Call for testing: OpenSSH 6.8

Darren Tucker dtucker at
Sat Feb 28 05:04:20 AEDT 2015

On Fri, Feb 27, 2015 at 9:19 AM, Michael Felt <aixtools at> wrote:
> One problem coming directly is that the -L flag (-L/opt/libressl/lib is not
> being included in the -blibpath so the programs link, but do not run.
> I am sure there is a way for me to modify the blibpath - BUT - I ask you do
> consider inserting an openssl-dir path when it is not
> already in the blibpath variable.

There's a reason why it isn't: where that directory is writeable by a
non-root user it becomes a vector for local privilege escalation via
OpenSSH's setuid binaries.

Now that decision was made back in the day when OpenSSL's shared library
support was still considered experimental.  Maybe we could check that the
path is a) absolute and b) system-owned all the way down and add it to
blibpath if both are true.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list