Bug#505330: marked as done (ssh: glibc detected double free or corruption with local forwarding)

To: Colin Watson <cjwatson@debian.org>
Subject: Bug#505330: marked as done (ssh: glibc detected double free or corruption with local forwarding)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sun, 23 Nov 2008 15:33:17 +0000
Message-id: <[🔎] handler.505330.D505330.12274541126145.ackdone@bugs.debian.org>
References: <E1L4GTT-0001Qy-3p@ries.debian.org> <[🔎] 1226431300.17271.9.camel@sorbet.thuis.net>

Your message dated Sun, 23 Nov 2008 15:02:11 +0000
with message-id <E1L4GTT-0001Qy-3p@ries.debian.org>
and subject line Bug#505330: fixed in openssh 1:5.1p1-4
has caused the Debian Bug report #505330,
regarding ssh: glibc detected double free or corruption with local forwarding
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
505330: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505330
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: glibc detected double free or corruption with local forwarding
From: Arthur de Jong <adejong@debian.org>
Date: Tue, 11 Nov 2008 20:21:40 +0100
Message-id: <[🔎] 1226431300.17271.9.camel@sorbet.thuis.net>

Subject: ssh: glibc detected double free or corruption with local forwarding
Package: ssh
Version: 1:5.1p1-3
Severity: normal

When starting a local forward in an existing session a double free cash
can be forced. This is simple to reproduce:

