https://bugzilla.mindrot.org/show_bug.cgi?id=2341
--- Comment #23 from Darren Tucker <[email protected]> ---

Comment from Ron Frederick on openssh-unix-dev@ (https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035584.html):

"""
Looking at this patch, it seems to me that it introduces a possible exploit. The new code calls stat() on whatever string is set as the display value, even before checking for display values that are meant to refer to remote network hosts. If "ssh" is run in a directory which happens to have a file/pipe/socket named to match one of those network display values, this new code would return that it should connect to this local socket rather than the remote host when doing the forwarding.

While checking for "/tmp/launch" as a prefix is a problem now that MacOS is putting these local sockets in paths starting with "/private/tmp/com.apple.launchd", I think this new code should at a minimum require that the path start with a leading "/" before treating it as a local socket and doing a stat() on it.
"""

Sorry but this is now too late for 7.4.
