
Bug#948695: marked as done (buster-pu: package openssh/1:7.9p1-10+deb10u2)



Your message dated Sat, 08 Feb 2020 14:21:36 +0000
with message-id <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.3 point release
has caused the Debian Bug report #948695,
regarding buster-pu: package openssh/1:7.9p1-10+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
948695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948695
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

https://bugs.debian.org/946242 reports an OpenSSH regression on old
kernels on certain architectures (e.g. i386) prompted by the interaction
between an OpenSSL update and a seccomp filter.  It's essentially the
same as https://bugs.debian.org/941663, but at the time we didn't notice
that the exact set of syscalls involved varies between architectures due
to details of how the shm* library functions are implemented in glibc.
I've attached the diff and would like approval to upload it.

In https://bugs.debian.org/941810 we decided that it was best to issue
this via buster-security; I think that would be the correct thing to do
here as well, so I've CCed team@security.  However, I'm filing this as a
stable update request just in case there's disagreement about that for
some reason.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
diff -Nru openssh-7.9p1/debian/.git-dpm openssh-7.9p1/debian/.git-dpm
--- openssh-7.9p1/debian/.git-dpm	2019-10-06 19:17:34.000000000 +0100
+++ openssh-7.9p1/debian/.git-dpm	2020-01-12 00:06:24.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-35956d8211ef0a606a117ca3f0ba3ae163c31a39
-35956d8211ef0a606a117ca3f0ba3ae163c31a39
+6f794127bd7d332c1d88a3e35eda97dac4530a15
+6f794127bd7d332c1d88a3e35eda97dac4530a15
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 openssh_7.9p1.orig.tar.gz
diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog
--- openssh-7.9p1/debian/changelog	2019-10-06 19:18:07.000000000 +0100
+++ openssh-7.9p1/debian/changelog	2020-01-12 00:06:36.000000000 +0000
@@ -1,3 +1,13 @@
+openssh (1:7.9p1-10+deb10u2) UNRELEASED; urgency=medium
+
+  * Apply upstream patch to deny (non-fatally) ipc in the seccomp sandbox,
+    fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some
+    architectures (closes: #946242).  Note that this also drops the previous
+    change to allow ipc on s390, since upstream has security concerns with
+    that and it doesn't currently seem to be needed.
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 12 Jan 2020 00:06:36 +0000
+
 openssh (1:7.9p1-10+deb10u1) buster-security; urgency=high
 
   * Apply upstream patch to deny (non-fatally) shmget/shmat/shmdt in preauth
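Review bot: the distribution field of the new changelog entry still reads UNRELEASED; it has to become buster (or buster-security, which the request says is the intended route) before this is uploaded, with the version 1:7.9p1-10+deb10u2 kept as in the bug title. The closes: #946242 reference matches the bug discussed in the request.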
diff -Nru openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch
--- openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch	2020-01-12 00:06:24.000000000 +0000
@@ -0,0 +1,48 @@
+From 6f794127bd7d332c1d88a3e35eda97dac4530a15 Mon Sep 17 00:00:00 2001
+From: Jeremy Drake <github@jdrake.com>
+Date: Fri, 11 Oct 2019 18:31:05 -0700
+Subject: Deny (non-fatal) ipc in preauth privsep child.
+
+As noted in openssh/openssh-portable#149, i386 does not have have
+_NR_shmget etc.  Instead, it has a single ipc syscall (see man 2 ipc,
+https://linux.die.net/man/2/ipc).  Add this syscall, if present, to the
+list of syscalls that seccomp will deny non-fatally.
+
+[cjwatson: For backporting to buster, I've dropped the previous change
+to allow ipc on s390.  Upstream refused that since it opens security
+weaknesses and doesn't currently seem to be needed, so I'd already
+dropped that for bullseye.]
+
+Bug-Debian: https://bugs.debian.org/946242
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
+Last-Update: 2020-01-11
+
+Patch-Name: sandbox-seccomp-ipc.patch
+---
+ sandbox-seccomp-filter.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e8f31555e..9b6aea8db 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -158,6 +158,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_shmdt
+ 	SC_DENY(__NR_shmdt, EACCES),
+ #endif
++#ifdef __NR_ipc
++	SC_DENY(__NR_ipc, EACCES),
++#endif
+ 
+ 	/* Syscalls to permit */
+ #ifdef __NR_brk
+@@ -205,9 +208,6 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_getuid32
+ 	SC_ALLOW(__NR_getuid32),
+ #endif
+-#if defined(__NR_ipc) && defined(__s390__)
+-	SC_ALLOW(__NR_ipc),
+-#endif
+ #ifdef __NR_madvise
+ 	SC_ALLOW(__NR_madvise),
+ #endif
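Review bot: at the added `SC_DENY(__NR_ipc, EACCES)` block, the commit text should say that on i386 the single ipc(2) syscall multiplexes all SysV IPC (semaphores and message queues as well as shm), so this deny is broader than the shmget/shmat/shmdt denies in the surrounding context lines; that is acceptable for the preauth child, which needs none of them, but worth stating. Dropping the `#if defined(__NR_ipc) && defined(__s390__)` SC_ALLOW at the second hunk is consistent: the filter is evaluated top to bottom, so with the new deny at line 158 an allow at line 208 would never be reached anyway. Minor: "does not have have" in the quoted commit message is a doubled word.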
diff -Nru openssh-7.9p1/debian/patches/series openssh-7.9p1/debian/patches/series
--- openssh-7.9p1/debian/patches/series	2019-10-06 19:17:34.000000000 +0100
+++ openssh-7.9p1/debian/patches/series	2020-01-12 00:06:24.000000000 +0000
@@ -33,3 +33,4 @@
 scp-handle-braces.patch
 revert-ipqos-defaults.patch
 seccomp-handle-shm.patch
+sandbox-seccomp-ipc.patch
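Review bot: appending sandbox-seccomp-ipc.patch after seccomp-handle-shm.patch is the required order, not just a stylistic one: its context lines (the `#ifdef __NR_shmdt` / `SC_DENY(__NR_shmdt, EACCES)` block) only exist once the shm denies from 1:7.9p1-10+deb10u1 have been applied, so the patch would fail to apply earlier in the series.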

--- End Message ---
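As an added illustration of the non-fatal seccomp deny described in the request above (written for this page; not code from the bug report or from OpenSSH), a minimal C program installs a BPF filter that returns EACCES for shmget and for the multiplexed ipc(2) syscall on architectures that have it, then calls shmget through glibc to show it fails with EACCES instead of killing the process. The SC_DENY macro, the function names and the shmget probe are this example's own assumptions; it is Linux-only and, unlike sshd's default-deny list, allows every other syscall.

```c
/* Added demo, not OpenSSH code: deny-with-EACCES in the style of sshd's SC_DENY. Linux only. */
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/prctl.h>
#include <sys/shm.h>
#include <sys/syscall.h>
/* If the syscall number matches, return -err to the caller (SECCOMP_RET_ERRNO)
 * rather than killing the process: the "non-fatal" deny the changelog describes. */
#define SC_DENY(nr, err) \
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (err))

static struct sock_filter insns[] = {
	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_shmget	/* amd64 etc.: direct syscall (shmat/shmdt would be denied the same way) */
	SC_DENY(__NR_shmget, EACCES),
#endif
#ifdef __NR_ipc		/* i386 etc.: glibc's shm* functions go through one multiplexed ipc(2) */
	SC_DENY(__NR_ipc, EACCES),
#endif
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),	/* demo only; sshd's filter is default-deny */
};
/* 0 on success; -1 if seccomp filtering is unavailable in this environment. */
int install_ipc_deny_filter(void)
{
	struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Call shmget via glibc (whichever syscall this arch uses); returns errno, 0 if it worked. */
int probe_shmget(void)
{
	int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
	if (id == -1) return errno;
	shmctl(id, IPC_RMID, NULL);	/* no filter in effect: remove the segment again */
	return 0;
}
int main(void)
{
	if (install_ipc_deny_filter() != 0) { perror("seccomp"); return 1; }
	int e = probe_shmget();
	printf("shmget: %s\n", e ? strerror(e) : "succeeded");
	return e == EACCES ? 0 : 1;	/* with the filter, expect EACCES rather than SIGSYS */
}
```

Swapping SECCOMP_RET_ERRNO for SECCOMP_RET_KILL in SC_DENY reproduces the failure mode the request describes: the process dies on the first shm call instead of getting an error it can handle.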
--- Begin Message ---
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
