subject:"Bug#941810\: buster\-pu\: package openssh\/1\:7.9p1\-10"

Bug#941810: buster-pu: package openssh/1:7.9p1-10

2019-10-07 Thread Salvatore Bonaccorso

Hi Colin,

On Sun, Oct 06, 2019 at 09:32:26PM +0200, Salvatore Bonaccorso wrote:
> Hi Colin,
> 
> On Sun, Oct 06, 2019 at 08:03:19PM +0100, Colin Watson wrote:
> > On Sun, Oct 06, 2019 at 04:22:23PM +0200, Salvatore Bonaccorso wrote:
> > > On Sat, Oct 05, 2019 at 10:39:29PM +0100, Colin Watson wrote:
> > > > https://bugs.debian.org/941663 reports an OpenSSH regression on old
> > > > kernels prompted by the interaction between an OpenSSL update and a
> > > > seccomp filter; https://bugs.debian.org/941665 and
> > > > https://github.com/openssh/openssh-portable/pull/149 have more details.
> > > > The patch is an easy one to cherry-pick, and I've attached the resulting
> > > > diff.  I'd like approval to upload it.
> > > > 
> > > > I'm not sure where's best to upload this to.  Although I've filed this
> > > > as a stable update request, there's an argument that perhaps it should
> > > > be issued through the same channels as the OpenSSL update
> > > > (stable-security and then copied to stable-proposed-updates, according
> > > > to https://tracker.debian.org/pkg/openssl), so I've CCed team@security.
> > > > Any advice?
> > > 
> > > Okay let's be on the safe side and update openssh for this functional
> > > regression via buster-security.
> > > 
> > > Can you adjust the changelog accordingly and upload to
> > > security-master? (Make sure to build with -sa, and to not include a
> > > _{arch}.buildinfo file in case you perform a source only upload).
> > 
> > Done.  I usually get something wrong in the mechanics of doing security
> > uploads, but maybe I got it right for once.
> 
> Looks good so far!
> 
> > I don't have a pre-3.19 system around to test this on, but I at least
> > made sure that an ordinary buster system (with 4.19) is fine.
> 
> I was able to reproduce the issue in a buster LXC container running on
> a host with < 3.19 kernel (specifically reproduced with a jessie
> host). Will double check the fixed packages as well in that setup.

Your update was released with DSA 4539-2.

So I think #941810 can now be closed as there is no action needed to
be taken for the next buster point release.

Thanks for your work!

Regards,
Salvatore

Bug#941810: buster-pu: package openssh/1:7.9p1-10

2019-10-06 Thread Salvatore Bonaccorso

Hi Colin,

On Sun, Oct 06, 2019 at 08:03:19PM +0100, Colin Watson wrote:
> On Sun, Oct 06, 2019 at 04:22:23PM +0200, Salvatore Bonaccorso wrote:
> > On Sat, Oct 05, 2019 at 10:39:29PM +0100, Colin Watson wrote:
> > > https://bugs.debian.org/941663 reports an OpenSSH regression on old
> > > kernels prompted by the interaction between an OpenSSL update and a
> > > seccomp filter; https://bugs.debian.org/941665 and
> > > https://github.com/openssh/openssh-portable/pull/149 have more details.
> > > The patch is an easy one to cherry-pick, and I've attached the resulting
> > > diff.  I'd like approval to upload it.
> > > 
> > > I'm not sure where's best to upload this to.  Although I've filed this
> > > as a stable update request, there's an argument that perhaps it should
> > > be issued through the same channels as the OpenSSL update
> > > (stable-security and then copied to stable-proposed-updates, according
> > > to https://tracker.debian.org/pkg/openssl), so I've CCed team@security.
> > > Any advice?
> > 
> > Okay let's be on the safe side and update openssh for this functional
> > regression via buster-security.
> > 
> > Can you adjust the changelog accordingly and upload to
> > security-master? (Make sure to build with -sa, and to not include a
> > _{arch}.buildinfo file in case you perform a source only upload).
> 
> Done.  I usually get something wrong in the mechanics of doing security
> uploads, but maybe I got it right for once.

