Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <633ff42d-052a-df7b-dc34-6264e9d4eb77@gmail.com>
Date: Fri, 21 Jul 2023 11:04:49 +1000
From: Matthew Fernandez <matthew.fernandez@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Announce: OpenSSH 9.3p2 released



On 7/20/23 23:41, Sevan Janiyan wrote:
> On 20/07/2023 14:24, Demi Marie Obenour wrote:
>> Should there be a system-wide configuration file containing a list of 
>> known-good PKCS#11 libraries? ssh-agent having to guess if something 
>> is a PKCS#11 library is less than awesome.
> 
> There's a compile time setting for paths from which you are able to load 
> libraries from.

I don’t think this helps much though, right? The Qualys research that 
motivated this found an exploit chain using only libs present in 
/usr/lib in a default Ubuntu install. If you want to lock down loading 
to a specific non-/usr/lib path that you have control over, this 
suggests you know and are in control of the PKCS#11 providers you’re 
going to support. In which case, why not avoid dynamic loading to begin 
with? I guess the allowlist and new defaults are the answer to this 
conundrum though.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.