Is OpenSSH vulnerable to the ZLIB problem or isn't it?

Dan Kaminsky dan at doxpara.com
Thu Apr 4 08:00:56 EST 2002 

> We know there is a bug.  We do not know what exact code causes these
> bugs.  Our educated opinion is that there was a bug.  We will go no
> further, since we do not know.
>
> Or, should I?  In my educated opinion, we probably fixed another
> critical bug in the last week.  Is it a hole?  In my educated opinoin,
> it is quite likely that we have fixed something which could have
> disastrous side effects.  And yes, I am for real.  That is how it works,
> and I am sure you know that is how it works.

Interestingly enough, I was a bit annoyed to hear about a remote root
compromise in OpenSSH when it remained "just a possibility".  It's kind of
funny to see the difference in Theo's style vs. the corporate style:  Theo
presumes a major hole, even without absolute proof; SSH.Com and most other
corps presume no hole at all unless absolute proof is given.

I think the bottom line from the OpenSSH team seems to be "We don't need an
exploit to fix our bugs."  That other groups *do* require that exploit is
one of the prime reasons exploits generally need to be built.  Their
position certainly isn't unreasonable, and to be honest it's reflected
somewhat in the OpenSSH developers' annoyance at security reports that omit
*both* the exploit *and* any explanation for how it might work -- see the
reaction to CRC32 overflow claims.  Perfectly reasonable.

Life is full of imaginary risks; humans use direct example to calibrate
their fears.  Most people need that actual exploit to motivate them to fix
their code.  Theo's paranoid enough not to require that ;-)

As for whether users should upgrade -- emergency patching procedures are
generally warranted when there's an emergent condition.  Certainly it's
undeniable that an upgrade cycle should occur within a reasonable timeframe,
and it should be a global upgrade.  But I don't think there's a 24 hour
criticality to this, like there *would* be for your traditional Remote Root
announcement.  There's a very interesting argument which says that
widespread knowledge of vulnerabilities in the purely theoretical phase are
the convenient calm to upgrade within before the storm of exploits.

This is of course the reasonably obscure condition of a hole in a massively
shared library without any clear method of exploiting it.  Most
vulnerabilities translate more readily to immediate attacks.

Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

More information about the openssh-unix-dev mailing list