[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#352042: marked as done (openssh-server: incompatible pointer types break gssapi auth on alpha, possibly others)

Your message dated Fri, 12 May 2006 05:17:10 -0700
with message-id <E1FeWZy-0007QU-3T@spohr.debian.org>
and subject line Bug#352042: fixed in openssh 1:4.3p2-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: openssh-server
Version: 1:4.2p1-4bpo1juhaj1
Severity: normal
Tags: patch

OpenSSH's GSSAPI authentication routines pass addresses of OM_uint32 to
functions expecting a pointer to int. On alpha, int is 64 bits and the
values stored in the variables pointed by these pointers only have half
of their bits set. Results in broken GSSAPI authentication and a very
annoying "connection closed by remote host" -message without any other
info as to why. Even with -vvv you get no relevant info. Server side,
of course, shows what happens with -ddd. This probably affects other 64-bit
archs as well, but I only if they have 64-bit ints: ppc64 and x86_64, which
I have access to, both have 32-bit ints.

Patch below. Note that this only fixes the authentication process. There
is at least one logging function with the same problem. Reading the actual
build logs should reveal them since they show up as "passing arg N ... from
incompatible pointer type" or something equivalent.



--- monitor.c   2006-02-09 11:45:16 +0200
+++ monitor.c.orig      2006-02-09 11:44:27 +0200
@@ -1947,7 +1947,7 @@
        gss_buffer_desc data, hash;
        OM_uint32 major, minor;
-       data.value = buffer_get_string(m, (int *) &data.length);
+       data.value = buffer_get_string(m, &data.length);
        if (data.length != 20) 
                fatal("%s: data length incorrect: %d", __func__, data.length);

--- monitor.c.orig      2006-02-09 11:44:27 +0200
+++ monitor.c   2006-02-09 11:45:16 +0200
@@ -1947,7 +1947,7 @@
        gss_buffer_desc data, hash;
        OM_uint32 major, minor;
-       data.value = buffer_get_string(m, &data.length);
+       data.value = buffer_get_string(m, (int *) &data.length);
        if (data.length != 20) 
                fatal("%s: data length incorrect: %d", __func__, data.length);

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14+juhaj+v1.0
Locale: LANG=en_GB.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)

Versions of packages openssh-server depends on:
ii  adduser              3.81                Add and remove users and groups
ii  debconf [debconf-2.0 1.4.70              Debian configuration management sy
ii  dpkg                 1.13.13             package maintenance system for Deb
ii  libc6                2.3.5-13            GNU C Library: Shared libraries an
ii  libgssapi4-heimdal   0.7.1-1juhaj1       Libraries for Heimdal Kerberos
ii  libkafs0-heimdal     0.7.1-1juhaj1       Libraries for Heimdal Kerberos
ii  libkrb5-17-heimdal   0.7.1-1juhaj1       Libraries for Heimdal Kerberos
ii  libpam-modules       0.79-3              Pluggable Authentication Modules f
ii  libpam-runtime       0.79-3.1            Runtime support for the PAM librar
ii  libpam0g             0.79-3.1            Pluggable Authentication Modules l
ii  libselinux1          1.28-1              SELinux shared libraries
ii  libssl0.9.7          0.9.7g-5            SSL shared libraries
ii  libwrap0             7.6.dbs-8           Wietse Venema's TCP wrappers libra
ii  openssh-client       1:4.2p1-4bpo1juhaj1 Secure shell client, an rlogin/rsh
ii  zlib1g               1:1.2.3-9           compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:4.3p2-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

  to pool/main/o/openssh/openssh-client-udeb_4.3p2-1_powerpc.udeb
  to pool/main/o/openssh/openssh-client_4.3p2-1_powerpc.deb
  to pool/main/o/openssh/openssh-server-udeb_4.3p2-1_powerpc.udeb
  to pool/main/o/openssh/openssh-server_4.3p2-1_powerpc.deb
  to pool/main/o/openssh/openssh_4.3p2-1.diff.gz
  to pool/main/o/openssh/openssh_4.3p2-1.dsc
  to pool/main/o/openssh/openssh_4.3p2.orig.tar.gz
  to pool/main/o/openssh/ssh-askpass-gnome_4.3p2-1_powerpc.deb
  to pool/main/o/openssh/ssh_4.3p2-1_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 352042@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Hash: SHA1

