http://bugs.gentoo.org/119966
http://lists.lysator.liu.se/pipermail/lsh-bugs/2006q1/000467.html

From: Niels Möller nisse at lysator.liu.se
Date: Fri Jan 20 17:44:07 CET 2006
Subject: SECURITY: lshd leaks fd:s to user shells

Stefan Pfetzing noticed that lshd leaks a couple of file descriptors, related to the randomness generator, to user shells which are started by lshd. This is a security problem, in at least two ways:

* A user can truncate the server's seed file, which may prevent the server from starting.

* By reading the file, a user can get information that may be useful for cracking other users' session keys, as well as public keys that are generated from the disclosed seed file. (To understand what the impact is, one must understand how yarrow generates and uses the seed file. My initial analysis is that reading the seed-file is advantageous only if it is read just prior to the start of some process using the seed for initialization.)

This is a local hole. It provides for fairly easy denial of service by local users, and with some more effort, maybe also cracking of session keys.

The below patch, relative to lsh-2.0.1, seems to solve the problem. After applying the patch, you should remove and then regenerate the server's seed file (since users may still have open fd:s), and restart lshd.

I hope to be able to put together a new release sometime next week. I'll be off-line over the weekend. In the meantime, feel free to inform other distributors and appropriate security fora about the problem.
Sorry for the inconvenience,
/Niels

*** src/unix_random.c.~1.17.~ 2004-11-17 22:13:27.000000000 +0100 --- src/unix_random.c 2006-01-20 14:26:05.000000000 +0100 *************** *** 258,263 **** --- 258,264 ---- if (self->device_fd < 0) return 0; + io_set_close_on_exec(self->device_fd); self->device_last_read = now; } *************** *** 381,386 **** --- 382,388 ---- return NULL; } + io_set_close_on_exec(self->seed_file_fd); trace("random_init, reading seed file...\n"); if (!read_initial_seed_file(&self->yarrow, self->seed_file_fd))
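Review bot: in the first hunk, `io_set_close_on_exec(self->device_fd);` is applied only after the descriptor passes the `self->device_fd < 0` check, so the flag is set some time after the open rather than at open time; in a single-threaded server that is safe as long as no child is spawned in between, and a one-line comment stating that invariant would make it explicit. If `io_set_close_on_exec` can fail, its return value should be checked here instead of being dropped.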
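Review bot: in the second hunk the flag is set on `self->seed_file_fd` immediately after the open succeeds (right after the `return NULL;` error path), which is the right place; the same has to hold for any later reopen of the seed file, so it is worth confirming that this is the only place `seed_file_fd` is assigned. The instruction in the message to delete and regenerate the seed file after upgrading (because users may still hold open descriptors) is a required upgrade step and belongs in the release notes with this change, not only in the announcement.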
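The bug above is the generic one of a long-lived descriptor surviving fork()+exec() into an unprivileged child. The following is an added example, not lsh code: `set_close_on_exec()` is a stand-in for lsh's `io_set_close_on_exec()` (assumed to set FD_CLOEXEC with fcntl, which the patch does not show), `count_inheritable_fds()` is an audit a server can run just before spawning a user process, and `fd_leaks_across_exec()` demonstrates the leak and the fix by exec'ing /bin/sh and having it try to write through a pipe descriptor that was either left alone or marked close-on-exec.

```c
/* Added example (not lsh code): why a descriptor without FD_CLOEXEC survives
 * fork()+exec() into a user shell, and the fix applied by the patch above.
 * set_close_on_exec() is an assumed stand-in for lsh's io_set_close_on_exec(). */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd so the kernel closes it when the process exec()s a new image.
 * Returns 0 on success, -1 on failure (the caller should not ignore it). */
int set_close_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Audit helper: count descriptors above stderr that are open and lack
 * FD_CLOEXEC, i.e. would be inherited by an exec'd child.  A server can call
 * this right before starting a user session; anything above 0 is a leak. */
int count_inheritable_fds(int max_fd)
{
    int n = 0;
    for (int fd = 3; fd <= max_fd; fd++) {
        int flags = fcntl(fd, F_GETFD);   /* -1/EBADF for a closed fd */
        if (flags >= 0 && !(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

/* Probe: create a pipe, optionally protect the write end with FD_CLOEXEC,
 * then exec /bin/sh (as a server would for a user shell) and let it try to
 * write through that descriptor number.  Returns 1 if the shell could write
 * (descriptor leaked), 0 if it could not, -1 on setup failure. */
int fd_leaks_across_exec(int protect)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    if (set_close_on_exec(p[0]) < 0)          /* read end is never for the child */
        return -1;
    if (protect && set_close_on_exec(p[1]) < 0)
        return -1;

    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo probe >&%d", p[1]);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY); /* silence sh's EBADF message */
        if (devnull >= 0)
            dup2(devnull, STDERR_FILENO);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(p[1]);                               /* parent keeps only the read end */

    char buf[32];
    ssize_t total = 0, r;
    while ((r = read(p[0], buf + total, sizeof buf - 1 - total)) > 0)
        total += r;                            /* EOF once the child has exited */
    buf[total] = '\0';
    close(p[0]);

    int status;
    waitpid(pid, &status, 0);
    return strncmp(buf, "probe", 5) == 0 ? 1 : 0;
}

/* Self-check of the audit: opening a file without the flag raises the count
 * by one, setting the flag brings it back.  Returns 1 if both hold. */
int leak_found_and_fixed(void)
{
    int before = count_inheritable_fds(256);
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return 0;
    int seen = count_inheritable_fds(256) == before + 1;
    int fixed = set_close_on_exec(fd) == 0 && count_inheritable_fds(256) == before;
    close(fd);
    return seen && fixed;
}

int main(void)
{
    printf("unprotected pipe reachable from exec'd shell: %d\n", fd_leaks_across_exec(0));
    printf("FD_CLOEXEC pipe reachable from exec'd shell:  %d\n", fd_leaks_across_exec(1));
    printf("audit sees leak and its fix: %d\n", leak_found_and_fixed());
    return 0;
}
```

The probe reports 1 for the unprotected pipe and 0 once the write end carries FD_CLOEXEC, which is exactly the difference the two hunks make for `device_fd` and `seed_file_fd`; the audit function is the kind of check that would have caught this before the shell was started, and it is cheap enough to run on every spawn in debug builds.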