Bug#1007714: bullseye-pu: package openssh/1:8.4p1-5+deb11u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1007714: bullseye-pu: package openssh/1:8.4p1-5+deb11u1
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 15 Mar 2022 15:20:49 +0000
Message-id: <[🔎] YjCu0b8KKv73gbMT@riva.ucam.org>
Reply-to: Colin Watson <cjwatson@debian.org>, 1007714@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
OpenSSH in stable breaks on 32-bit architectures (at least armhf,
reportedly also i386) after upgrading libc6 to the version in bookworm,
due to changes in its system call interface that affect OpenSSH's
seccomp sandbox.  See https://bugs.debian.org/1004427.

[ Impact ]
Without this change, I'm concerned that sshd may be unavailable during
part of an upgrade from bullseye to bookworm (or even make the machine
inaccessible, if it's headless and the upgrade fails).  Getting the
sandbox tweak into bullseye at this stage would reduce that risk.

[ Tests ]
Existing autopkgtests are quite comprehensive and ensure that normal
connections to sshd continue to work.  They don't cover the case of
upgrading to bookworm's libc6 and restarting sshd; that would need to be
done manually.

[ Risks ]
I think the only real risk here is the usual residual misbuild risk from
any update, which autopkgtests would catch.  The actual code change just
adds another allow rule to a seccomp filter.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable (modulo
      finalizing the changelog)
  [x] the issue is verified as fixed in unstable (fixed upstream as of
      OpenSSH 8.5p1, which has been in unstable since November)

[ Changes ]
An extra SC_ALLOW(__NR_pselect6_time64) if that syscall is defined.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

diff -Nru openssh-8.4p1/debian/.git-dpm openssh-8.4p1/debian/.git-dpm
--- openssh-8.4p1/debian/.git-dpm	2021-03-13 09:59:40.000000000 +0000
+++ openssh-8.4p1/debian/.git-dpm	2022-02-25 16:09:00.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-421db3656dcafbe810226463bf27a18a0b1c3186
-421db3656dcafbe810226463bf27a18a0b1c3186
+ed99ef256258d8556dbe39d976c2528ede050f14
+ed99ef256258d8556dbe39d976c2528ede050f14
 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
 openssh_8.4p1.orig.tar.gz
diff -Nru openssh-8.4p1/debian/changelog openssh-8.4p1/debian/changelog
--- openssh-8.4p1/debian/changelog	2021-03-13 09:59:40.000000000 +0000
+++ openssh-8.4p1/debian/changelog	2022-02-25 16:09:00.000000000 +0000
@@ -1,3 +1,11 @@
+openssh (1:8.4p1-5+deb11u1) UNRELEASED; urgency=medium
+
+  * Backport from upstream:
+    - Add new pselect6_time64 syscall on 32-bit architectures (closes:
+      #1004427).
+
+ -- Colin Watson <cjwatson@debian.org>  Fri, 25 Feb 2022 16:09:00 +0000
+
 openssh (1:8.4p1-5) unstable; urgency=high
 
   * CVE-2021-28041: Fix double free in ssh-agent(1) (closes: #984940).
diff -Nru openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch
--- openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch	2022-02-25 16:09:00.000000000 +0000
@@ -0,0 +1,32 @@
+From ed99ef256258d8556dbe39d976c2528ede050f14 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Fri, 20 Nov 2020 13:37:54 +1100
+Subject: Add new pselect6_time64 syscall on ARM.
+
+This is apparently needed on armhfp/armv7hl.  bz#3232, patch from
+jjelen at redhat.com.
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=0f90440ca70abab947acbd77795e9f130967956c
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3232
+Bug-Debian: https://bugs.debian.org/1004427
+Last-Update: 2022-02-25
+
+Patch-Name: sandbox-pselect6_time64.patch
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c063..5065ae7ef 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+ 	SC_ALLOW(__NR_pselect6),
+ #endif
++#ifdef __NR_pselect6_time64
++	SC_ALLOW(__NR_pselect6_time64),
++#endif
+ #ifdef __NR_read
+ 	SC_ALLOW(__NR_read),
+ #endif
diff -Nru openssh-8.4p1/debian/patches/series openssh-8.4p1/debian/patches/series
--- openssh-8.4p1/debian/patches/series	2021-03-13 09:59:40.000000000 +0000
+++ openssh-8.4p1/debian/patches/series	2022-02-25 16:09:00.000000000 +0000
@@ -26,3 +26,4 @@
 revert-x32-sandbox-breakage.patch
 ssh-copy-id-heredoc-syntax.patch
 ssh-agent-double-free.patch
+sandbox-pselect6_time64.patch

Reply to:

Follow-Ups:
- Bug#1007714: bullseye-pu: package openssh/1:8.4p1-5+deb11u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#1007714: bullseye-pu: package openssh/1:8.4p1-5+deb11u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Re: Upcoming stable point release (11.3)
Next by Date: Re: Upcoming stable point release (11.3)
Previous by thread: Bug#1006446: nmu: libgdal-grass_3.2.2-1
Next by thread: Bug#1007714: bullseye-pu: package openssh/1:8.4p1-5+deb11u1
Index(es):
- Date
- Thread