Man, what a week.
Last week was, in theory, an extra-short week. Monday was an Easter holiday and Friday was Anzac Day (a national holiday here in Oz). It should have been an easy week.
It all turned pear-shaped on Wednesday. It involved what should have been a relatively simple software upgrade. There wasn't any single major problem but a series of minor ones that blew it out into a 24-hour work day. I crawled into bed at 9am Thursday and slept most of the day.
If that wasn't enough, on Friday a report arrived that my OpenSSH AIX packages had a linkage problem that caused them to look in the current directory before the system directories. This would have been merely annoying for regular binaries, but since some of the binaries are setuid root, creating a fake library (libc, for example) in the current directory and running one of the setuid binaries, an unprivileged user could get root. Gadzooks!
Worse, investigation showed that the problem was not limited to my binaries but would be generated by any version of OpenSSH on AIX when compiled with gcc. If you use AIX and have an OpenSSH compiled with gcc, including mine, go upgrade them right now. I'll wait.
I did some more reading (the best info I found was a proftpd readme) and checked the older releases. Convinced that it was a real problem, I wrote a quick patch to set sane compiler flags, which I included in a report to the OpenSSH core team.
I spent a good part of the weekend exchanging emails, and testing the patch. I found that it didn't work with gcc when configured with gas, which was fixed and another patch released. I also pulled the vulnerable binaries from my page and put up replacements.
This is the first time I've been involved in this type of security advisory (before the event, anyway), and it feels like walking a tightrope: notifying the people who need to know balanced against notifying too many and risking the details getting out; getting enough test coverage of the proposed fix balanced against the risk of shipping a broken patch.