Package: openssh-server Version: 1:8.9p1-2.1 Severity: important Tags: patch
Dear Maintainer, After accepting an ssh connection, the sshd process is killed and I see the following in dmesg: audit: type=1326 audit(1645794361.669:40): auid=0 uid=100 gid=65534 ses=1 subj==unconfined pid=8338 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7ee3559 code=0x0 Sysycall 414 is ppoll_time64, so I'm guessing this is fallout from ongoing 2038 fixes. The attached patch fixes this by adding ppoll_time64 the seccomp sanbox filters, which seems reasonable as ppoll is already allowed. -- System Information: Debian Release: bookworm/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 5.16.0-2-686-pae (SMP w/1 CPU thread; PREEMPT) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openssh-server depends on: ii adduser 3.118 ii debconf [debconf-2.0] 1.5.79 ii dpkg 1.21.1 ii init-system-helpers 1.62 ii libaudit1 1:3.0.7-1 ii libc6 2.33-7 ii libcom-err2 1.46.5-2 ii libcrypt1 1:4.4.27-1.1 ii libgssapi-krb5-2 1.19.2-2 ii libkrb5-3 1.19.2-2 ii libpam-modules 1.4.0-11 ii libpam-runtime 1.4.0-11 ii libpam0g 1.4.0-11 ii libselinux1 3.3-1+b1 ii libssl1.1 1.1.1m-1 ii libsystemd0 250.3-2 ii libwrap0 7.6.q-31 ii lsb-base 11.1.0 ii openssh-client 1:8.9p1-2.1 ii openssh-sftp-server 1:8.9p1-2 ii procps 2:3.3.17-6 ii runit-helper 2.10.3 ii ucf 3.0043 ii zlib1g 1:1.2.11.dfsg-2 Versions of packages openssh-server recommends: ii libpam-systemd [logind] 250.3-2 pn ncurses-term <none> ii xauth 1:1.1-1 Versions of packages openssh-server suggests: ii molly-guard 0.7.2 pn monkeysphere <none> pn ssh-askpass <none> pn ufw <none> -- debconf information: ssh/insecure_telnetd: ssh/vulnerable_host_keys: * ssh/use_old_init_script: true ssh/new_config: true ssh/insecure_rshd: * openssh-server/permit-root-login: true ssh/disable_cr_auth: false openssh-server/password-authentication: false ssh/encrypted_host_key_but_no_keygen:
diff -ur clean/sandbox-seccomp-filter.c openssh-8.9p1/sandbox-seccomp-filter.c --- clean/sandbox-seccomp-filter.c 2022-02-23 11:31:11.000000000 +0000 +++ openssh-8.9p1/sandbox-seccomp-filter.c 2022-02-25 13:16:17.319892443 +0000 @@ -273,6 +273,9 @@ #ifdef __NR__newselect SC_ALLOW(__NR__newselect), #endif +#ifdef __NR_ppoll_time64 + SC_ALLOW(__NR_ppoll_time64), +#endif #ifdef __NR_ppoll SC_ALLOW(__NR_ppoll), #endif