Bug#932175: stretch-pu: package openssh/1:7.4p1-10+deb9u7

Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: stretch
User: [hidden email]
Usertags: pu

This update for OpenSSH fixes a deadlock in AuthorizedKeysCommand (#905226).

The fixed package is running fine on a formerly affected Stretch system
(https://phabricator.wikimedia.org)

(I'm not the maintainer, but acked by Colin in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905226#27)

Debdiff below.

Cheers,
        Moritz

diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog 2019-03-01 17:19:28.000000000 +0100
+++ openssh-7.4p1/debian/changelog 2019-07-15 15:32:09.000000000 +0200
@@ -1,3 +1,11 @@
+openssh (1:7.4p1-10+deb9u7) stretch; urgency=medium
+
+  * Fix deadlock when the keys/principals command produces a lot of
+    output and a key is matched early (upstream commit
+    ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2). (Closes: #905226)
+
+ -- Moritz Mühlenhoff <[hidden email]>  Mon, 15 Jul 2019 15:32:09 +0200
+
 openssh (1:7.4p1-10+deb9u6) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
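
Review bot: the new 1:7.4p1-10+deb9u7 entry has no non-maintainer upload line, although the covering mail says the uploader is not the maintainer and the previous entry in this same hunk opens with "* Non-maintainer upload by the Security Team."; consider adding the equivalent first bullet so the changelog records who prepared the upload. The entry could also name the upstream report bz#2655, which the patch header cites, next to the commit hash and #905226.
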
diff -Nru openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch
--- openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch 2019-07-15 15:31:41.000000000 +0200
@@ -0,0 +1,37 @@
+From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
+From: "[hidden email]" <[hidden email]>
+Date: Fri, 30 Dec 2016 22:08:02 +0000
+Subject: [PATCH] upstream commit
+
+fix deadlock when keys/principals command produces a lot of
+output and a key is matched early; bz#2655, patch from jboning AT gmail.com
+
+Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
+---
+ auth2-pubkey.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 20f3309e1..70c021589 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
+
+ ok = process_principals(f, NULL, pw, cert);
+
++ fclose(f);
++ f = NULL;
++
+ if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
+ goto out;
+
+@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
+
+ ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+
++ fclose(f);
++ f = NULL;
++
+ if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
+ goto out;
+
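
Review bot: in both nested auth2-pubkey.c hunks the added fclose(f) runs before exited_cleanly(), so a command that is still writing after an early match will see its write fail, and a non-zero result from exited_cleanly() takes the "goto out" path; please confirm that an early match is still accepted when the AuthorizedKeysCommand or AuthorizedPrincipalsCommand helper reacts to the closed pipe with an error exit, and note the expected helper behaviour in the patch description. The "f = NULL;" after the close only prevents a second close if the cleanup at "out" tests f for NULL, which these context lines do not show, so that is worth checking against the 7.4p1 source. The patch header also carries no Debian bug reference; a pointer to #905226 there would match the changelog.
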
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series 2019-03-01 17:19:28.000000000 +0100
+++ openssh-7.4p1/debian/patches/series 2019-07-15 15:31:41.000000000 +0200
@@ -44,3 +44,4 @@
 have-progressmeter-force-update-at-beginning-and-end-transfer.patch
 check-filenames-in-scp-client.patch
 scp-handle-braces.patch
+fix-deadlock-in-keys-principals-command.patch

Bug#932175: stretch-pu: package openssh/1:7.4p1-10+deb9u7

Adam D Barratt
Control: tags -1 + confirmed d-i

On 2019-07-16 06:36, Moritz Muehlenhoff wrote:
> This update for OpenSSH fixes a deadlock in AuthorizedKeysCommand
> (#905226).
>
> The fixed package is running fine on a formerly affected Stretch system
> (https://phabricator.wikimedia.org)

This looks OK to me, but will need a d-i ack due to the udeb; tagging
and CCing accordingly.

Regards,

Adam

Bug#932175: stretch-pu: package openssh/1:7.4p1-10+deb9u7

Cyril Brulebois-4
Adam D. Barratt <[hidden email]> (2019-07-26):
> On 2019-07-16 06:36, Moritz Muehlenhoff wrote:
> > This update for OpenSSH fixes a deadlock in AuthorizedKeysCommand
> > (#905226).
> >
> > The fixed package is running fine on a formerly affected Stretch system
> > (https://phabricator.wikimedia.org)
>
> This looks OK to me, but will need a d-i ack due to the udeb; tagging and
> CCing accordingly.

No objections, thanks.


Cheers,
--
Cyril Brulebois ([hidden email])            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant


Bug#932175: stretch-pu: package openssh/1:7.4p1-10+deb9u7

Moritz Mühlenhoff-2
On Sat, Jul 27, 2019 at 12:34:38PM +0200, Cyril Brulebois wrote:

> Adam D. Barratt <[hidden email]> (2019-07-26):
> > On 2019-07-16 06:36, Moritz Muehlenhoff wrote:
> > > This update for OpenSSH fixes a deadlock in AuthorizedKeysCommand
> > > (#905226).
> > >
> > > The fixed package is running fine on a formerly affected Stretch system
> > > (https://phabricator.wikimedia.org)
> >
> > This looks OK to me, but will need a d-i ack due to the udeb; tagging and
> > CCing accordingly.
>
> No objections, thanks.

Uploaded.

Cheers,
        Moritz

Bug#932175: openssh 7.4p1-10+deb9u7 flagged for acceptance

Jonathan Wiltshire via nm
In reply to this post by Moritz Muehlenhoff
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian stretch.

Thanks for your contribution!

Upload details
==============

Package: openssh
Version: 7.4p1-10+deb9u7

Explanation: fix deadlock in key matching