Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote Root Exploit In lsh

Posted by timothy on from the harsh-eye dept.

skookum writes "After last week's OpenSSH patch-fest, a lot of people suggested GNU lsh as a replacement. Unfortunately, it seems that the lsh team has recently discovered a heap overflow bug of their own that can lead to compromise. An exploit was posted to BugTraq two days ago. Happy patching."

5 of 445 comments (clear)

  1. That's it by Anonymous Coward · · Score: 5, Funny

    I am switching to a vendor, who takes security seriously. Enough of this patching crap.

  2. That is it I quit by Anonymous Coward · · Score: 5, Funny

    Between MS worms, SSH, and this I am throwing down my keyboard...

    Oh wait is that a new slashdot article?

    I might be able to get first post...

  3. Re:Another forum for bashing Microsoft by UserGoogol · · Score: 5, Funny
    And this, my friends, is why software should never be popular. Use OpenBSD!

    Warning. The preceeding has been detected by Slashdot to contain sarcasm. OpenBSD is, of course, wonderful. Unlike those commies using FreeBSD.
    --The Management

    --
    "Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
  4. Re:Can someone explain to me why.. by lcs · · Score: 5, Informative

    I, like the author of lsh, is a member of the same
    computer society, Lysator, and I happen to remember
    reading about the early lsh developments.

    It was started in August 1998, and that's as far
    as I know, several months if not years before
    OpenSSH was started.

  5. Re:Telnet by TomV · · Score: 5, Insightful

    Why the hell not? Good bridges are the ones that don't fall down

    That's not the same as saying that good bridges have no faults. Bridges are built with a large safety factor. A large amount of the steel wire in the Brooklyn Bridge cables is hideously substandard, slipped in there by a currupt subcontractor. But because the safety factors were in place, even though the cables are probably about 5/6 as strong as they were designed to be, because they were designed to be 4 times as strong as strictly necessary, the Brooklyn Bridge is still there today. They paid for a lot more steel than strictly necessary, but they were proved right to have done so.

    The bridge is Verifiably Strong Enough, but it certainly isn't Fault-Free. It was a product of defensive engineering, and software containing the inevitable bugs can be made much safer by taking a defensive approach to programming. It's better not to have an out-of-bounds situation at all, but that's no reason not to do bounds-checking wherever an OOB might pose a hazard. Yes it costs money to code all those extra checks, but that's what engineers do in most other disciplines.

    TomV