
Bug#691293: marked as done (unblock: mosh/1.2.3-1)



Your message dated Sat, 8 Dec 2012 15:59:03 +0100
with message-id <20121208145903.GN5634@radis.cristau.org>
and subject line Re: Bug#691293: unblock: mosh/1.2.3-1
has caused the Debian Bug report #691293,
regarding unblock: mosh/1.2.3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
691293: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691293
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello,

We respectfully request that you unblock mosh 1.2.3-1 and include it
in the wheezy release. A debdiff from mosh 1.2.2-1 is available at
http://mosh.mit.edu/mosh_1.2.2-1_to_mosh-1.2.3-1.debdiff.txt .

mosh 1.2.3 is an upstream microrelease that fixes several issues we
learned about during the first six months of widespread use. It is
well-tested and has passed the regression tests.

Most prominently, mosh now links against OpenSSL and uses OpenSSL's
implementation of AES. Previously, Mosh 1.2.2 shipped its own AES
reference implementation for licensing reasons. The reference
implementation has been criticized for possible timing leakage, and it
is preferable to avoid shipping a duplicate cipher implementation.

Mosh 1.2.3 also includes several robustness fixes, including increased
resilience when transiting problematic NATs and VPNs and compatibility
with the KDE konsole and dual-stack IPv4/v6 sshds.

More security and robustness improvements are listed in the changelog.

I regret the lateness of this upstream release in the wheezy freeze
cycle. But given the expected lifetime of wheezy as a stable release,
upstream would much rather be supporting 1.2.3 instead of 1.2.2 for
the long term. We appreciate your consideration of our request.

unblock mosh/1.2.3-1

--- End Message ---
--- Begin Message ---
On Tue, Oct 23, 2012 at 18:44:11 -0400, Keith Winstein wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hello,
> 
> We respectfully request that you unblock mosh 1.2.3-1 and include it
> in the wheezy release. A debdiff from mosh 1.2.2-1 is available at
> http://mosh.mit.edu/mosh_1.2.2-1_to_mosh-1.2.3-1.debdiff.txt .
> 
> mosh 1.2.3 is an upstream microrelease that fixes several issues we
> learned about during the first six months of widespread use. It is
> well-tested and has passed the regression tests.
> 
> Most prominently, mosh now links against OpenSSL and uses OpenSSL's
> implementation of AES. Previously, Mosh 1.2.2 shipped its own AES
> reference implementation for licensing reasons. The reference
> implementation has been criticized for possible timing leakage, and it
> is preferable to avoid shipping a duplicate cipher implementation.
> 
> Mosh 1.2.3 also includes several robustness fixes, including increased
> resilience when transiting problematic NATs and VPNs and compatibility
> with the KDE konsole and dual-stack IPv4/v6 sshds.
> 
> More security and robustness improvements are listed in the changelog.
> 
> I regret the lateness of this upstream release in the wheezy freeze
> cycle. But given the expected lifetime of wheezy as a stable release,
> upstream would much rather be supporting 1.2.3 instead of 1.2.2 for
> the long term. We appreciate your consideration of our request.
> 
> unblock mosh/1.2.3-1
> 
This is on the too big side, but unblocked anyway.

One comment though:

> @@ -361,11 +396,25 @@
>    /* close file descriptors */
>    if ( !verbose ) {
>      /* Necessary to properly detach on old versions of sshd (e.g. RHEL/CentOS 5.0). */
> -    fclose( stdin );
> -    fclose( stdout );
> -    fclose( stderr );
> +    int nullfd;
> +
> +    nullfd = open( "/dev/null", O_RDWR );
> +    if ( nullfd == -1 ) {
> +      perror( "dup2" );
> +      exit( 1 );
> +    }
> +
> +    if ( dup2 ( nullfd, STDIN_FILENO ) < 0 ||
> +         dup2 ( nullfd, STDOUT_FILENO ) < 0 ||
> +         dup2 ( nullfd, STDERR_FILENO ) < 0 ) {
> +      perror( "dup2" );
> +      exit( 1 );
> +    }
>    }
>  
> +  char utmp_entry[ 64 ] = { 0 };
> +  snprintf( utmp_entry, 64, "mosh [%d]", getpid() );
> +
>    /* Fork child process */
>    pid_t child = forkpty( &master, NULL, &child_termios, &window_size );
>  
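Review bot: In the open() failure branch the error is printed with perror( "dup2" ), so a failure to open /dev/null is reported under the wrong call name; perror( "open" ) would match the call that failed. In the same block, nullfd is still open after the three dup2() calls succeed, so this process and the forkpty() child that follows keep an extra descriptor on /dev/null; closing it once the duplicates exist, guarded by nullfd > STDERR_FILENO so that a standard descriptor is not closed by mistake, avoids that. The snprintf() call could also take sizeof( utmp_entry ) instead of repeating the literal 64.
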
This hunk seems to leak nullfd?

Cheers,
Julien



--- End Message ---
