** Description changed: [Impact] Here's what has been brought to my attention by a UA customer: * Release: Xenial/16.04LTS * Openssh version: 7.2p2-4ubuntu2.10 * Fuzzer tool used: https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html (proprietary software) As of today, I have no access to a reproducer. * coredump: $ gdb $(which sshd) <OBFUSCATED>.sshd.20731 ... Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `sshd: [net] '. Program terminated with signal SIGSEGV, Segmentation fault. #0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136 136 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory. (gdb) bt #0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136 #1 0x00007fec25b241db in memcpy (__len=<optimized out>, __src=0x0, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:53 #2 aes_gcm_ctrl (c=0x558a7ae19758, type=<optimized out>, arg=<optimized out>, ptr=0x0) at e_aes.c:1189 #3 0x00007fec25b20897 in EVP_CIPHER_CTX_ctrl (ctx=ctx@entry=0x558a7ae19758, type=type@entry=18, arg=arg@entry=-1, ptr=ptr@entry=0x0) at evp_enc.c:619 #4 0x0000558a7953f54c in cipher_init (cc=cc@entry=0x558a7ae19750, cipher=0x558a797b3ef0 <ciphers+720>, key=0x0, keylen=32, iv=0x0, ivlen=<optimized out>, do_encrypt=0) at ../cipher.c:336 #5 0x0000558a7954521a in ssh_set_newkeys (ssh=ssh@entry=0x558a7ae18ef0, mode=mode@entry=0)at ../packet.c:919 #6 0x0000558a7955ae92 in kex_input_newkeys (type=<optimized out>, seq=<optimized out>, ctxt=0x558a7ae18ef0)at ../kex.c:434 #7 0x0000558a7954d269 in ssh_dispatch_run (ssh=ssh@entry=0x558a7ae18ef0, mode=0, done=0x558a7ae18278, ctxt=0x558a7ae18ef0) at ../dispatch.c:119 #8 0x0000558a7954d2b9 in ssh_dispatch_run_fatal (ssh=0x558a7ae18ef0, mode=<optimized out>, done=<optimized out>, ctxt=<optimized out>) at ../dispatch.c:140 #9 0x0000558a79502770 in do_ssh2_kex () at ../sshd.c:2744 #10 main (ac=<optimized out>, av=<optimized out>) at ../sshd.c:2301 (gdb) [Test plan] ** NOT REPRODUCIBLE ON MY SIDE ** This seems to be a corner case generated by the Defensics fuzzer test suite (proprietary software from synopsys). That's the only way this could have been reproduced so far. + Here's the details I could gather about the fuzzer test scenario: + + ------ + Test Suite: SSHv2 Server Test Suite by Synopsys + Test Case Description: + SSHv2.Key-Exchange.DH-GROUP-EXCHANGE-SHA256.message-sequence.duplicate-message: + Insert extra message 'message-2' before message 'client-newkeys' + ------ + [Where problem could occur] [Other information] Upstream fix: https://github.com/openssh/openssh-portable/commit/2adbe1e63bc313d03e8e84e652cc623af8ebb163 Only Xenial requires the fix: # git describe --contains 2adbe1e V_7_5_P1~7 # rmadison openssh => openssh | 1:7.2p2-4ubuntu2.10 | xenial-updates | source openssh | 1:7.6p1-4 | bionic | source openssh | 1:7.6p1-4ubuntu0.3 | bionic-security | source openssh | 1:7.6p1-4ubuntu0.3 | bionic-updates | source openssh | 1:7.6p1-4ubuntu0.4 | bionic-proposed | source openssh | 1:8.2p1-4 | focal | source openssh | 1:8.2p1-4ubuntu0.2 | focal-security | source openssh | 1:8.2p1-4ubuntu0.2 | focal-updates | source openssh | 1:8.3p1-1 | groovy | source openssh | 1:8.3p1-1ubuntu0.1 | groovy-security | source openssh | 1:8.3p1-1ubuntu0.1 | groovy-updates | source openssh | 1:8.4p1-5ubuntu1 | hirsute | source openssh | 1:8.4p1-5ubuntu1 | impish | source
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1930286 Title: Defensics' synopsys fuzzer testing tool cause openssh to segfault Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Xenial: In Progress Bug description: [Impact] Here's what has been brought to my attention by a UA customer: * Release: Xenial/16.04LTS * Openssh version: 7.2p2-4ubuntu2.10 * Fuzzer tool used: https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html (proprietary software) As of today, I have no access to a reproducer. * coredump: $ gdb $(which sshd) <OBFUSCATED>.sshd.20731 ... Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `sshd: [net] '. Program terminated with signal SIGSEGV, Segmentation fault. #0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136 136 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory. (gdb) bt #0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136 #1 0x00007fec25b241db in memcpy (__len=<optimized out>, __src=0x0, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:53 #2 aes_gcm_ctrl (c=0x558a7ae19758, type=<optimized out>, arg=<optimized out>, ptr=0x0) at e_aes.c:1189 #3 0x00007fec25b20897 in EVP_CIPHER_CTX_ctrl (ctx=ctx@entry=0x558a7ae19758, type=type@entry=18, arg=arg@entry=-1, ptr=ptr@entry=0x0) at evp_enc.c:619 #4 0x0000558a7953f54c in cipher_init (cc=cc@entry=0x558a7ae19750, cipher=0x558a797b3ef0 <ciphers+720>, key=0x0, keylen=32, iv=0x0, ivlen=<optimized out>, do_encrypt=0) at ../cipher.c:336 #5 0x0000558a7954521a in ssh_set_newkeys (ssh=ssh@entry=0x558a7ae18ef0, mode=mode@entry=0)at ../packet.c:919 #6 0x0000558a7955ae92 in kex_input_newkeys (type=<optimized out>, seq=<optimized out>, ctxt=0x558a7ae18ef0)at ../kex.c:434 #7 0x0000558a7954d269 in ssh_dispatch_run (ssh=ssh@entry=0x558a7ae18ef0, mode=0, done=0x558a7ae18278, ctxt=0x558a7ae18ef0) at ../dispatch.c:119 #8 0x0000558a7954d2b9 in ssh_dispatch_run_fatal (ssh=0x558a7ae18ef0, mode=<optimized out>, done=<optimized out>, ctxt=<optimized out>) at ../dispatch.c:140 #9 0x0000558a79502770 in do_ssh2_kex () at ../sshd.c:2744 #10 main (ac=<optimized out>, av=<optimized out>) at ../sshd.c:2301 (gdb) [Test plan] ** NOT REPRODUCIBLE ON MY SIDE ** This seems to be a corner case generated by the Defensics fuzzer test suite (proprietary software from synopsys). That's the only way this could have been reproduced so far. Here's the details I could gather about the fuzzer test scenario: ------ Test Suite: SSHv2 Server Test Suite by Synopsys Test Case Description: SSHv2.Key-Exchange.DH-GROUP-EXCHANGE-SHA256.message-sequence.duplicate-message: Insert extra message 'message-2' before message 'client-newkeys' ------ [Where problem could occur] [Other information] Upstream fix: https://github.com/openssh/openssh-portable/commit/2adbe1e63bc313d03e8e84e652cc623af8ebb163 Only Xenial requires the fix: # git describe --contains 2adbe1e V_7_5_P1~7 # rmadison openssh => openssh | 1:7.2p2-4ubuntu2.10 | xenial-updates | source openssh | 1:7.6p1-4 | bionic | source openssh | 1:7.6p1-4ubuntu0.3 | bionic-security | source openssh | 1:7.6p1-4ubuntu0.3 | bionic-updates | source openssh | 1:7.6p1-4ubuntu0.4 | bionic-proposed | source openssh | 1:8.2p1-4 | focal | source openssh | 1:8.2p1-4ubuntu0.2 | focal-security | source openssh | 1:8.2p1-4ubuntu0.2 | focal-updates | source openssh | 1:8.3p1-1 | groovy | source openssh | 1:8.3p1-1ubuntu0.1 | groovy-security | source openssh | 1:8.3p1-1ubuntu0.1 | groovy-updates | source openssh | 1:8.4p1-5ubuntu1 | hirsute | source openssh | 1:8.4p1-5ubuntu1 | impish | source To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1930286/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
