Is OpenSSH vulnerable to the ZLIB problem or isn't it?

Theo de Raadt deraadt at cvs.openbsd.org
Thu Apr 4 06:01:24 EST 2002


> On Wed, Apr 03, 2002 at 12:34:08PM -0700, Theo de Raadt wrote:
> > > On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> > > > I'm disappointed that nobody has replied to my question.  OpenSSH
> > > > development team, isn't the potential for a remote root exploit something
> > > > that's important to you?  Many other tools that use zlib have issued a
> > > > public statement saying they are or they are not vulnerable.
> > > 
> > > do you have an exploit? what would it look like?  what would it do?
> > > sorry, i'm not writing exploits, so i have no idea how such an exploit
> > > should work. however, compress.c now has some code that should
> > > prevent a double free from zlib.
> > 
> > Please go read www.openbsd.org/security.html
> 
> That's wonderful, it has a statement on the zlib bug.  The corresponding
> page at www.openssh.org/security.html, however, does not.  That's all I'm
> asking for.

That statement is about OpenBSD, not about OpenSSH.

I wanted you to read the rest.  About how we find and fix bugs, and do
not do exploitability testing:

> > We do not do exploitability checking.
> > 
> > Many groups on the net do, and I feel they waste their time greatly
> > doing so, instead of just fixing their code.
> 
> I'm not asking for a detailed check, just a quick educated opinion from the
> people who know the code best.

We know there is a bug.  We do not know what exact code causes these
bugs.  Our educated opinion is that there was a bug.  We will go no
further, since we do not know.

Or, should I?  In my educated opinion, we probably fixed another
critical bug in the last week.  Is it a hole?  In my educated opinion,
it is quite likely that we have fixed something which could have
disastrous side effects.  And yes, I am for real.  That is how it works,
and I am sure you know that is how it works.

> > As a user, do what you should naturally do.  Assume so.  And upgrade.
> > I mean, what is the problem?  A bug has been fixed.  A new release is
> > out.  Upgrade.
> 
> Please post a recommendation to do that then.

No, I do not think that is needed.

I could go further and say that systems which have weak mallocs which
do not handle this, are broken.  How many more double free holes are
we going to see before some of these systems fix their mallocs?

> > We simply do not do software release management in the
> > way you want us to, and we never will.  Why hold us accountable to do
> > things in a stupid way which it is clear every single company on the
> > planet does not follow either?
> >
> > Why should we be better, when we are unfinanced, volunteer based, and
> > such?
> 
> I'm not asking you to do that.  I do that for openssh binaries for a lot
> of people, and I'd just like some advice on whether or not it's worth
> initiating my process to get all my users to upgrade.

I've heard you are an intelligent person capable of making your own
decisions, and I think you can make this decision on your own.
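The remark above about mallocs that do not handle a double free, as an added example that is not code from the thread, from OpenSSH or from zlib: a small C free() wrapper that keeps a table of live allocations and refuses a second free of the same pointer, the kind of check a hardened allocator performs on behalf of callers that hit a bug like the zlib one. All names (tracked_malloc, tracked_free, simulate_double_free) are hypothetical.

```c
#include <stdlib.h>

/* Added example: a free() wrapper that tracks live allocations so a second
 * free of the same pointer is refused and counted instead of corrupting the
 * heap.  Names are hypothetical; this is not OpenSSH or zlib code. */

#define MAX_LIVE 64

static void *live[MAX_LIVE];         /* pointers currently allocated */
static size_t live_count;
static unsigned long double_free_count;

/* Allocate and record the pointer; fail if the table is full so every
 * returned pointer is guaranteed to be tracked. */
void *tracked_malloc(size_t n)
{
    if (live_count >= MAX_LIVE)
        return NULL;
    void *p = malloc(n);
    if (p != NULL)
        live[live_count++] = p;
    return p;
}

/* Return 1 if p was live and has now been freed, 0 if it was not live
 * (already freed or unknown): the second free is refused, not performed. */
int tracked_free(void *p)
{
    if (p == NULL)
        return 1;                      /* free(NULL) is a no-op */
    for (size_t i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];  /* swap-remove from the table */
            free(p);
            return 1;
        }
    }
    double_free_count++;
    return 0;
}

unsigned long tracked_double_free_count(void) { return double_free_count; }

/* Simulate a library freeing its state in its own cleanup and the caller
 * freeing it again: returns 1 when the second free was caught, -1 on OOM. */
int simulate_double_free(void)
{
    void *state = tracked_malloc(32);
    if (state == NULL)
        return -1;
    tracked_free(state);               /* library cleanup */
    return tracked_free(state) ? 0 : 1; /* caller frees again: refused */
}
```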
