*BSD News Article 89225



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!spool.mu.edu!howland.erols.net!newsxfer3.itd.umich.edu!newsfeed.internetmci.com!news.bayarea.net!baygate.bayarea.net!thorpej
From: thorpej@baygate.bayarea.net (Jason R. Thorpe)
Newsgroups: comp.unix.bsd.netbsd.misc,comp.security.unix
Subject: OpenBSD hides security fixes (and blindly integrates code)
Date: 16 Feb 1997 06:37:20 GMT
Organization: George's NetBSD answer man
Lines: 50
Message-ID: <5e69v0$1u4@news.bayarea.net>
References: <none-ya023480001912962244220001@news.infi.net> <DERAADT.97Feb15155022@zeus.pacifier.com> <5e5vkb$d89@panix2.panix.com> <DERAADT.97Feb15212032@zeus.pacifier.com>
NNTP-Posting-Host: baygate.bayarea.net
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:5387 comp.security.unix:31776

In article <DERAADT.97Feb15212032@zeus.pacifier.com>,
Theo de Raadt <deraadt@theos.com> wrote:

>Really, security has very little to do with a kernel that cold-resets
>the machine at boot.  The code wasn't committed until it worked.  That
>took a while, of course.

That is a false statement.  I just checked, via your anoncvs service.
The bug in question was committed to the OpenBSD source tree in revision
1.5, and was removed 8 weeks later in revision 1.7.

The issue here is that you or one of your developers committed code
without even looking at it.

...and, again, roughly two weeks later, another revision of the file was
committed, leaving the bug in place.

How many other places could this have happened in your tree?  How many
trojan horses have you or your developers committed to the OpenBSD
source tree simply out of carelessness?

While I don't approve of this hack being done, it raises the question
of whether OpenBSD can rightfully claim to be secure.

>The issue is not about how we go about integrating NetBSD code.  The
>issue is how NetBSD goes about trying to make it harder for us to
>integrate the code.

Firstly, it is not the NetBSD Project's job to make it easy for
you to integrate code.

Secondly, the OpenBSD project does not exactly go out of their way to
make it easy for others to integrate the "security" fixes.  One such
example is OpenBSD's src/usr.bin/rsh/rsh.c, where an apparent security
fix was committed in a revision containing the following log message:

----------------------------
revision 1.5
date: 1996/07/22 10:09:04;  author: deraadt;  state: Exp;  lines: +2 -7
rcsid cleanup
----------------------------

The change was to drop the effective uid set by exec'ing rsh.  (One
has to wonder _why_ this was done, given that the code path just
does and exec's rlogin, which is setuid-root anyhow...)

Care to explain?

	-- Jason R. Thorpe <thorpej@bayarea.net>