
Bug#498684: marked as done (openssh-server: sshd segfaults on system with badly configured SE Linux, ssh_selinux_getctxbyname() bug)



Your message dated Mon, 04 Jan 2010 15:44:23 +0000
with message-id <E1NRp6V-0006eS-CQ@ries.debian.org>
and subject line Bug#498684: fixed in openssh 1:5.2p1-1
has caused the Debian Bug report #498684,
regarding openssh-server: sshd segfaults on system with badly configured SE Linux, ssh_selinux_getctxbyname() bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
498684: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498684
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:5.1p1-2
Severity: normal
Tags: patch

Hi,
while experimenting with running sshd under a bad SE Linux security context,
I found that it dies with a segmentation fault! This condition can
happen when someone builds and installs an SE Linux policy without
relabeling the file system, for example (/usr/sbin/sshd has an old, now bad
context). The problem is caused by an uninitialized variable in
ssh_selinux_getctxbyname().
The patch is attached and should probably be reported upstream.

Here is how to reproduce the problem:

sid:~# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        default

sid:~# chcon -t bin_t /usr/sbin/sshd 

sid:~# ls -Z /usr/sbin/sshd
system_u:object_r:bin_t:s0 /usr/sbin/sshd

sid:~# /usr/sbin/sshd -oUsePrivilegeSeparation=no -d -p 2222
debug1: sshd version OpenSSH_5.1p1 Debian-2
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-oUsePrivilegeSeparation=no'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-p'
debug1: rexec_argv[4]='2222'
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 172.31.0.128 port 43786
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-2
debug1: match: OpenSSH_5.1p1 Debian-2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-2
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user zito service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "zito"
debug1: PAM: setting PAM_RHOST to "xenbr0.localdomain"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for zito from 172.31.0.128 port 43786 ssh2
debug1: userauth-request for user zito service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/zito/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/zito/.ssh/authorized_keys, line 2
Found matching RSA key: 8f:23:fc:1f:01:49:a7:f8:93:f5:c0:bb:d2:fa:81:36
debug1: restore_uid: 0/0
Postponed publickey for zito from 172.31.0.128 port 43786 ssh2
debug1: userauth-request for user zito service ssh-connection method publickey
debug1: attempt 2 failures 0
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/zito/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/zito/.ssh/authorized_keys, line 2
Found matching RSA key: 8f:23:fc:1f:01:49:a7:f8:93:f5:c0:bb:d2:fa:81:36
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for zito from 172.31.0.128 port 43786 ssh2
debug1: PAM: establishing credentials
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request x11-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug1: channel 1: new [X11 inet listener]
debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request auth-agent-req@openssh.com reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req auth-agent-req@openssh.com
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: restore_uid: 0/0
debug1: channel 3: new [auth socket]
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/1
debug1: SELinux support enabled
ssh_selinux_getctxbyname: Failed to get default SELinux security context for zito
Segmentation fault


Thanks.
-- 
Zito

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser               3.110              add and remove users and groups
ii  debconf [debconf-2.0] 1.5.23             Debian configuration management sy
ii  dpkg                  1.14.22            Debian package management system
ii  libc6                 2.7-13             GNU C Library: Shared libraries
ii  libcomerr2            1.41.1-3           common error description library
ii  libkrb53              1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii  libpam-modules        1.0.1-4            Pluggable Authentication Modules f
ii  libpam-runtime        1.0.1-4            Runtime support for the PAM librar
ii  libpam0g              1.0.1-4            Pluggable Authentication Modules l
ii  libselinux1           2.0.65-4           SELinux shared libraries
ii  libssl0.9.8           0.9.8g-13          SSL shared libraries
ii  libwrap0              7.6.q-16           Wietse Venema's TCP wrappers libra
ii  lsb-base              3.2-20             Linux Standard Base 3.2 init scrip
ii  openssh-blacklist     0.4.1              list of default blacklisted OpenSS
ii  openssh-client        1:5.1p1-2          secure shell client, an rlogin/rsh
ii  zlib1g                1:1.2.3.3.dfsg-12  compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.3-2  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)

-- debconf information excluded
--- openssh-5.1p1.orig/openbsd-compat/port-linux.c	2008-09-12 10:57:57.000000000 +0200
+++ openssh-5.1p1/openbsd-compat/port-linux.c	2008-09-12 10:22:20.000000000 +0200
@@ -69,7 +69,7 @@
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
-	security_context_t sc;
+	security_context_t sc = NULL;
 	char *sename = NULL, *role = NULL, *lvl = NULL;
 	int r;
 
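Review bot: callers of ssh_selinux_getctxbyname() need a NULL check to go with the new "sc = NULL" initialiser, and none is visible in this hunk. With sc now starting as NULL like sename, role and lvl on the following line, the path that logs "Failed to get default SELinux security context" hands NULL back instead of stack garbage, so please confirm every caller tests the result before using or freeing it. Setting sc explicitly in that error branch, or adding a one-line comment on the declaration, would also make the intended return value on failure clear to the next reader.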

--- End Message ---
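
The failure mode behind this report, modelled as an added example (not OpenSSH's code and not part of the original messages): a lookup that fails without writing its output pointer, a permissive-mode path that logs and continues, and the effect of the local's starting value. `lookup_default_context`, `start_session`, `STACK_RESIDUE` and the `initial_sc` parameter are hypothetical, and the control flow is an assumption based on the log above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum mode { PERMISSIVE, ENFORCING };
static char STACK_RESIDUE[] = "not-a-context"; /* constructed: models stack garbage */

/* Hypothetical lookup: 0 and a malloc'd context in *out on success;
 * -1 with *out left untouched when the user has no default context. */
static int lookup_default_context(const char *user, char **out)
{
    static const char ctx[] = "user_u:user_r:user_t:s0"; /* constructed sample */
    if (strcmp(user, "labelled") != 0 || (*out = malloc(sizeof ctx)) == NULL)
        return -1;
    memcpy(*out, ctx, sizeof ctx);
    return 0;
}

/* initial_sc stands in for the local's starting value: STACK_RESIDUE models
 * "security_context_t sc;", NULL models "security_context_t sc = NULL;". */
static char *getctxbyname(const char *user, enum mode m, char *initial_sc, int *fatal)
{
    char *sc = initial_sc;
    *fatal = 0;
    if (lookup_default_context(user, &sc) != 0) {
        if (m == ENFORCING) {
            *fatal = 1;          /* enforcing: refuse to continue */
            return NULL;
        }
        /* Permissive: log and carry on, so sc is returned as it stands. */
        fprintf(stderr, "Failed to get default context for %s\n", user);
    }
    return sc;
}

/* Caller for the fixed form. Returns 1 if a context was obtained, 0 if the
 * session continues without one, -1 on a fatal lookup failure. */
static int start_session(const char *user, enum mode m)
{
    int fatal;
    char *sc = getctxbyname(user, m, NULL, &fatal);
    if (fatal) return -1;
    if (sc == NULL) return 0;
    free(sc);                    /* only ever a malloc'd pointer here */
    return 1;
}

int main(void)
{
    int fatal;
    char *bad = getctxbyname("zito", PERMISSIVE, STACK_RESIDUE, &fatal);
    printf("unfixed returns residue: %d; fixed session: %d\n", bad == STACK_RESIDUE, start_session("zito", PERMISSIVE));
    return 0;
}
```

In the unfixed model the caller receives a pointer that was never a context, which is what a later use or free would crash on; with the NULL start value the same path is distinguishable and can be skipped.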
--- Begin Message ---
Source: openssh
Source-Version: 1:5.2p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.2p1-1_i386.udeb
  to main/o/openssh/openssh-client-udeb_5.2p1-1_i386.udeb
openssh-client_5.2p1-1_i386.deb
  to main/o/openssh/openssh-client_5.2p1-1_i386.deb
openssh-server-udeb_5.2p1-1_i386.udeb
  to main/o/openssh/openssh-server-udeb_5.2p1-1_i386.udeb
openssh-server_5.2p1-1_i386.deb
  to main/o/openssh/openssh-server_5.2p1-1_i386.deb
openssh_5.2p1-1.diff.gz
  to main/o/openssh/openssh_5.2p1-1.diff.gz
openssh_5.2p1-1.dsc
  to main/o/openssh/openssh_5.2p1-1.dsc
openssh_5.2p1.orig.tar.gz
  to main/o/openssh/openssh_5.2p1.orig.tar.gz
ssh-askpass-gnome_5.2p1-1_i386.deb
  to main/o/openssh/ssh-askpass-gnome_5.2p1-1_i386.deb
ssh-krb5_5.2p1-1_all.deb
  to main/o/openssh/ssh-krb5_5.2p1-1_all.deb
ssh_5.2p1-1_all.deb
  to main/o/openssh/ssh_5.2p1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 498684@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 04 Jan 2010 13:23:35 +0000
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:5.2p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 154434 415008 420682 496017 498684 505378 506115 507541 512198 513417 514313 524423 530692 536182 540623 555951 556644 561887
Changes: 
 openssh (1:5.2p1-1) unstable; urgency=low
 .
   * New upstream release (closes: #536182). Yes, I know 5.3p1 has been out
     for a while, but there's no GSSAPI patch available for it yet.
     - Change the default cipher order to prefer the AES CTR modes and the
       revised "arcfour256" mode to CBC mode ciphers that are susceptible to
       CPNI-957037 "Plaintext Recovery Attack Against SSH".
     - Add countermeasures to mitigate CPNI-957037-style attacks against the
       SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
       packet length or Message Authentication Code, ssh/sshd will continue
       reading up to the maximum supported packet length rather than
       immediately terminating the connection. This eliminates most of the
       known differences in behaviour that leaked information about the
       plaintext of injected data which formed the basis of this attack
       (closes: #506115, LP: #379329).
     - ForceCommand directive now accepts commandline arguments for the
       internal-sftp server (closes: #524423, LP: #362511).
     - Add AllowAgentForwarding to available Match keywords list (closes:
       #540623).
     - Make ssh(1) send the correct channel number for
       SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
       avoid triggering 'Non-public channel' error messages on sshd(8) in
       openssh-5.1.
     - Avoid printing 'Non-public channel' warnings in sshd(8), since the
       ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
       behaviour introduced in openssh-5.1; closes: #496017).
     - Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
       connections (closes: #507541).
     - Fix "whitepsace" typo in ssh_config(5) (closes: #514313, LP: #303835).
   * Update to GSSAPI patch from
     http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
     including cascading credentials support (LP: #416958).
   * Use x11.pc when compiling/linking gnome-ssh-askpass2 (closes: #555951).
   * Moved to bzr.debian.org; add Vcs-Bzr and Vcs-Browser control fields.
   * Add debian/README.source with instructions on bzr handling.
   * Make ChrootDirectory work with SELinux (thanks, Russell Coker; closes:
     #556644).
   * Initialise sc to NULL in ssh_selinux_getctxbyname (thanks, Václav Ovsík;
     closes: #498684).
   * Don't duplicate backslashes when displaying server banner (thanks,
     Michał Górny; closes: #505378, LP: #425346).
   * Use hardening-includes for hardening logic (thanks, Kees Cook; closes:
     #561887).
   * Update OpenSSH FAQ to revision 1.110.
   * Remove ssh/new_config, only needed for direct upgrades from potato which
     are no longer particularly feasible anyway (closes: #420682).
   * Cope with insserv reordering of init script links.
   * Remove init script stop link in rc1, as killprocs handles it already.
   * Adjust short descriptions to avoid relying on previous experience with
     rsh, based on suggestions from Reuben Thomas (closes: #512198).
   * Remove manual page references to login.conf, which aren't applicable on
     non-BSD systems (closes: #154434).
   * Remove/adjust manual page references to BSD-specific /etc/rc (closes:
     #513417).
   * Refer to sshd_config(5) rather than sshd(8) in postinst-written
     /etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped
     configuration file (closes: #415008, although unfortunately this will
     only be conveniently visible on new installations).
   * Include URL to OpenBSD's ssl(8) in ssh(1), since I don't see a better
     source for the same information among Debian's manual pages (closes:
     #530692, LP: #456660).
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFLQe3i9t0zAhD6TNERAqowAJ4uwSXTnpo0RZx0YNFNqhGU6myhGgCeNodS
2eYKn0f2TMRt6piaVN2o8Cs=
=WfwE
-----END PGP SIGNATURE-----



--- End Message ---
