Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!spool.mu.edu!howland.erols.net!newsxfer3.itd.umich.edu!newsfeed.internetmci.com!news.bayarea.net!baygate.bayarea.net!thorpej From: thorpej@baygate.bayarea.net (Jason R. Thorpe) Newsgroups: comp.unix.bsd.netbsd.misc,comp.security.unix Subject: OpenBSD hides security fixes (and blindly integrates code) Date: 16 Feb 1997 06:37:20 GMT Organization: George's NetBSD answer man Lines: 50 Message-ID: <5e69v0$1u4@news.bayarea.net> References: <none-ya023480001912962244220001@news.infi.net> <DERAADT.97Feb15155022@zeus.pacifier.com> <5e5vkb$d89@panix2.panix.com> <DERAADT.97Feb15212032@zeus.pacifier.com> NNTP-Posting-Host: baygate.bayarea.net Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:5387 comp.security.unix:31776 In article <DERAADT.97Feb15212032@zeus.pacifier.com>, Theo de Raadt <deraadt@theos.com> wrote: >Really, security has very little to do with a kernel that cold-resets >the machine at boot. The code wasn't commited until it worked. That >took a while, of course. That is a false statement. I just checked, via your anoncvs service. The bug in question was committed to the OpenBSD source tree in revision 1.5, and was removed 8 weeks later in revision 1.7. The issue here is that you or one of your developers committed code without even looking at it. ...and, again, roughly two weeks later, another revision of the file was committed, leaving the bug in place. How many other places could this have happened in your tree? How many trojan horses have you or your developers committed to the OpenBSD source tree simply out of carelessness? While I don't approve of this hack being done, it raises the question of whether OpenBSD can rightfully claim to be secure. >The issue is not about how we go about integrating NetBSD code. The >issue is how NetBSD goes about trying to make it harder for us to >integrate the code. Firstly, it is not the NetBSD Project's job to make it easy for you to integrate code. Secondly, the OpenBSD project does not exactly go out of their way to make it easy for others to integrate the "security" fixes. One such example is OpenBSD's src/usr.bin/rsh/rsh.c, where an apparent security fix was committed in a revision containing the following log message: ---------------------------- revision 1.5 date: 1996/07/22 10:09:04; author: deraadt; state: Exp; lines: +2 -7 rcsid cleanup ---------------------------- The change, was to drop the effective uid set by exec'ing rsh. (One has to wonder _why_ this was done, given that the code path just does and exec's rlogin, which it setuid-root anyhow...) Care to explain? -- Jason R. Thorpe <thorpej@bayarea.net>