
Bug#857741: unblock (pre-approval): openssh/1:7.4p1-8



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

I'd like to upload openssh 1:7.4p1-8 containing two fixes cherry-picked
from upstream, and am seeking pre-approval.  One of the fixes is for
data corruption in ssh-keygen and I think should be uncontroversial
(severity: serious).  The other is incorrect output from ssh-keyscan
that turned up in bug reports related to the ssh-keygen bug; I can't
quite justify severity: serious for it, but it's a small patch and I'd
like to include it while I'm here.

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm	2017-03-05 02:11:08.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm	2017-03-14 13:41:39.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e18d2ba71e6bf009c53e65509da84b712c300471
-e18d2ba71e6bf009c53e65509da84b712c300471
+a0f9daa9c3cc2b37b9707b228263eb717d201371
+a0f9daa9c3cc2b37b9707b228263eb717d201371
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog	2017-03-05 02:12:42.000000000 +0000
+++ openssh-7.4p1/debian/changelog	2017-03-14 13:49:14.000000000 +0000
@@ -1,3 +1,12 @@
+openssh (1:7.4p1-8) unstable; urgency=medium
+
+  * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
+    already-hashed entries (closes: #851734, LP: #1668093).
+  * Fix ssh-keyscan to correctly hash hosts with a port number (closes:
+    #857736, LP: #1670745).
+
+ -- Colin Watson <cjwatson@debian.org>  Tue, 14 Mar 2017 13:49:14 +0000
+
 openssh (1:7.4p1-7) unstable; urgency=medium
 
   * Don't set "PermitRootLogin yes" on fresh installations (regression
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series	2017-03-05 02:11:08.000000000 +0000
+++ openssh-7.4p1/debian/patches/series	2017-03-14 13:41:39.000000000 +0000
@@ -30,3 +30,5 @@
 sandbox-x32-workaround.patch
 no-dsa-host-key-by-default.patch
 restore-authorized_keys2.patch
+ssh-keygen-hash-corruption.patch
+ssh-keyscan-hash-port.patch
diff -Nru openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch
--- openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch	2017-03-14 13:41:32.000000000 +0000
@@ -0,0 +1,44 @@
+From 78800aa252da1ebbfb55f7e593f43c337e694cc3 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 3 Mar 2017 06:13:11 +0000
+Subject: upstream commit
+
+fix ssh-keygen -H accidentally corrupting known_hosts that
+contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
+hostkeys_foreach() when hostname matching is in use, so we need to look for
+the hash marker explicitly.
+
+Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=12d3767ba4c84c32150cbe6ff6494498780f12c9
+Bug-Debian: https://bugs.debian.org/851734
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1668093
+Last-Update: 2017-03-09
+
+Patch-Name: ssh-keygen-hash-corruption.patch
+---
+ ssh-keygen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 2a7939bf..0833ee61 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -1082,6 +1082,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
+ 	struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
+ 	char *hashed, *cp, *hosts, *ohosts;
+ 	int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
++	int was_hashed = l->hosts[0] == HASH_DELIM;
+ 
+ 	switch (l->status) {
+ 	case HKF_STATUS_OK:
+@@ -1090,8 +1091,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
+ 		 * Don't hash hosts already already hashed, with wildcard
+ 		 * characters or a CA/revocation marker.
+ 		 */
+-		if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||
+-		    has_wild || l->marker != MRK_NONE) {
++		if (was_hashed || has_wild || l->marker != MRK_NONE) {
+ 			fprintf(ctx->out, "%s\n", l->line);
+ 			if (has_wild && !find_host) {
+ 				logit("%s:%ld: ignoring host name "
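Review bot: The added `int was_hashed = l->hosts[0] == HASH_DELIM;` dereferences `l->hosts` unconditionally, while the line directly above guards the same pointer with `l->hosts &&`, which suggests `l->hosts` can be NULL (presumably for lines whose status is not HKF_STATUS_OK, since both initialisers run before the `switch` on `l->status`). If that is the case, running `ssh-keygen -H` over a known_hosts file containing such a line would crash instead of copying the line through. Mirroring the existing guard avoids it: `int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;`. The body of known_hosts_hash continues outside the hunk.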
diff -Nru openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch
--- openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch	2017-03-14 13:41:39.000000000 +0000
@@ -0,0 +1,48 @@
+From a0f9daa9c3cc2b37b9707b228263eb717d201371 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 10 Mar 2017 03:18:24 +0000
+Subject: upstream commit
+
+correctly hash hosts with a port number. Reported by Josh
+Powers in bz#2692; ok dtucker@
+
+Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=8a2834454c73dfc1eb96453c0e97690595f3f4c2
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2692
+Bug-Debian: https://bugs.debian.org/857736
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1670745
+Last-Update: 2017-03-14
+
+Patch-Name: ssh-keyscan-hash-port.patch
+---
+ ssh-keyscan.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index c30d54e6..24b51ff1 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -321,16 +321,17 @@ keygrab_ssh2(con *c)
+ }
+ 
+ static void
+-keyprint_one(char *host, struct sshkey *key)
++keyprint_one(const char *host, struct sshkey *key)
+ {
+ 	char *hostport;
+-
+-	if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
+-		fatal("host_hash failed");
++	const char *known_host, *hashed;
+ 
+ 	hostport = put_host_port(host, ssh_port);
++	if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
++		fatal("host_hash failed");
++	known_host = hash_hosts ? hashed : hostport;
+ 	if (!get_cert)
+-		fprintf(stdout, "%s ", hostport);
++		fprintf(stdout, "%s ", known_host);
+ 	sshkey_write(key, stdout);
+ 	fputs("\n", stdout);
+ 	free(hostport);
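Review bot: `hashed`, the buffer `host_hash()` returns on the new side, is never released: the function still frees only `hostport` (`free(hostport);` at the end of the hunk), so each printed key leaks one hashed hostname whenever `hash_hosts` is set. Declaring it as `char *hashed = NULL;` instead of on the `const char *known_host, *hashed;` line and adding `free(hashed);` beside `free(hostport);` closes the leak without changing the printed output. Separately, the hashed branch feeds `host` to `host_hash()` while the unhashed branch prints `hostport`, so with a non-default ssh_port the two branches name different things; whether the hashed form is what a client later looks up depends on `host_hash()` and `put_host_port()`, which are outside the hunk, and is worth confirming. keyprint_one's closing brace lies outside the hunk.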

unblock openssh/1:7.4p1-8

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
