
Bug#857741: marked as done (unblock: openssh/1:7.4p1-9)



Your message dated Thu, 16 Mar 2017 19:58:36 +0100
with message-id <ed3bdf15-ca7c-1ac8-49e3-ed005a74a84f@debian.org>
and subject line Re: Bug#857741: closed by Emilio Pozuelo Monfort <pochu@respighi.debian.org> (unblock openssh)
has caused the Debian Bug report #857741,
regarding unblock: openssh/1:7.4p1-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
857741: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857741
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

I'd like to upload openssh 1:7.4p1-8 containing two fixes cherry-picked
from upstream, and am seeking pre-approval.  One of the fixes is for
data corruption in ssh-keygen and I think should be uncontroversial
(severity: serious).  The other is incorrect output from ssh-keyscan
that turned up in bug reports related to the ssh-keygen bug; I can't
quite justify severity: serious for it, but it's a small patch and I'd
like to include it while I'm here.

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm	2017-03-05 02:11:08.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm	2017-03-14 13:41:39.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e18d2ba71e6bf009c53e65509da84b712c300471
-e18d2ba71e6bf009c53e65509da84b712c300471
+a0f9daa9c3cc2b37b9707b228263eb717d201371
+a0f9daa9c3cc2b37b9707b228263eb717d201371
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog	2017-03-05 02:12:42.000000000 +0000
+++ openssh-7.4p1/debian/changelog	2017-03-14 13:49:14.000000000 +0000
@@ -1,3 +1,12 @@
+openssh (1:7.4p1-8) unstable; urgency=medium
+
+  * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
+    already-hashed entries (closes: #851734, LP: #1668093).
+  * Fix ssh-keyscan to correctly hash hosts with a port number (closes:
+    #857736, LP: #1670745).
+
+ -- Colin Watson <cjwatson@debian.org>  Tue, 14 Mar 2017 13:49:14 +0000
+
 openssh (1:7.4p1-7) unstable; urgency=medium
 
   * Don't set "PermitRootLogin yes" on fresh installations (regression
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series	2017-03-05 02:11:08.000000000 +0000
+++ openssh-7.4p1/debian/patches/series	2017-03-14 13:41:39.000000000 +0000
@@ -30,3 +30,5 @@
 sandbox-x32-workaround.patch
 no-dsa-host-key-by-default.patch
 restore-authorized_keys2.patch
+ssh-keygen-hash-corruption.patch
+ssh-keyscan-hash-port.patch
diff -Nru openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch
--- openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch	2017-03-14 13:41:32.000000000 +0000
@@ -0,0 +1,44 @@
+From 78800aa252da1ebbfb55f7e593f43c337e694cc3 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 3 Mar 2017 06:13:11 +0000
+Subject: upstream commit
+
+fix ssh-keygen -H accidentally corrupting known_hosts that
+contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
+hostkeys_foreach() when hostname matching is in use, so we need to look for
+the hash marker explicitly.
+
+Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=12d3767ba4c84c32150cbe6ff6494498780f12c9
+Bug-Debian: https://bugs.debian.org/851734
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1668093
+Last-Update: 2017-03-09
+
+Patch-Name: ssh-keygen-hash-corruption.patch
+---
+ ssh-keygen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 2a7939bf..0833ee61 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -1082,6 +1082,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
+ 	struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
+ 	char *hashed, *cp, *hosts, *ohosts;
+ 	int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
++	int was_hashed = l->hosts[0] == HASH_DELIM;
+ 
+ 	switch (l->status) {
+ 	case HKF_STATUS_OK:
+@@ -1090,8 +1091,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
+ 		 * Don't hash hosts already already hashed, with wildcard
+ 		 * characters or a CA/revocation marker.
+ 		 */
+-		if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||
+-		    has_wild || l->marker != MRK_NONE) {
++		if (was_hashed || has_wild || l->marker != MRK_NONE) {
+ 			fprintf(ctx->out, "%s\n", l->line);
+ 			if (has_wild && !find_host) {
+ 				logit("%s:%ld: ignoring host name "
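Review bot: the new `int was_hashed = l->hosts[0] == HASH_DELIM;` dereferences `l->hosts` unconditionally, while the `has_wild` initialiser on the line directly above guards the same pointer with `l->hosts &&`; both are evaluated before the `switch (l->status)`, so a line for which `l->hosts` is NULL (the case that guard exists for) would be dereferenced here. Suggest mirroring the guard: `int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;`. Checking the hash marker directly is otherwise the right approach, given the commit message's point that HKF_MATCH_HOST_HASHED is only set when hostname matching is in use.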
diff -Nru openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch
--- openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch	2017-03-14 13:41:39.000000000 +0000
@@ -0,0 +1,48 @@
+From a0f9daa9c3cc2b37b9707b228263eb717d201371 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 10 Mar 2017 03:18:24 +0000
+Subject: upstream commit
+
+correctly hash hosts with a port number. Reported by Josh
+Powers in bz#2692; ok dtucker@
+
+Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=8a2834454c73dfc1eb96453c0e97690595f3f4c2
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2692
+Bug-Debian: https://bugs.debian.org/857736
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1670745
+Last-Update: 2017-03-14
+
+Patch-Name: ssh-keyscan-hash-port.patch
+---
+ ssh-keyscan.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index c30d54e6..24b51ff1 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -321,16 +321,17 @@ keygrab_ssh2(con *c)
+ }
+ 
+ static void
+-keyprint_one(char *host, struct sshkey *key)
++keyprint_one(const char *host, struct sshkey *key)
+ {
+ 	char *hostport;
+-
+-	if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
+-		fatal("host_hash failed");
++	const char *known_host, *hashed;
+ 
+ 	hostport = put_host_port(host, ssh_port);
++	if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
++		fatal("host_hash failed");
++	known_host = hash_hosts ? hashed : hostport;
+ 	if (!get_cert)
+-		fprintf(stdout, "%s ", hostport);
++		fprintf(stdout, "%s ", known_host);
+ 	sshkey_write(key, stdout);
+ 	fputs("\n", stdout);
+ 	free(hostport);
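Review bot: in keyprint_one() the hashed branch still hashes the bare `host` (`hashed = host_hash(host, NULL, 0)`) even though `hostport = put_host_port(host, ssh_port)` is now computed first, so when `hash_hosts` is set the emitted entry is derived from `host` alone while the unhashed branch emits `[host]:port`; for a non-default port the two forms do not correspond, and a lookup of `[host]:port` would not match the hashed line. Suggest hashing the combined string instead: `host_hash(hostport, NULL, 0)`. Separately, `hostport` is freed at the end but `hashed` never is, so if host_hash() returns an allocated string this leaks one buffer per key printed.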

unblock openssh/1:7.4p1-8

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]



--- End Message ---
--- Begin Message ---
On 16/03/17 19:48, Cyril Brulebois wrote:
> Emilio Pozuelo Monfort <pochu@debian.org> (2017-03-16):
>> On 16/03/17 16:32, Colin Watson wrote:
>>> Control: reopen -1
>>> Control: retitle -1 unblock: openssh/1:7.4p1-9
>>>
>>> I'm afraid that 1:7.4p1-8 caused a CI failure, and on investigation this
>>> was a real problem easily reproduced in a local adt-run.  Sorry for not
>>> noticing this earlier.  I've uploaded 1:7.4p1-9 to fix this with the
>>> following diff.  This will presumably need another d-i ack, and
>>> certainly an adjustment to the existing hint.
>>
>> OK.
>>
>> Explicitly Cc'ing Cyril.
> 
> Thanks and ack as well.

Thanks. Unblocked.

Cheers,
Emilio

--- End Message ---