Bug#714526: marked as done (Should close stderr when becoming multiplex master)

To: Colin Watson <cjwatson@debian.org>
Subject: Bug#714526: marked as done (Should close stderr when becoming multiplex master)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Fri, 22 Jul 2016 17:27:29 +0000
Message-id: <[🔎] handler.714526.D714526.14692083758850.ackdone@bugs.debian.org>
References: <E1bQeDG-0007N0-6U@franck.debian.org> <20130630131418.GA28796@bogon.sigxcpu.org>

Your message dated Fri, 22 Jul 2016 17:26:14 +0000
with message-id <E1bQeDG-0007N0-6U@franck.debian.org>
and subject line Bug#714526: fixed in openssh 1:7.2p2-6
has caused the Debian Bug report #714526,
regarding Should close stderr when becoming multiplex master
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
714526: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714526
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Should close stderr when becoming multiplex master
From: Guido Günther <agx@sigxcpu.org>
Date: Sun, 30 Jun 2013 15:14:18 +0200
Message-id: <20130630131418.GA28796@bogon.sigxcpu.org>

Package: openssh-client
Version: 1:6.2p2-5
Severity: wishlist
Tags: patch

Hi,
when becoming multiplex master and not closing stderr processes can hand
as described in #708296. This happens since Python's subprocess module
won't terminate Popen.communicate() when the chield dies but only when
it receives EOF on the fd.

While this is arguably a bug in python's subprocess module [1] being
"half" a daemon and closing most file descriptors like ssh currently
does is bad either.

I'm happy to modify the patch to not close stderr e.g. in case of
running in debug mode but wanted to get your feedback first.

Cheers,
 -- Guido

[1] http://bugs.python.org/issue4216



-- System Information:
Debian Release: jessie/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.16.10
ii  libc6             2.17-3
ii  libedit2          2.11-20080614-6
ii  libgssapi-krb5-2  1.10.1+dfsg-5+deb7u1
ii  libselinux1       2.1.13-2
ii  libssl1.0.0       1.0.1e-3
ii  passwd            1:4.1.5.1-1
ii  zlib1g            1:1.2.8.dfsg-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.7-1

Versions of packages openssh-client suggests:
pn  keychain                 <none>
pn  libpam-ssh               <none>
pn  monkeysphere             <none>
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  ssh-askpass              1:1.2.4.1-9

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/bin/ssh (from openssh-client package)

>From e10183e072dd2e815ffbc4d82e59a03cfa029099 Mon Sep 17 00:00:00 2001
Message-Id: <e10183e072dd2e815ffbc4d82e59a03cfa029099.1372597574.git.agx@sigxcpu.org>
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Sun, 30 Jun 2013 15:04:11 +0200
Subject: [PATCH] Close stderr iff multiplex master

When we're becoming the multiplex master we should close all file
descriptors by default including stderr. Everything else might
yield surprises to the user like:

    http://bugs.debian.org/708296

While this is arguably a bug in python's subprocess being "half"
a daemon and closing most file descriptors is bad either.
---
 ssh.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ssh.c b/ssh.c
index 5ec89f2..4552151 100644
--- a/ssh.c
+++ b/ssh.c
@@ -990,7 +990,8 @@ control_persist_detach(void)
 		    strerror(errno));
 	} else {
 		if (dup2(devnull, STDIN_FILENO) == -1 ||
-		    dup2(devnull, STDOUT_FILENO) == -1)
+		    dup2(devnull, STDOUT_FILENO) == -1 ||
+		    dup2(devnull, STDERR_FILENO) == -1)
 			error("%s: dup2: %s", __func__, strerror(errno));
 		if (devnull > STDERR_FILENO)
 			close(devnull);
-- 
1.8.3.1

--- End Message ---

--- Begin Message ---

To: 714526-close@bugs.debian.org
Subject: Bug#714526: fixed in openssh 1:7.2p2-6
From: Colin Watson <cjwatson@debian.org>
Date: Fri, 22 Jul 2016 17:26:14 +0000
Message-id: <E1bQeDG-0007N0-6U@franck.debian.org>

Source: openssh
Source-Version: 1:7.2p2-6

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 714526@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 22 Jul 2016 17:06:19 +0100
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.2p2-6
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 714526 751636 766887 822997 823827 831902
Changes:
 openssh (1:7.2p2-6) unstable; urgency=medium
 .
   * debian/watch: Switch to HTTP (thanks, Nicholas Luedtke; closes:
     #822997).
   * Copy summary of supported SFTP protocol versions from upstream's
     PROTOCOL file into the openssh-sftp-server package description (closes:
     #766887).
   * Set SSH_PROGRAM=/usr/bin/ssh1 when building openssh-client-ssh1 so that
     scp1 works (reported by Olivier MATZ).
   * Retroactively add a NEWS.Debian entry for the UseDNS change in 6.9 (see
     LP #1588457).
   * CVE-2016-6210: Mitigate user enumeration via covert timing channel
     (closes: #831902).
   * Backport upstream patch to close ControlPersist background process
     stderr when not in debug mode or when logging to a file or syslog
     (closes: #714526).
   * Add a session cleanup script and a systemd unit file to trigger it,
     which serves to terminate SSH sessions cleanly if systemd doesn't do
     that itself, often because libpam-systemd is not installed (thanks,
     Vivek Das Mohapatra, Tom Hutter, and others; closes: #751636).
   * Stop generating DSA host keys by default (thanks, Santiago Vila; closes:
     #823827).
Checksums-Sha1:
 2170a722d423c610aebff6c7d46851fb88316348 2837 openssh_7.2p2-6.dsc
 74c23afda7155665754613e32106434aa5ae105f 154028 openssh_7.2p2-6.debian.tar.xz
Checksums-Sha256:
 2e071288cb930a73414d8cd2c4050b8db583970df13ec7ee47a0150c87b8382e 2837 openssh_7.2p2-6.dsc
 d02a0ad674537b470348807e522496f3c06f7893bfd11b5de809a9cfa5b1176f 154028 openssh_7.2p2-6.debian.tar.xz
Files:
 6b199afe03c15f81d0e758383fee1200 2837 net standard openssh_7.2p2-6.dsc
 15f3b542b8e3378a329acd5eb86ac9a8 154028 net standard openssh_7.2p2-6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iQIVAwUBV5JHkDk1h9l9hlALAQj+hQ/+PBz3IIxgy7hxdy/H+j3nIBIk6nhRV3By
gVQIkNo7t0mnSlfQmQtyVrdzuPuiwItLgYzhNOODIyAqNBxuQVLbv3bNH1Y9n3Do
2SB+KTAxHoKIqF2323r1n0OjIlpot7aI8uX6jZ+Cv5BMQwwtZMqgmlwJll1PUeSL
LVbGVOwy3iOZcNpSAWi7LRcoRMdsNi5myqFB03exOq3026zDmjGEUgrpJC6Dhjyi
lQ64vS/neB97Ww8XtWRclmdnTA0d2VuTS5uvzTGVihV2VZtaRi6WTl4kbiABYRES
YnYFcKQnV4rI7yXTGLXzBeSmWowanzeGW8ppFg3HYQx43rR9pJ/UYX/g2PVVqVvx
Y+W9t10AMX7Fn9PnbY905nAig4kp3GgOWqV5tTaaupVzWXlPIlOmKNvvfnuCJJDk
P3U5vIMueTt+7FOapcbj6MnMktLeoqwrij0alD4CiLF0KTo1PCLM/mkQY76tBwEP
UcbSMBlFhsy4OBLq3qOR017NSo1TXdfSF7CpA/VB9bzbJkHULuVs17G/oHhBV4X/
6QH1AiH0bLReuTxCqbD/uoIjMbOkCjvUHCUbXGdXSMctyv1zYiw7uZJwpB6XU0Do
vmuKMn2IoDtow5OlSD0akLRaXTaNCH2N8Kg5pgPVzIG5XUiJZWoS4U6b8lzuzctz
/2yteQ0fDcQ=
=33BL
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

Prev by Date: Processed: reassign 822960 to openssh-client, forcibly merging 714526 822960
Next by Date: Bug#822960: marked as done (openssh: please consider to apply/backport upstream commit 4fb726f0fdcb155ad419913cea10dc4afd409d24)
Previous by thread: Processed: reassign 822960 to openssh-client, forcibly merging 714526 822960
Next by thread: Bug#822960: marked as done (openssh: please consider to apply/backport upstream commit 4fb726f0fdcb155ad419913cea10dc4afd409d24)
Index(es):
- Date
- Thread