% ssh somehost
[...]
% ~C
ssh> -L *.80:localhost:80
Bad forwarding specification.
*** glibc detected *** ssh: double free or corruption (fasttop): 0xb95431b0 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7ada6b4]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7adc8b6]
ssh[0xb7ee3c7d]
ssh[0xb7ec014b]
ssh(client_simple_escape_filter+0x5f)[0xb7ec0e5f]
ssh[0xb7ed5145]
ssh[0xb7ed5655]
ssh[0xb7ed93fb]
ssh[0xb7ec1af8]
ssh(main+0x1885)[0xb7ebaaa5]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7a82455]
ssh[0xb7eb8b01]
======= Memory map: ========
b7800000-b7821000 rw-p b7800000 00:00 0 
b7821000-b7900000 ---p b7821000 00:00 0 
b79be000-b79ca000 r-xp 00000000 08:01 379003     /lib/libgcc_s.so.1
b79ca000-b79cb000 rw-p 0000b000 08:01 379003     /lib/libgcc_s.so.1
b79cb000-b79d5000 r-xp 00000000 08:01 331425     /lib/i686/cmov/libnss_files-2.7.so
b79d5000-b79d7000 rw-p 00009000 08:01 331425     /lib/i686/cmov/libnss_files-2.7.so
b79d7000-b7a0c000 r--s 00000000 08:01 62598      /var/cache/nscd/services
b7a0c000-b7a41000 r--s 00000000 08:01 60442      /var/cache/nscd/passwd
b7a41000-b7a43000 rw-p b7a41000 00:00 0 
b7a43000-b7a58000 r-xp 00000000 08:01 331472     /lib/i686/cmov/libpthread-2.7.so
b7a58000-b7a5a000 rw-p 00014000 08:01 331472     /lib/i686/cmov/libpthread-2.7.so
b7a5a000-b7a5c000 rw-p b7a5a000 00:00 0 
b7a5c000-b7a5e000 r-xp 00000000 08:01 116464     /lib/libkeyutils-1.2.so
b7a5e000-b7a5f000 rw-p 00001000 08:01 116464     /lib/libkeyutils-1.2.so
b7a5f000-b7a60000 rw-p b7a5f000 00:00 0 
b7a60000-b7a67000 r-xp 00000000 08:01 174787     /usr/lib/libkrb5support.so.0.1
b7a67000-b7a68000 rw-p 00006000 08:01 174787     /usr/lib/libkrb5support.so.0.1
b7a68000-b7a6a000 r-xp 00000000 08:01 328990     /lib/i686/cmov/libdl-2.7.so
b7a6a000-b7a6c000 rw-p 00001000 08:01 328990     /lib/i686/cmov/libdl-2.7.so
b7a6c000-b7bc1000 r-xp 00000000 08:01 328979     /lib/i686/cmov/libc-2.7.so
b7bc1000-b7bc2000 r--p 00155000 08:01 328979     /lib/i686/cmov/libc-2.7.so
b7bc2000-b7bc4000 rw-p 00156000 08:01 328979     /lib/i686/cmov/libc-2.7.so
b7bc4000-b7bc7000 rw-p b7bc4000 00:00 0 
b7bc7000-b7bc9000 r-xp 00000000 08:01 281074     /lib/libcom_err.so.2.1
b7bc9000-b7bca000 rw-p 00001000 08:01 281074     /lib/libcom_err.so.2.1
b7bca000-b7bed000 r-xp 00000000 08:01 166307     /usr/lib/libk5crypto.so.3.1
b7bed000-b7bee000 rw-p 00023000 08:01 166307     /usr/lib/libk5crypto.so.3.1
b7bee000-b7bef000 rw-p b7bee000 00:00 0 
b7bef000-b7c81000 r-xp 00000000 08:01 174550     /usr/lib/libkrb5.so.3.3
b7c81000-b7c83000 rw-p 00092000 08:01 174550     /usr/lib/libkrb5.so.3.3
b7c83000-b7cac000 r-xp 00000000 08:01 166306     /usr/lib/libgssapi_krb5.so.2.2
b7cac000-b7cad000 rw-p 00028000 08:01 166306     /usr/lib/libgssapi_krb5.so.2.2
b7cad000-b7cb6000 r-xp 00000000 08:01 328989     /lib/i686/cmov/libcrypt-2.7.so
b7cb6000-b7cb8000 rw-p 00008000 08:01 328989     /lib/i686/cmov/libcrypt-2.7.so
b7cb8000-b7cdf000 rw-p b7cb8000 00:00 0 
b7cdf000-b7cf4000 r-xp 00000000 08:01 328997     /lib/i686/cmov/libnsl-2.7.so
b7cf4000-b7cf6000 rw-p 00014000 08:01 328997     /lib/i686/cmov/libnsl-2.7.so
b7cf6000-b7cf8000 rw-p b7cf6000 00:00 0 
b7cf8000-b7d0c000 r-xp 00000000 08:01 281046     /usr/lib/libz.so.1.2.3.3
b7d0c000-b7d0d000 rw-p 00013000 08:01 281046     /usr/lib/libz.so.1.2.3.3
b7d0d000-b7d0f000 r-xp 00000000 08:01 331477     /lib/i686/cmov/libutil-2.7.so
b7d0f000-b7d11000 rw-p 00001000 08:01 331477     /lib/i686/cmov/libutil-2.7.so
b7d11000-b7d12000 rw-p b7d11000 00:00 0 
b7d12000-b7e4c000 r-xp 00000000 08:01 115944     /usr/lib/i686/cmov/libcrypto.so.0.9.8
b7e4c000-b7e62000 rw-p 0013a000 08:01 115944     /usr/lib/i686/cmov/libcrypto.so.0.9.8
b7e62000-b7e65000 rw-p b7e62000 00:00 0 
b7e65000-b7e75000 r-xp 00000000 08:01 331473     /lib/i686/cmov/libresolv-2.7.so
b7e75000-b7e77000 rw-p 0000f000 08:01 331473     /lib/i686/cmov/libresolv-2.7.so
b7e77000-b7e79000 rw-p b7e77000 00:00 0 
b7e94000-b7e96000 rw-p b7e94000 00:00 0 
b7e96000-b7e97000 r-xp b7e96000 00:00 0          [vdso]
b7e97000-b7eb1000 r-xp 00000000 08:01 374678     /lib/ld-2.7.so
b7eb1000-b7eb3000 rw-p 0001a000 08:01 374678     /lib/ld-2.7.so
b7eb3000-b7f03000 r-xp 00000000 08:01 Abort

