
% ldd ssh
libz.so => /lib/libz.so
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libc.so.1 => /lib/libc.so.1
libdl.so.1 => /lib/libdl.so.1
libmp.so.2 => /lib/libmp.so.2
/usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
%
Modifying LD_LIBRARY_PATH does not seem to help.
I have to dig into the makefiles, but I thought people might
want to know.
Replacing the Solaris /lib/libz.so library is undesirable, at least
at our site.
Convincing the OpenSSH build to use the PROPER libz in /usr/local/lib
is apparently no easy task.
Hope this helps,
Michael Leo mleo@cariboulake.com Java, Oracle
Caribou Lake Software http://www.cariboulake.com Ingres, JDBC
JSockets/JMobility: Tunnelling sockets over HTTP - REALLY!
