Bug#932175: stretch-pu: package openssh/1:7.4p1-10+deb9u7

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#932175: stretch-pu: package openssh/1:7.4p1-10+deb9u7
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Tue, 16 Jul 2019 11:36:29 +0200
Message-id: <[🔎] 156326978968.8452.12187659755492889444.reportbug@hullmann.westfalen.local>
Reply-to: Moritz Muehlenhoff <jmm@debian.org>, 932175@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

This update for OpenSSH fixes a dead lock in AuthorizedKeysCommand (#905226).

The fixed package is running fine on a formerly affected Stretch system
(https://phabricator.wikimedia.org)

(I'm not the maintainer, but acked by Colin in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905226#27)

Debdiff below.

Cheers,
        Moritz

diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog	2019-03-01 17:19:28.000000000 +0100
+++ openssh-7.4p1/debian/changelog	2019-07-15 15:32:09.000000000 +0200
@@ -1,3 +1,11 @@
+openssh (1:7.4p1-10+deb9u7) stretch; urgency=medium
+
+  * Fix deadlock when the keys/principals command produces a lot of
+    output and a key is matched early (upstream commit
+    ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2). (Closes: #905226)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Mon, 15 Jul 2019 15:32:09 +0200
+
 openssh (1:7.4p1-10+deb9u6) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch
--- openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch	2019-07-15 15:31:41.000000000 +0200
@@ -0,0 +1,37 @@
+From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 30 Dec 2016 22:08:02 +0000
+Subject: [PATCH] upstream commit
+
+fix deadlock when keys/principals command produces a lot of
+output and a key is matched early; bz#2655, patch from jboning AT gmail.com
+
+Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
+---
+ auth2-pubkey.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 20f3309e1..70c021589 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
+ 
+ 	ok = process_principals(f, NULL, pw, cert);
+ 
++	fclose(f);
++	f = NULL;
++
+ 	if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
+ 		goto out;
+ 
+@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
+ 
+ 	ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+ 
++	fclose(f);
++	f = NULL;
++
+ 	if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
+ 		goto out;
+ 
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series	2019-03-01 17:19:28.000000000 +0100
+++ openssh-7.4p1/debian/patches/series	2019-07-15 15:31:41.000000000 +0200
@@ -44,3 +44,4 @@
 have-progressmeter-force-update-at-beginning-and-end-transfer.patch
 check-filenames-in-scp-client.patch
 scp-handle-braces.patch
+fix-deadlock-in-keys-principals-command.patch

Reply to:

Follow-Ups:
- Bug#932175: stretch-pu: package openssh/1:7.4p1-10+deb9u7
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#932175: stretch-pu: package openssh/1:7.4p1-10+deb9u7
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: fix meta data
Next by Date: Bug#932193: buster-pu: package netdata/1.12.0-1+deb10u1
Previous by thread: Processed: fix meta data
Next by thread: Bug#932175: stretch-pu: package openssh/1:7.4p1-10+deb9u7
Index(es):
- Date
- Thread