(the backtrace is formatted a little because the output is a little
messed up)

The problem does not occur when invoked in the command line or when used
in ~/.ssh/config.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ssh depends on:
ii  openssh-client                1:5.1p1-3  secure shell client, an rlogin/rsh
ii  openssh-server                1:5.1p1-3  secure shell server, an rshd repla

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --

Attachment: signature.asc
Description: This is a digitally signed message part

--- End Message ---

--- Begin Message ---

To: 505330-close@bugs.debian.org
Subject: Bug#505330: fixed in openssh 1:5.1p1-4
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 23 Nov 2008 15:02:11 +0000
Message-id: <E1L4GTT-0001Qy-3p@ries.debian.org>

Source: openssh
Source-Version: 1:5.1p1-4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.1p1-4_i386.udeb
  to pool/main/o/openssh/openssh-client-udeb_5.1p1-4_i386.udeb
openssh-client_5.1p1-4_i386.deb
  to pool/main/o/openssh/openssh-client_5.1p1-4_i386.deb
openssh-server-udeb_5.1p1-4_i386.udeb
  to pool/main/o/openssh/openssh-server-udeb_5.1p1-4_i386.udeb
openssh-server_5.1p1-4_i386.deb
  to pool/main/o/openssh/openssh-server_5.1p1-4_i386.deb
openssh_5.1p1-4.diff.gz
  to pool/main/o/openssh/openssh_5.1p1-4.diff.gz
openssh_5.1p1-4.dsc
  to pool/main/o/openssh/openssh_5.1p1-4.dsc
ssh-askpass-gnome_5.1p1-4_i386.deb
  to pool/main/o/openssh/ssh-askpass-gnome_5.1p1-4_i386.deb
ssh-krb5_5.1p1-4_all.deb
  to pool/main/o/openssh/ssh-krb5_5.1p1-4_all.deb
ssh_5.1p1-4_all.deb
  to pool/main/o/openssh/ssh_5.1p1-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 505330@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 23 Nov 2008 14:46:10 +0000
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:5.1p1-4
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 226172 495917 505330
Changes: 
 openssh (1:5.1p1-4) unstable; urgency=low
 .
   * ssh-copy-id: Strip trailing colons from hostname (closes: #226172,
     LP: #249706; thanks to Karl Goetz for nudging this along; forwarded
     upstream as https://bugzilla.mindrot.org/show_bug.cgi?id=1530).
   * Backport from upstream CVS (Markus Friedl):
     - Only send eow and no-more-sessions requests to openssh 5 and newer;
       fixes interop problems with broken ssh v2 implementations (closes:
       #495917).
   * Fix double-free when failing to parse a forwarding specification given
     using ~C (closes: #505330; forwarded upstream as
     https://bugzilla.mindrot.org/show_bug.cgi?id=1539).
Checksums-Sha1: 
 56eb2414098de3c598fc0152d86c7cefd6d8fabc 1500 openssh_5.1p1-4.dsc
 09d556c0772e15bc39330312d2b7ef939c0519d0 215803 openssh_5.1p1-4.diff.gz
 ba334b7acf58316460e3a6b5e34b1e2356a12ace 1202 ssh_5.1p1-4_all.deb
 9ee8b102d55ff44bb7c0cd81495d61ae5d5d5020 115316 ssh-krb5_5.1p1-4_all.deb