Format: 1.7
Date: Fri, 12 May 2006 12:48:24 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.3p2-1
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 114894 259865 349645 349896 352042 360348 361032 361220
 openssh (1:4.3p2-1) unstable; urgency=low
   * New upstream release (closes: #361032).
     - CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
       subshell to perform local to local, and remote to remote copy
       operations. This subshell exposed filenames to shell expansion twice;
       allowing a local attacker to create filenames containing shell
       metacharacters that, if matched by a wildcard, could lead to execution
       of attacker-specified commands with the privilege of the user running
       scp (closes: #349645).
     - Add support for tunneling arbitrary network packets over a connection
       between an OpenSSH client and server via tun(4) virtual network
       interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN
       between the client and server providing real network connectivity at
       layer 2 or 3. This feature is experimental.
     - Reduce default key length for new DSA keys generated by ssh-keygen
       back to 1024 bits. DSA is not specified for longer lengths and does
       not fully benefit from simply making keys longer. As per FIPS 186-2
       Change Notice 1, ssh-keygen will refuse to generate a new DSA key
       smaller or larger than 1024 bits.
     - Fixed X forwarding failing to start when the X11 client is executed in
       background at the time of session exit.
     - Change ssh-keygen to generate a protocol 2 RSA key when invoked
       without arguments (closes: #114894).
     - Fix timing variance for valid vs. invalid accounts when attempting
       Kerberos authentication.
     - Ensure that ssh always returns code 255 on internal error
       (closes: #259865).
     - Cleanup wtmp files on SIGTERM when not using privsep.
     - Set SO_REUSEADDR on X11 listeners to avoid problems caused by
       lingering sockets from previous session (X11 applications can
       sometimes not connect to (closes:
     - Ensure that fds 0, 1 and 2 are always attached in all programs, by
       duping /dev/null to them if necessary.
     - Xauth list invocation had bogus "." argument.
     - Remove internal assumptions on key exchange hash algorithm and output
       length, preparing OpenSSH for KEX methods with alternate hashes.
     - Ignore junk sent by a server before it sends the "SSH-" banner.
     - Many manual page improvements.
     - Lots of cleanups, including fixes to memory leaks on error paths and
       possible crashes.
   * Update to current GSSAPI patch from
     (closes: #352042).
   * debian/rules: Resynchronise CFLAGS with that generated by configure.
   * Restore pam_nologin to /etc/pam.d/ssh; sshd no longer checks this itself
     when PAM is enabled, but relies on PAM to do it.
   * Rename KeepAlive to TCPKeepAlive in default sshd_config
     (closes: #349896).
   * Rephrase ssh/new_config and ssh/encrypted_host_key_but_no_keygen debconf
     templates to make boolean short descriptions end with a question mark
     and to avoid use of the first person.
   * Ship README.tun.
   * Policy version 3.7.2: no changes required.
   * debconf template translations:
     - Update Italian (thanks, Luca Monducci; closes: #360348).
     - Add Galician (thanks, Jacobo Tarrio; closes: #361220).
 8d1f58e7d3b425bd1ef12e3371ffc68f 990 net standard openssh_4.3p2-1.dsc
 239fc801443acaffd4c1f111948ee69c 920186 net standard openssh_4.3p2.orig.tar.gz
 a8c086845a068a536ca0dc3321bd521a 162625 net standard openssh_4.3p2-1.diff.gz
 a22fdf533137fa2d03a61dde4d4f580f 1052 net extra ssh_4.3p2-1_all.deb
 d9ceadbb42d05c28581275e87038e6ec 623544 net standard openssh-client_4.3p2-1_powerpc.deb
 bd5163ae4860b2cbbe89eaaad7ad0a63 223824 net optional openssh-server_4.3p2-1_powerpc.deb
 c0f609fd7ba81691924e44da1c23106d 98662 gnome optional ssh-askpass-gnome_4.3p2-1_powerpc.deb
 9c37157b73710391a8e893b735732d68 165182 debian-installer optional openssh-client-udeb_4.3p2-1_powerpc.udeb
 b74fff399f1586d316f284454abef7a0 168630 debian-installer optional openssh-server-udeb_4.3p2-1_powerpc.udeb
Package-Type: udeb

Version: GnuPG v1.4.3 (GNU/Linux)


--- End Message ---

Reply to: