Jeremy Chadwick wrote:
On Mon, Jun 24, 2013 at 03:36:24PM -0700, Xin Li wrote:
On 06/24/13 15:11, Miroslav Lachman wrote:
[...]
The patch seems really simple and I know how to apply it, but I am
not able to compile and install only the fixed sftp command instead of
the whole userland. Can you push me in the right direction?
I think you can go to /usr/src/secure/usr.bin/sftp and do:
make depend
make
Then, as root:
make install
Thank you! I didn't know I must be in /usr/src/secure/usr.bin/sftp
I tried your patch and can confirm it works for me!
I usually do a full world build to make sure that this doesn't break
something else but this change should only affect sftp(1).
I'm going to make this real simple:
Is the problem with symlinks in the client (sftp(1)), in the server
(sftp-server(8)), or both? The impression I get from the original post
that started this thread is that it's in the server part.
No, it is the problem on the client side. The server side in all cases
is good old OpenSSH 5.4 on FreeBSD 8.3. Only the newer sftp client is
broken and this bug is really fixed by the patch provided by Xin Li.
We tried OpenSSH 6.2 client side from Mac OS X and it is broken too.
The same applies to openssh-portable from ports (openssh-portable-6.2.p2_3,1)
So, I believe he'd want to poke about in src/secure/libexec/sftp-server.
However, that may not be enough, due to the fact that sftp-server(8)
depends on (links to) libssh.so.X, libcrypt.so.X, and libcrypto.so.X. I do
not know where the actual broken code lies.
Someone on -security might know exactly what all needs to be built/what
commands need to be run, but I will tell you this up front:
The official security announcements for SSL or SSH-related things have
historically told people to build world. I went and read the mailing
list archives for -security-announcements and found proof/examples of
this fact when issues pertain to SSL or SSH.
My recommendation is just to build world. Don't risk it -- this is a
key piece of your system, all you're trying to do is save some time.
Don't. Just build/install world and don't screw around.
I understand your concern and I will rebuild world if the patch changes
anything in the server part, but this is really just a fix in the sftp client
command and I want to try it quickly and to have a quick path to go back
to the original version of the sftp command.
This is on a testing machine anyway, I will not do this on production
machines.
Miroslav Lachman