 9dd317a1487bcc50fc39df0f0fbd46dcbb1c8121 815804 openssh-client_5.1p1-4_i386.deb
 b42a22d64f8214e4f83f16b4aac762a337a3d106 294982 openssh-server_5.1p1-4_i386.deb
 43c618ff8514739dc396df8f350d31a5700aa45d 122846 ssh-askpass-gnome_5.1p1-4_i386.deb
 be2955a313e2ca3f87df21c500ead5b3ae452515 177222 openssh-client-udeb_5.1p1-4_i386.udeb
 e4e83ee4496aba9992b38374283aaafd58ec2cdd 198788 openssh-server-udeb_5.1p1-4_i386.udeb
Checksums-Sha256: 
 f367771afac21a1f33089627cbeb2d7e5fcf55aeac12ddaf5c734d652e154e21 1500 openssh_5.1p1-4.dsc
 e399bd90838350cc2a0ba15f936a85a432fd75e9f5f1aeb8df3d05a0d76be043 215803 openssh_5.1p1-4.diff.gz
 935fa746ac6c7320605f7c3cf9c378dedaa53058a45af5dc5fde978ab63730cc 1202 ssh_5.1p1-4_all.deb
 e3911ab85be44f97c2d4875a84ffe9d4e26ac8e5fca45e3c2eeaa2a8276964bb 115316 ssh-krb5_5.1p1-4_all.deb
 61969b9dac1d6f9bb7c3aaffe5baf39ec3e2fb0b2ffce03c7ea7df4a52d8fcb0 815804 openssh-client_5.1p1-4_i386.deb
 ce8c408d4a9d112f6ca30c95e835fddff46bc25ab4319a6fbb3c007952ecb49f 294982 openssh-server_5.1p1-4_i386.deb
 46c6932c747b1b1eb49d3f75fe73795c717fe11503254a65a5c75a2958398bd8 122846 ssh-askpass-gnome_5.1p1-4_i386.deb
 ba7912ef93ccabb554acccdcc24bd6657771a9da8409278b0a21cbdf504f4955 177222 openssh-client-udeb_5.1p1-4_i386.udeb
 af7ee2e663f656edeb9aa146f0edb6d7355a81c76cee9e77646037c8a7c79119 198788 openssh-server-udeb_5.1p1-4_i386.udeb
Files: 
 744b60d3a77bdb2e66d9077e80af9704 1500 net standard openssh_5.1p1-4.dsc
 4ece2314205ae8e012c38382dd7aff3c 215803 net standard openssh_5.1p1-4.diff.gz
 781923a1c6484a520f04ccca8450e6ca 1202 net extra ssh_5.1p1-4_all.deb
 1ceecc544c110721dc4dc1206c523c4a 115316 net extra ssh-krb5_5.1p1-4_all.deb
 c6612644a1a0d8df4307ba7cd042767a 815804 net standard openssh-client_5.1p1-4_i386.deb
 18dc57c2b6aaffac1554f0b5a361601e 294982 net optional openssh-server_5.1p1-4_i386.deb
 513af730861cf977537633e778582dc4 122846 gnome optional ssh-askpass-gnome_5.1p1-4_i386.deb
 fe0168f27cbe343bed4cd7a41e516e59 177222 debian-installer optional openssh-client-udeb_5.1p1-4_i386.udeb
 d1a88b498e5c3043ba9e85ad07e353a6 198788 debian-installer optional openssh-server-udeb_5.1p1-4_i386.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFJKW4t9t0zAhD6TNERAg7rAJ9wMGX8o92RYSbQ7rONpNkU6q6oNwCePy7U
P2cUat67UOkHS/Qa7CTHjmU=
=qKcl
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

References:
- Bug#505330: ssh: glibc detected double free or corruption with local forwarding
  - From: Arthur de Jong <adejong@debian.org>

Prev by Date: Accepted openssh 1:5.1p1-4 (source all i386)
Next by Date: Bug#226172: marked as done (ssh-copy-id should strip colon at the end)
Previous by thread: Processed: Re: Bug#505330: ssh: glibc detected double free or corruption with local forwarding
Next by thread: Bug#505378: openssh-client: Backslashes from a banner are printed twice
Index(es):
- Date
- Thread