Bug#941810: buster-pu: package openssh/1:7.9p1-10
Hi Colin, On Sun, Oct 06, 2019 at 09:32:26PM +0200, Salvatore Bonaccorso wrote: > Hi Colin, > > On Sun, Oct 06, 2019 at 08:03:19PM +0100, Colin Watson wrote: > > On Sun, Oct 06, 2019 at 04:22:23PM +0200, Salvatore Bonaccorso wrote: > > > On Sat, Oct 05, 2019 at 10:39:29PM +0100, Colin Watson wrote: > > > > https://bugs.debian.org/941663 reports an OpenSSH regression on old > > > > kernels prompted by the interaction between an OpenSSL update and a > > > > seccomp filter; https://bugs.debian.org/941665 and > > > > https://github.com/openssh/openssh-portable/pull/149 have more details. > > > > The patch is an easy one to cherry-pick, and I've attached the resulting > > > > diff. I'd like approval to upload it. > > > > > > > > I'm not sure where's best to upload this to. Although I've filed this > > > > as a stable update request, there's an argument that perhaps it should > > > > be issued through the same channels as the OpenSSL update > > > > (stable-security and then copied to stable-proposed-updates, according > > > > to https://tracker.debian.org/pkg/openssl), so I've CCed team@security. > > > > Any advice? > > > > > > Okay let's be on the safe side and update openssh for this functional > > > regression via buster-security. > > > > > > Can you adjust the changelog accordingly and upload to > > > security-master? (Make sure to build with -sa, and to not include a > > > _{arch}.buildinfo file in case you perform a source only upload). > > > > Done. I usually get something wrong in the mechanics of doing security > > uploads, but maybe I got it right for once. > > Looks good so far! > > > I don't have a pre-3.19 system around to test this on, but I at least > > made sure that an ordinary buster system (with 4.19) is fine. > > I was able to reproduce the issue in a buster LXC container running on > a host with < 3.19 kernel (specifically reproduced with a jessie > host). Will double check the fixed packages as well in that setup. Your update was released with DSA 4539-2. So I think #941810 can now be closed as there is no action needed to be taken for the next buster point release. Thanks for your work! Regards, Salvatore
Bug#941810: buster-pu: package openssh/1:7.9p1-10
Hi Colin, On Sun, Oct 06, 2019 at 08:03:19PM +0100, Colin Watson wrote: > On Sun, Oct 06, 2019 at 04:22:23PM +0200, Salvatore Bonaccorso wrote: > > On Sat, Oct 05, 2019 at 10:39:29PM +0100, Colin Watson wrote: > > > https://bugs.debian.org/941663 reports an OpenSSH regression on old > > > kernels prompted by the interaction between an OpenSSL update and a > > > seccomp filter; https://bugs.debian.org/941665 and > > > https://github.com/openssh/openssh-portable/pull/149 have more details. > > > The patch is an easy one to cherry-pick, and I've attached the resulting > > > diff. I'd like approval to upload it. > > > > > > I'm not sure where's best to upload this to. Although I've filed this > > > as a stable update request, there's an argument that perhaps it should > > > be issued through the same channels as the OpenSSL update > > > (stable-security and then copied to stable-proposed-updates, according > > > to https://tracker.debian.org/pkg/openssl), so I've CCed team@security. > > > Any advice? > > > > Okay let's be on the safe side and update openssh for this functional > > regression via buster-security. > > > > Can you adjust the changelog accordingly and upload to > > security-master? (Make sure to build with -sa, and to not include a > > _{arch}.buildinfo file in case you perform a source only upload). > > Done. I usually get something wrong in the mechanics of doing security > uploads, but maybe I got it right for once. Looks good so far! > I don't have a pre-3.19 system around to test this on, but I at least > made sure that an ordinary buster system (with 4.19) is fine. I was able to reproduce the issue in a buster LXC container running on a host with < 3.19 kernel (specifically reproduced with a jessie host). Will double check the fixed packages as well in that setup. Regards, Salvatore
Bug#941810: buster-pu: package openssh/1:7.9p1-10
On Sun, Oct 06, 2019 at 04:22:23PM +0200, Salvatore Bonaccorso wrote: > On Sat, Oct 05, 2019 at 10:39:29PM +0100, Colin Watson wrote: > > https://bugs.debian.org/941663 reports an OpenSSH regression on old > > kernels prompted by the interaction between an OpenSSL update and a > > seccomp filter; https://bugs.debian.org/941665 and > > https://github.com/openssh/openssh-portable/pull/149 have more details. > > The patch is an easy one to cherry-pick, and I've attached the resulting > > diff. I'd like approval to upload it. > > > > I'm not sure where's best to upload this to. Although I've filed this > > as a stable update request, there's an argument that perhaps it should > > be issued through the same channels as the OpenSSL update > > (stable-security and then copied to stable-proposed-updates, according > > to https://tracker.debian.org/pkg/openssl), so I've CCed team@security. > > Any advice? > > Okay let's be on the safe side and update openssh for this functional > regression via buster-security. > > Can you adjust the changelog accordingly and upload to > security-master? (Make sure to build with -sa, and to not include a > _{arch}.buildinfo file in case you perform a source only upload). Done. I usually get something wrong in the mechanics of doing security uploads, but maybe I got it right for once. I don't have a pre-3.19 system around to test this on, but I at least made sure that an ordinary buster system (with 4.19) is fine. -- Colin Watson [cjwat...@debian.org]
