[Bug 2988] Tracking bug for 8.1 release

2019-10-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2988

Damien Miller  changed:

           What |Removed |Added
     Depends on |3085    |


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3085
[Bug 3085] seccomp issue after upgrading openssl
-- 
You are receiving this mail because:
You are watching the reporter of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 3079] Tracking bug for 8.2 release

2019-10-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3079

Damien Miller  changed:

           What |Removed |Added
     Depends on |        |3085


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3085
[Bug 3085] seccomp issue after upgrading openssl


[Bug 3085] seccomp issue after upgrading openssl

2019-10-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3085

Damien Miller  changed:

           What |Removed |Added
         Blocks |2988    |3079


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3079
[Bug 3079] Tracking bug for 8.2 release


[Bug 2988] Tracking bug for 8.1 release

2019-10-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2988

Damien Miller  changed:

           What |Removed |Added
     Depends on |        |3085


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3085
[Bug 3085] seccomp issue after upgrading openssl


[Bug 3085] seccomp issue after upgrading openssl

2019-10-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3085

Damien Miller  changed:

           What |Removed  |Added
             CC |         |d...@mindrot.org
         Blocks |         |2988
       Severity |critical |major

--- Comment #3 from Damien Miller  ---
Please try -current, or cherry-pick this commit:

commit 3ef92a657444f172b61f92d5da66d94fa8265602
Author: Lonnie Abelbeck 
Date:   Tue Oct 1 09:05:09 2019 -0500

Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.

New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget,
shmat, and shmdt in the preauth codepath, deny (non-fatal) in
seccomp_filter sandbox.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release


[Bug 3085] seccomp issue after upgrading openssl

2019-10-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3085

--- Comment #2 from bru...@netestate.de ---
It won't compile with --with-cflags=-DSANDBOX_SECCOMP_FILTER_DEBUG
Kernel headers in /usr/include are from 4.9.195 - it looks like gcc
does not like them?

cc -g -O2 -pipe -Wno-error=format-truncation -Wall -Wpointer-arith
-Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result
-fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset
-fstack-protector-strong -DSANDBOX_SECCOMP_FILTER_DEBUG -fPIE   -I. -I.
-I/usr/lib/ssl/include  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE
-D_DEFAULT_SOURCE -DSSHDIR=\"/etc\"
-D_PATH_SSH_PROGRAM=\"/tmp/openssh/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/tmp/openssh/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/tmp/openssh/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/tmp/openssh/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/tmp/openssh/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\"
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c
sandbox-seccomp-filter.c -o sandbox-seccomp-filter.o
In file included from /usr/include/bits/types/siginfo_t.h:6:0,
 from /usr/include/signal.h:57,
 from /usr/include/sys/param.h:28,
 from includes.h:26,
 from sandbox-seccomp-filter.c:38:
/usr/include/bits/types/__sigval_t.h:24:7: error: redefinition of
'union sigval'
 union sigval
   ^~
In file included from /usr/include/asm/siginfo.h:14:0,
 from sandbox-seccomp-filter.c:32:
/usr/include/asm-generic/siginfo.h:7:15: note: originally defined here
 typedef union sigval {
   ^~
/usr/include/bits/types/siginfo_t.h:58:14: error: expected ':', ',',
';', '}' or '__attribute__' before '.' token
  __pid_t si_pid; /* Sending process ID.  */
  ^
/usr/include/bits/types/siginfo_t.h:65:10: error: expected ':', ',',
';', '}' or '__attribute__' before '.' token
  int si_tid;  /* Timer ID.  */
  ^
/usr/include/bits/types/siginfo_t.h:73:14: error: expected ':', ',',
';', '}' or '__attribute__' before '.' token
  __pid_t si_pid; /* Sending process ID.  */
  ^
/usr/include/bits/types/siginfo_t.h:81:14: error: expected ':', ',',
';', '}' or '__attribute__' before '.' token
  __pid_t si_pid; /* Which child.  */
  ^
/usr/include/bits/types/siginfo_t.h:91:12: error: expected ':', ',',
';', '}' or '__attribute__' before '.' token
  void *si_addr; /* Faulting insn/memory ref.  */
^
/usr/include/bits/types/siginfo_t.h:110:21: error: expected ':', ',',
';', '}' or '__attribute__' before '.' token
  __SI_BAND_TYPE si_band; /* Band event for SIGPOLL.  */
 ^
In file included from /usr/include/signal.h:57:0,
 from /usr/include/sys/param.h:28,
 from includes.h:26,
 from sandbox-seccomp-filter.c:38:
/usr/include/bits/types/siginfo_t.h:124:5: error: conflicting types for
'siginfo_t'
   } siginfo_t __SI_ALIGNMENT;
 ^
In file included from /usr/include/asm/siginfo.h:14:0,
 from sandbox-seccomp-filter.c:32:
/usr/include/asm-generic/siginfo.h:118:24: note: previous declaration
of 'siginfo_t' was here
 } __ARCH_SI_ATTRIBUTES siginfo_t;
^
/usr/include/bits/siginfo-consts.h:38:3: error: expected identifier
before '-' token
   SI_DETHREAD = -7,  /* Sent by execve killing subsidiary
   ^
/usr/include/bits/siginfo-consts.h:73:3: error: expected identifier
before '(' token
   ILL_ILLOPC = 1,  /* Illegal opcode.  */
   ^
/usr/include/bits/siginfo-consts.h:96:3: error: expected identifier
before '(' token
   FPE_INTDIV = 1,  /* Integer divide by zero.  */
   ^
/usr/include/bits/siginfo-consts.h:121:3: error: expected identifier
before '(' token
   SEGV_MAPERR = 1,  /* Address not mapped to object.  */
   ^
/usr/include/bits/siginfo-consts.h:140:3: error: expected identifier
before '(' token
   BUS_ADRALN = 1,  /* Invalid address alignment.  */
   ^
/usr/include/bits/siginfo-consts.h:157:3: error: expected identifier
before '(' token
   TRAP_BRKPT = 1,  /* Process breakpoint.  */
   ^
/usr/include/bits/siginfo-consts.h:174:3: error: expected identifier
before '(' token
   CLD_EXITED = 1,  /* Child has exited.  */
   ^
/usr/include/bits/siginfo-consts.h:191:3: error: expected identifier
before '(' token
   POLL_IN = 1,   /* Data input available.  */
   ^
In file included from /usr/include/signal.h:62:0,
 from /usr/include/sys/param.h:28,
 from includes.h:26,
 from sandbox-seccomp-filter.c:38:
/usr/include/bits/types/sigval_t.h:16:20: error: conflicting types for
'sigval_t'
 typedef __sigval_t sigval_t;
^~~~
In file included from /usr/include/asm/siginfo.h:14:0,
 from sandbox-seccomp-filter.c:32:
/usr/include/asm-generic/siginfo.h:10:3: note: previous declaration of

[Bug 3085] seccomp issue after upgrading openssl

2019-10-30 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3085

Darren Tucker  changed:

           What |Removed |Added
             CC |        |dtuc...@dtucker.net

--- Comment #1 from Darren Tucker  ---
>  Is it possible that there are still issues?

It's possible, but it depends on many variables.  If you build with

./configure --with-sandbox=seccomp_filter
--with-cflags=-DSANDBOX_SECCOMP_FILTER_DEBUG

then connect to it you should get a log message with the syscall that's
being denied (but note that the resulting binary is not signal safe, so
do not deploy it in production).

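The two technical points in this thread are the fix in comment #3 (deny shmget/shmat/shmdt non-fatally in the preauth seccomp filter, so OpenSSL 1.1.1d's wait_random_seeded() gets an error instead of the child being killed) and the debugging advice in comment #1 (rebuild with SANDBOX_SECCOMP_FILTER_DEBUG to get the number of the denied syscall, at the cost of a handler that is not signal safe). The program below is an added example written for this page; it is not OpenSSH's sandbox-seccomp-filter.c and the function names (build_deny_filter, seccomp_deny_shm, install_sigsys_logger, probe_shmget_errno, last_trapped_syscall) are its own. It simplifies in two ways that are assumptions of the example, not of sshd: it is a deny list on top of SECCOMP_RET_ALLOW rather than sshd's default-deny allow list, so the host process keeps running, and the debug behaviour is a run-time flag rather than a compile-time define. The SIGSYS handler reads si_syscall from the ordinary <signal.h> siginfo_t and never includes <asm/siginfo.h>, which is the header that comment #2's build log shows clashing with glibc's signal.h.

```c
/*
 * Added example, not OpenSSH code: deny shmget/shmat/shmdt with seccomp-bpf,
 * either non-fatally (EACCES, as the commit in comment #3 does) or in a
 * "debug" mode (SECCOMP_RET_TRAP + SIGSYS handler) that reports the denied
 * syscall number, which is what SANDBOX_SECCOMP_FILTER_DEBUG is for.
 * Assumption: deny list over SECCOMP_RET_ALLOW, unlike sshd's default-deny.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
# define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
# define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_I386
#else
# error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef __NR_shmget
# error "this ABI multiplexes SysV IPC through __NR_ipc; adjust the deny list"
#endif

#define MAX_INSNS 32
struct deny_filter { struct sock_filter insns[MAX_INSNS]; unsigned short len; };

static struct sock_filter insn(unsigned short code, __u32 k, __u8 jt, __u8 jf)
{
    struct sock_filter s = { code, jt, jf, k };
    return s;
}

/* Kill on arch mismatch (so a foreign ABI cannot rename syscalls past us),
 * return `action` for every listed syscall number, allow everything else. */
int build_deny_filter(struct deny_filter *f, const int *nrs, size_t n, __u32 action)
{
    unsigned short i = 0;
    size_t j;
    if (5 + 2 * n > MAX_INSNS)
        return -1;
    f->insns[i++] = insn(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch), 0, 0);
    f->insns[i++] = insn(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0);
    f->insns[i++] = insn(BPF_RET | BPF_K, SECCOMP_RET_KILL, 0, 0);
    f->insns[i++] = insn(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr), 0, 0);
    for (j = 0; j < n; j++) {
        f->insns[i++] = insn(BPF_JMP | BPF_JEQ | BPF_K, (__u32)nrs[j], 0, 1);
        f->insns[i++] = insn(BPF_RET | BPF_K, action, 0, 0);
    }
    f->insns[i++] = insn(BPF_RET | BPF_K, SECCOMP_RET_ALLOW, 0, 0);
    f->len = i;
    return 0;
}

static int install_filter(const struct deny_filter *f)
{
    struct sock_fprog prog = { f->len, (struct sock_filter *)f->insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)   /* required when unprivileged */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* debug=0: the syscall fails with EACCES (non-fatal deny, as in the commit).
 * debug=1: the syscall traps to SIGSYS so the handler can name it. */
int seccomp_deny_shm(int debug)
{
    static const int shm_syscalls[] = { __NR_shmget, __NR_shmat, __NR_shmdt };
    struct deny_filter f;
    __u32 action = debug ? SECCOMP_RET_TRAP
                         : (SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA));
    if (build_deny_filter(&f, shm_syscalls, 3, action) == -1)
        return -1;
    return install_filter(&f);
}

static volatile sig_atomic_t trapped_nr = -1;

/* Only async-signal-safe operations: a sig_atomic_t store and write(2) with
 * hand-formatted digits. Logging via printf/syslog here would be the
 * "not signal safe" behaviour comment #1 warns about. */
static void sigsys_handler(int sig, siginfo_t *si, void *ctx)
{
    static const char prefix[] = "seccomp: trapped syscall ";
    char num[16];
    int n = si->si_syscall, i = sizeof(num);
    (void)sig; (void)ctx;
    trapped_nr = n;
    num[--i] = '\n';
    do { num[--i] = (char)('0' + n % 10); n /= 10; } while (n > 0 && i > 0);
    (void)!write(STDERR_FILENO, prefix, sizeof(prefix) - 1);
    (void)!write(STDERR_FILENO, num + i, sizeof(num) - i);
}

int install_sigsys_logger(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = sigsys_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSYS, &sa, NULL);
}

int last_trapped_syscall(void) { return (int)trapped_nr; }

/* Probe: 0 if shmget succeeded (segment removed again), else the errno. */
int probe_shmget_errno(void)
{
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
    if (id == -1)
        return errno;
    shmctl(id, IPC_RMID, NULL);
    return 0;
}

int main(void)
{
    int e;
    if (seccomp_deny_shm(0) == -1) { perror("seccomp_deny_shm"); return 1; }
    e = probe_shmget_errno();
    printf("non-fatal deny: shmget failed with errno %d (%s)\n", e, strerror(e));
    /* Stack the trap filter on top: TRAP outranks ERRNO among stacked filters. */
    if (install_sigsys_logger() == -1 || seccomp_deny_shm(1) == -1) { perror("debug"); return 1; }
    probe_shmget_errno();
    printf("debug mode: SIGSYS handler saw syscall %d (__NR_shmget is %d)\n",
           last_trapped_syscall(), __NR_shmget);
    return 0;
}
```

Build with "cc -Wall -o seccomp_shm seccomp_shm.c" and run it as an ordinary user. The first probe shows the commit's behaviour: shmget returns -1 with EACCES and the process carries on, which is what lets OpenSSL's wait_random_seeded() fall back instead of the preauth child dying. The second probe shows why a debug build is needed to find the offending syscall at all: SECCOMP_RET_ERRNO leaves no trace in the kernel log, whereas SECCOMP_RET_TRAP hands the number to the handler. Filters cannot be removed once installed and the trap action takes precedence over the errno action, so in a real daemon the two are alternatives chosen at build time, as in sshd, not modes switched at run time.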