Looks good so far!

> I don't have a pre-3.19 system around to test this on, but I at least
> made sure that an ordinary buster system (with 4.19) is fine.

I was able to reproduce the issue in a buster LXC container running on
a host with < 3.19 kernel (specifically reproduced with a jessie
host). Will double check the fixed packages as well in that setup.

Regards,
Salvatore

Bug#941810: buster-pu: package openssh/1:7.9p1-10

2019-10-06 Thread Colin Watson

On Sun, Oct 06, 2019 at 04:22:23PM +0200, Salvatore Bonaccorso wrote:
> On Sat, Oct 05, 2019 at 10:39:29PM +0100, Colin Watson wrote:
> > https://bugs.debian.org/941663 reports an OpenSSH regression on old
> > kernels prompted by the interaction between an OpenSSL update and a
> > seccomp filter; https://bugs.debian.org/941665 and
> > https://github.com/openssh/openssh-portable/pull/149 have more details.
> > The patch is an easy one to cherry-pick, and I've attached the resulting
> > diff.  I'd like approval to upload it.
> > 
> > I'm not sure where's best to upload this to.  Although I've filed this
> > as a stable update request, there's an argument that perhaps it should
> > be issued through the same channels as the OpenSSL update
> > (stable-security and then copied to stable-proposed-updates, according
> > to https://tracker.debian.org/pkg/openssl), so I've CCed team@security.
> > Any advice?
> 
> Okay let's be on the safe side and update openssh for this functional
> regression via buster-security.
> 
> Can you adjust the changelog accordingly and upload to
> security-master? (Make sure to build with -sa, and to not include a
> _{arch}.buildinfo file in case you perform a source only upload).

Done.  I usually get something wrong in the mechanics of doing security
uploads, but maybe I got it right for once.

I don't have a pre-3.19 system around to test this on, but I at least
made sure that an ordinary buster system (with 4.19) is fine.

-- 
Colin Watson   [cjwat...@debian.org]

Bug#941810: buster-pu: package openssh/1:7.9p1-10

2019-10-06 Thread Salvatore Bonaccorso

Hi Colin,

On Sat, Oct 05, 2019 at 10:39:29PM +0100, Colin Watson wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> https://bugs.debian.org/941663 reports an OpenSSH regression on old
> kernels prompted by the interaction between an OpenSSL update and a
> seccomp filter; https://bugs.debian.org/941665 and
> https://github.com/openssh/openssh-portable/pull/149 have more details.
> The patch is an easy one to cherry-pick, and I've attached the resulting
> diff.  I'd like approval to upload it.
> 
> I'm not sure where's best to upload this to.  Although I've filed this
> as a stable update request, there's an argument that perhaps it should
> be issued through the same channels as the OpenSSL update
> (stable-security and then copied to stable-proposed-updates, according
> to https://tracker.debian.org/pkg/openssl), so I've CCed team@security.
> Any advice?

Okay let's be on the safe side and update openssh for this functional
regression via buster-security.

Can you adjust the changelog accordingly and upload to
security-master? (Make sure to build with -sa, and to not include a
_{arch}.buildinfo file in case you perform a source only upload).

Regards,
Salvatore


signature.asc
Description: PGP signature

Bug#941810: buster-pu: package openssh/1:7.9p1-10

2019-10-05 Thread Colin Watson

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

https://bugs.debian.org/941663 reports an OpenSSH regression on old
kernels prompted by the interaction between an OpenSSL update and a
seccomp filter; https://bugs.debian.org/941665 and
https://github.com/openssh/openssh-portable/pull/149 have more details.
The patch is an easy one to cherry-pick, and I've attached the resulting
diff.  I'd like approval to upload it.

I'm not sure where's best to upload this to.  Although I've filed this
as a stable update request, there's an argument that perhaps it should
be issued through the same channels as the OpenSSL update
(stable-security and then copied to stable-proposed-updates, according
to https://tracker.debian.org/pkg/openssl), so I've CCed team@security.
Any advice?

