Subject: Re: FreSSH
To: None <current-users@netbsd.org>
From: None <xs@kittenz.org>
List: current-users
Date: 03/08/2002 10:51:23
On Thu, Mar 07, 2002 at 11:48:38PM -0500, Michael G. Schabert wrote:
> C'mon, David, you know better than that. No program greater than a 
> hundred lines or so can have active development *and* be bug-free 
> every second. Every substantial program on the planet has had bugs 
> during its development. We still ship with sendmail too, and that has 
> had *far* more exploitable bugs than OpenSSH.
>
> No, you don't have to be prepared on a day's notice. The same could 
> be said the day after every security advisory for every utility 
> is released. Heck, according to this advisory it has existed since 
> version 2.0 without anyone ever noticing.

OpenSSH 2.0 shipped on 15 June 2000. I suspect the bug was not spotted
because it was in the bounds checking, which "should be right".
It's like seeing some code that uses strlcpy() and assuming strlcpy()
honours the length argument correctly.
No one is perfect, I agree. But maybe more could be done to minimize the
effect of such a mistake.

Even if OpenSSH were written in a higher level language, vulnerabilities
would still occur (e.g. CGI scripts and PHP), and if it still ran with
root privileges most of the time, those vulnerabilities would still be
just as troublesome.

I think it might be nice to have an sshd that isn't one huge, monolithic
blob. AFAIK, you can't chroot sshd itself or parts of it without a patch.
The only UID/GID it can change to is either of the user that is logging in
or root. Obviously it can't change to the UID/GID of the user logging in
until after authentication.
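The containment the message is asking for, as an added C example that is not part of OpenSSH or of this thread: a hypothetical helper that confines a process to a directory and then drops root permanently, in the order that actually works (chroot, then chdir, then supplementary groups, then gid, then uid), plus a check that the drop really took. The function names and the ordering rationale are my own; the chroot step needs root and is only exercised by main when run that way.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop privileges permanently to uid/gid. Order matters: supplementary
 * groups and gid must be changed while still root, because once uid is
 * non-root, setgroups() and setgid() are no longer permitted. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may clear the supplementary group list; an
         * unprivileged process simply keeps the groups it already has. */
        if (setgroups(0, NULL) != 0) return -1;
    }
    if (setgid(gid) != 0) return -1;   /* gid first, while still root */
    if (setuid(uid) != 0) return -1;   /* uid last; setuid() as root sets real,
                                          effective and saved uid together */
    return 0;
}

/* Confine to a directory, then drop privileges. chdir("/") after chroot()
 * is required: without it the cwd stays outside the new root. Needs root. */
int confine_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0) return -1;
    if (chdir("/") != 0) return -1;
    return drop_privileges(uid, gid);
}

/* Verify the drop: every id matches the target and, for a non-root
 * target, the process can no longer switch back to root (a leftover saved
 * uid of 0 would let setuid(0) succeed). Returns 1 if fully dropped. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;   /* root is still reachable */
    return 1;
}

int main(void)
{
    /* Constructed demo: as root, confine to /var/empty and drop to uid/gid
     * 65534 (nobody on many systems); otherwise just re-set our own ids. */
    int rc = (geteuid() == 0) ? confine_and_drop("/var/empty", 65534, 65534)
                              : drop_privileges(getuid(), getgid());
    printf("drop rc=%d, dropped=%d\n", rc,
           privileges_dropped(getuid(), getgid()));
    return rc == 0 ? 0 : 1;
}
```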