Your message dated Mon, 7 Oct 2019 22:00:31 +0200
with message-id <20191007200031.GA7326@eldamar.local>
and subject line Re: Bug#941810: buster-pu: package openssh/1:7.9p1-10
has caused the Debian Bug report #941810,
regarding buster-pu: package openssh/1:7.9p1-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
941810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941810
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

https://bugs.debian.org/941663 reports an OpenSSH regression on old
kernels prompted by the interaction between an OpenSSL update and a
seccomp filter; https://bugs.debian.org/941665 and
https://github.com/openssh/openssh-portable/pull/149 have more details.
The patch is an easy one to cherry-pick, and I've attached the resulting
diff.  I'd like approval to upload it.

I'm not sure where's best to upload this to.  Although I've filed this
as a stable update request, there's an argument that perhaps it should
be issued through the same channels as the OpenSSL update
(stable-security and then copied to stable-proposed-updates, according
to https://tracker.debian.org/pkg/openssl), so I've CCed team@security.
Any advice?

Thanks,

-- 
Colin Watson                                       [cjwat...@debian.org]
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 65e73673d..60a2fe1b6 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-6b56cd57db9061296231f14d537f1ebaf25e8877
-6b56cd57db9061296231f14d537f1ebaf25e8877
+35956d8211ef0a606a117ca3f0ba3ae163c31a39
+35956d8211ef0a606a117ca3f0ba3ae163c31a39
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 openssh_7.9p1.orig.tar.gz
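Review bot: the new patched-tree commit 35956d8211ef0a606a117ca3f0ba3ae163c31a39 recorded here (both lines, as git-dpm expects) matches the From line of the new debian/patches/seccomp-handle-shm.patch below, and the upstream-tree commit 3d246f10429fc9a37b98eabef94fe8dc7c61002b is left unchanged, so the git-dpm bookkeeping is consistent with a single cherry-picked patch on top of the existing series.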
diff --git a/debian/changelog b/debian/changelog
index 8b18f3506..3456413eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openssh (1:7.9p1-10+deb10u1) UNRELEASED; urgency=medium
+
+  * Apply upstream patch to deny (non-fatally) shmget/shmat/shmdt in preauth
+    privsep child, coping with changes in OpenSSL 1.1.1d that broke OpenSSH
+    on Linux kernels before 3.19 (closes: #941663).
+
+ -- Colin Watson <cjwat...@debian.org>  Sat, 05 Oct 2019 22:32:31 +0100
+
 openssh (1:7.9p1-10) unstable; urgency=medium
 
   * Temporarily revert IPQoS defaults to pre-7.8 values until issues with
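Review bot: the new stanza still targets UNRELEASED; before upload the distribution has to be set to the real target (buster for the proposed-updates route this bug requests, or buster-security given that the thread later settles on uploading to security-master), since the version 1:7.9p1-10+deb10u1 alone does not select the queue. The entry correctly closes #941663 (the regression report) rather than this tracking bug #941810, and the description matches the patch subject, which is what a stable-update reviewer wants to see.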
diff --git a/debian/patches/seccomp-handle-shm.patch 
b/debian/patches/seccomp-handle-shm.patch
new file mode 100644
index 000000000..56bc9414e
--- /dev/null
+++ b/debian/patches/seccomp-handle-shm.patch
@@ -0,0 +1,38 @@
+From 35956d8211ef0a606a117ca3f0ba3ae163c31a39 Mon Sep 17 00:00:00 2001
+From: Lonnie Abelbeck <lon...@abelbeck.com>
+Date: Tue, 1 Oct 2019 09:05:09 -0500
+Subject: Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
+
+New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and 
shmdt
+in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
+
+Bug: https://github.com/openssh/openssh-portable/pull/149
+Bug-Debian: https://bugs.debian.org/941663
+Origin: upstream, 
https://anongit.mindrot.org/openssh.git/commit/?id=3ef92a657444f172b61f92d5da66d94fa8265602
+Last-Update: 2019-10-05
+
+Patch-Name: seccomp-handle-shm.patch
+---
+ sandbox-seccomp-filter.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index ef4de8c65..e8f31555e 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_stat64
+       SC_DENY(__NR_stat64, EACCES),
+ #endif
++#ifdef __NR_shmget
++      SC_DENY(__NR_shmget, EACCES),
++#endif
++#ifdef __NR_shmat
++      SC_DENY(__NR_shmat, EACCES),
++#endif
++#ifdef __NR_shmdt
++      SC_DENY(__NR_shmdt, EACCES),
++#endif
+ 
+       /* Syscalls to permit */
+ #ifdef __NR_brk
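Review bot: the DEP-3 headers are complete (Bug, Bug-Debian, Origin, Last-Update, Patch-Name); note that the Origin URL names the upstream commit 3ef92a657444f172b61f92d5da66d94fa8265602 while the From line carries the git-dpm commit 35956d8211ef0a606a117ca3f0ba3ae163c31a39, which is expected for git-dpm-managed patches but can confuse anyone diffing against upstream. On substance, SC_DENY(..., EACCES) makes each of shmget/shmat/shmdt return -1 with errno EACCES instead of hitting the filter's default action, which is exactly the "non-fatal" behaviour the subject promises; the fix therefore relies on OpenSSL 1.1.1d's wait_random_seeded() treating a failed shmget() as a normal, recoverable outcome rather than an error, and that is the behaviour worth confirming on an affected (< 3.19) kernel before release.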
diff --git a/debian/patches/series b/debian/patches/series
index b0da97283..36d464989 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,3 +32,4 @@ fix-key-type-check.patch
 request-rsa-sha2-cert-signatures.patch
 scp-handle-braces.patch
 revert-ipqos-defaults.patch
+seccomp-handle-shm.patch
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ef4de8c65..e8f31555e 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_stat64
        SC_DENY(__NR_stat64, EACCES),
 #endif
+#ifdef __NR_shmget
+       SC_DENY(__NR_shmget, EACCES),
+#endif
+#ifdef __NR_shmat
+       SC_DENY(__NR_shmat, EACCES),
+#endif
+#ifdef __NR_shmdt
+       SC_DENY(__NR_shmdt, EACCES),
+#endif
 
        /* Syscalls to permit */
 #ifdef __NR_brk
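Review bot: each of the three new entries is guarded by #ifdef __NR_shmget/__NR_shmat/__NR_shmdt, so on an ABI where the C library reaches System V shared memory through the multiplexed ipc(2) syscall rather than dedicated syscall numbers (32-bit x86 with pre-5.1 kernel headers is the usual example) the whole addition compiles to nothing and the preauth child would still take the filter's default action on that call; worth checking whether a matching `SC_DENY(__NR_ipc, EACCES)` under `#ifdef __NR_ipc` is needed for buster's i386 build. Otherwise the placement next to the existing `SC_DENY(__NR_stat64, EACCES)` in the deny section, ahead of the "Syscalls to permit" comment, follows the file's established pattern, and the index line ef4de8c65..e8f31555e is identical to the one inside the embedded patch, confirming the in-tree source and debian/patches agree.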

--- End Message ---
--- Begin Message ---
Hi Colin,

On Sun, Oct 06, 2019 at 09:32:26PM +0200, Salvatore Bonaccorso wrote:
> Hi Colin,
> 
> On Sun, Oct 06, 2019 at 08:03:19PM +0100, Colin Watson wrote:
> > On Sun, Oct 06, 2019 at 04:22:23PM +0200, Salvatore Bonaccorso wrote:
> > > On Sat, Oct 05, 2019 at 10:39:29PM +0100, Colin Watson wrote:
> > > > https://bugs.debian.org/941663 reports an OpenSSH regression on old
> > > > kernels prompted by the interaction between an OpenSSL update and a
> > > > seccomp filter; https://bugs.debian.org/941665 and
> > > > https://github.com/openssh/openssh-portable/pull/149 have more details.
> > > > The patch is an easy one to cherry-pick, and I've attached the resulting
> > > > diff.  I'd like approval to upload it.
> > > > 
> > > > I'm not sure where's best to upload this to.  Although I've filed this
> > > > as a stable update request, there's an argument that perhaps it should
> > > > be issued through the same channels as the OpenSSL update
> > > > (stable-security and then copied to stable-proposed-updates, according
> > > > to https://tracker.debian.org/pkg/openssl), so I've CCed team@security.
> > > > Any advice?
> > > 
> > > Okay let's be on the safe side and update openssh for this functional
> > > regression via buster-security.
> > > 
> > > Can you adjust the changelog accordingly and upload to
> > > security-master? (Make sure to build with -sa, and to not include a
> > > _{arch}.buildinfo file in case you perform a source only upload).
> > 
> > Done.  I usually get something wrong in the mechanics of doing security
> > uploads, but maybe I got it right for once.
> 
> Looks good so far!
> 
> > I don't have a pre-3.19 system around to test this on, but I at least
> > made sure that an ordinary buster system (with 4.19) is fine.
> 
> I was able to reproduce the issue in a buster LXC container running on
> a host with < 3.19 kernel (specifically reproduced with a jessie
> host). Will double check the fixed packages as well in that setup.

Your update was released with DSA 4539-2.

So I think #941810 can now be closed as there is no action needed to
be taken for the next buster point release.

Thanks for your work!

Regards,
Salvatore

--- End Message ---