Bug#941810: buster-pu: package openssh/1:7.9p1-10
Hi Colin, On Sat, Oct 05, 2019 at 10:39:29PM +0100, Colin Watson wrote: > Package: release.debian.org > Severity: normal > Tags: buster > User: release.debian@packages.debian.org > Usertags: pu > > https://bugs.debian.org/941663 reports an OpenSSH regression on old > kernels prompted by the interaction between an OpenSSL update and a > seccomp filter; https://bugs.debian.org/941665 and > https://github.com/openssh/openssh-portable/pull/149 have more details. > The patch is an easy one to cherry-pick, and I've attached the resulting > diff. I'd like approval to upload it. > > I'm not sure where's best to upload this to. Although I've filed this > as a stable update request, there's an argument that perhaps it should > be issued through the same channels as the OpenSSL update > (stable-security and then copied to stable-proposed-updates, according > to https://tracker.debian.org/pkg/openssl), so I've CCed team@security. > Any advice? Okay let's be on the safe side and update openssh for this functional regression via buster-security. Can you adjust the changelog accordingly and upload to security-master? (Make sure to build with -sa, and to not include a _{arch}.buildinfo file in case you perform a source only upload). Regards, Salvatore signature.asc Description: PGP signature
Bug#941810: buster-pu: package openssh/1:7.9p1-10
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu https://bugs.debian.org/941663 reports an OpenSSH regression on old kernels prompted by the interaction between an OpenSSL update and a seccomp filter; https://bugs.debian.org/941665 and https://github.com/openssh/openssh-portable/pull/149 have more details. The patch is an easy one to cherry-pick, and I've attached the resulting diff. I'd like approval to upload it. I'm not sure where's best to upload this to. Although I've filed this as a stable update request, there's an argument that perhaps it should be issued through the same channels as the OpenSSL update (stable-security and then copied to stable-proposed-updates, according to https://tracker.debian.org/pkg/openssl), so I've CCed team@security. Any advice? Thanks, -- Colin Watson [cjwat...@debian.org] diff --git a/debian/.git-dpm b/debian/.git-dpm index 65e73673d..60a2fe1b6 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -6b56cd57db9061296231f14d537f1ebaf25e8877 -6b56cd57db9061296231f14d537f1ebaf25e8877 +35956d8211ef0a606a117ca3f0ba3ae163c31a39 +35956d8211ef0a606a117ca3f0ba3ae163c31a39 3d246f10429fc9a37b98eabef94fe8dc7c61002b 3d246f10429fc9a37b98eabef94fe8dc7c61002b openssh_7.9p1.orig.tar.gz diff --git a/debian/changelog b/debian/changelog index 8b18f3506..3456413eb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +openssh (1:7.9p1-10+deb10u1) UNRELEASED; urgency=medium + + * Apply upstream patch to deny (non-fatally) shmget/shmat/shmdt in preauth +privsep child, coping with changes in OpenSSL 1.1.1d that broke OpenSSH +on Linux kernels before 3.19 (closes: #941663). + + -- Colin Watson Sat, 05 Oct 2019 22:32:31 +0100 + openssh (1:7.9p1-10) unstable; urgency=medium * Temporarily revert IPQoS defaults to pre-7.8 values until issues with diff --git a/debian/patches/seccomp-handle-shm.patch b/debian/patches/seccomp-handle-shm.patch new file mode 100644 index 0..56bc9414e --- /dev/null +++ b/debian/patches/seccomp-handle-shm.patch @@ -0,0 +1,38 @@ +From 35956d8211ef0a606a117ca3f0ba3ae163c31a39 Mon Sep 17 00:00:00 2001 +From: Lonnie Abelbeck +Date: Tue, 1 Oct 2019 09:05:09 -0500 +Subject: Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child. + +New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt +in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox. + +Bug: https://github.com/openssh/openssh-portable/pull/149 +Bug-Debian: https://bugs.debian.org/941663 +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3ef92a657444f172b61f92d5da66d94fa8265602 +Last-Update: 2019-10-05 + +Patch-Name: seccomp-handle-shm.patch +--- + sandbox-seccomp-filter.c | 9 + + 1 file changed, 9 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index ef4de8c65..e8f31555e 100644 +--- a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +@@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_stat64 + SC_DENY(__NR_stat64, EACCES), + #endif ++#ifdef __NR_shmget ++ SC_DENY(__NR_shmget, EACCES), ++#endif ++#ifdef __NR_shmat ++ SC_DENY(__NR_shmat, EACCES), ++#endif ++#ifdef __NR_shmdt ++ SC_DENY(__NR_shmdt, EACCES), ++#endif + + /* Syscalls to permit */ + #ifdef __NR_brk diff --git a/debian/patches/series b/debian/patches/series index b0da97283..36d464989 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -32,3 +32,4 @@ fix-key-type-check.patch request-rsa-sha2-cert-signatures.patch scp-handle-braces.patch revert-ipqos-defaults.patch +seccomp-handle-shm.patch diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index ef4de8c65..e8f31555e 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_stat64 SC_DENY(__NR_stat64, EACCES), #endif +#ifdef __NR_shmget + SC_DENY(__NR_shmget, EACCES), +#endif +#ifdef __NR_shmat + SC_DENY(__NR_shmat, EACCES), +#endif +#ifdef __NR_shmdt + SC_DENY(__NR_shmdt, EACCES), +#endif /* Syscalls to permit */ #ifdef __NR_brk