Thanks,

-- 
Colin Watson   [cjwat...@debian.org]
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 65e73673d..60a2fe1b6 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-6b56cd57db9061296231f14d537f1ebaf25e8877
-6b56cd57db9061296231f14d537f1ebaf25e8877
+35956d8211ef0a606a117ca3f0ba3ae163c31a39
+35956d8211ef0a606a117ca3f0ba3ae163c31a39
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 openssh_7.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 8b18f3506..3456413eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openssh (1:7.9p1-10+deb10u1) UNRELEASED; urgency=medium
+
+  * Apply upstream patch to deny (non-fatally) shmget/shmat/shmdt in preauth
+privsep child, coping with changes in OpenSSL 1.1.1d that broke OpenSSH
+on Linux kernels before 3.19 (closes: #941663).
+
+ -- Colin Watson   Sat, 05 Oct 2019 22:32:31 +0100
+
 openssh (1:7.9p1-10) unstable; urgency=medium
 
   * Temporarily revert IPQoS defaults to pre-7.8 values until issues with
diff --git a/debian/patches/seccomp-handle-shm.patch 
b/debian/patches/seccomp-handle-shm.patch
new file mode 100644
index 0..56bc9414e
--- /dev/null
+++ b/debian/patches/seccomp-handle-shm.patch
@@ -0,0 +1,38 @@
+From 35956d8211ef0a606a117ca3f0ba3ae163c31a39 Mon Sep 17 00:00:00 2001
+From: Lonnie Abelbeck 
+Date: Tue, 1 Oct 2019 09:05:09 -0500
+Subject: Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
+
+New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and 
shmdt
+in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
+
+Bug: https://github.com/openssh/openssh-portable/pull/149
+Bug-Debian: https://bugs.debian.org/941663
+Origin: upstream, 
https://anongit.mindrot.org/openssh.git/commit/?id=3ef92a657444f172b61f92d5da66d94fa8265602
+Last-Update: 2019-10-05
+
+Patch-Name: seccomp-handle-shm.patch
+---
+ sandbox-seccomp-filter.c | 9 +
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index ef4de8c65..e8f31555e 100644
+--- a/sandbox-seccomp-filter.c
 b/sandbox-seccomp-filter.c
+@@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_stat64
+   SC_DENY(__NR_stat64, EACCES),
+ #endif
++#ifdef __NR_shmget
++  SC_DENY(__NR_shmget, EACCES),
++#endif
++#ifdef __NR_shmat
++  SC_DENY(__NR_shmat, EACCES),
++#endif
++#ifdef __NR_shmdt
++  SC_DENY(__NR_shmdt, EACCES),
++#endif
+ 
+   /* Syscalls to permit */
+ #ifdef __NR_brk
diff --git a/debian/patches/series b/debian/patches/series
index b0da97283..36d464989 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,3 +32,4 @@ fix-key-type-check.patch
 request-rsa-sha2-cert-signatures.patch
 scp-handle-braces.patch
 revert-ipqos-defaults.patch
+seccomp-handle-shm.patch
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ef4de8c65..e8f31555e 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_stat64
SC_DENY(__NR_stat64, EACCES),
 #endif
+#ifdef __NR_shmget
+   SC_DENY(__NR_shmget, EACCES),
+#endif
+#ifdef __NR_shmat
+   SC_DENY(__NR_shmat, EACCES),
+#endif
+#ifdef __NR_shmdt
+   SC_DENY(__NR_shmdt, EACCES),
+#endif
 
/* Syscalls to permit */
 #ifdef __NR_brk

Bug#941810: buster-pu: package openssh/1:7.9p1-10

Bug#941810: buster-pu: package openssh/1:7.9p1-10

Bug#941810: buster-pu: package openssh/1:7.9p1-10

Bug#941810: buster-pu: package openssh/1:7.9p1-10

Bug#941810: buster-pu: package openssh/1:7.9p1-10

5 matches

Site Navigation

Mail list logo

Footer information