Bug#905227: marked as done (openssh-server: SSH AuthorizedKeysCommand hangs when output is too large)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Wed, 01 Aug 2018 17:50:32 +0200
with message-id <1714888.9ysFh9GC0X@c07060>
and subject line Re: Bug#905227: Acknowledgement (openssh-server: SSH AuthorizedKeysCommand hangs when output is too large)
has caused the Debian Bug report #905227,
regarding openssh-server: SSH AuthorizedKeysCommand hangs when output is too large
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
905227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905227
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: openssh-server: SSH AuthorizedKeysCommand hangs when output is too large
• From: Dennis Schridde <dennis.schridde@uni-heidelberg.de>
• Date: Wed, 01 Aug 2018 17:13:48 +0200
• Message-id: <[🔎] 153313642823.24307.14872080838075083561.reportbug@fireserv.urz.uni-heidelberg.de>

Package: openssh-server
Version: 1:7.4p1-10+deb9u3
Severity: important
Tags: patch upstream

Dear Maintainer,

when sshd's AuthorizedKeysCommand outputs a lot of keys and the match is close to the beginning of the output sshd will deadlock.  Upstream has a patch ready to fix this issue, which would need to be backported to OpenSSH 7.4 as used by Debian 9.

Patch: https://github.com/openssh/openssh-portable/commit/ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2

See-Also: https://bugzilla.mindrot.org/show_bug.cgi?id=2655
See-Also: https://bugzilla.redhat.com/show_bug.cgi?id=1496467


-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  dpkg                   1.18.25
ii  init-system-helpers    1.48
ii  libaudit1              1:2.6.7-2
ii  libc6                  2.24-11+deb9u3
ii  libcomerr2             1.43.4-2
ii  libgssapi-krb5-2       1.15-1+deb9u1
ii  libkrb5-3              1.15-1+deb9u1
ii  libpam-modules         1.1.8-3.6
ii  libpam-runtime         1.1.8-3.6
ii  libpam0g               1.1.8-3.6
ii  libselinux1            2.6-3+b3
ii  libssl1.0.2            1.0.2l-2+deb9u3
ii  libsystemd0            232-25+deb9u4
ii  libwrap0               7.6.q-26
ii  lsb-base               9.20161125
ii  openssh-client         1:7.4p1-10+deb9u3
ii  openssh-sftp-server    1:7.4p1-10+deb9u3
ii  procps                 2:3.3.12-3+deb9u1
ii  ucf                    3.0036
ii  zlib1g                 1:1.2.8.dfsg-5

Versions of packages openssh-server recommends:
ii  libpam-systemd  232-25+deb9u4
ii  ncurses-term    6.0+20161126-1+deb9u2
ii  xauth           1:1.0.9-1+b2

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/permit-root-login: true

>From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 30 Dec 2016 22:08:02 +0000
Subject: [PATCH] upstream commit

fix deadlock when keys/principals command produces a lot of
output and a key is matched early; bz#2655, patch from jboning AT gmail.com

Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
---
 auth2-pubkey.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 20f3309e1..70c021589 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.60 2016/11/30 02:57:40 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.61 2016/12/30 22:08:02 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
 
 	ok = process_principals(f, NULL, pw, cert);
 
+	fclose(f);
+	f = NULL;
+
 	if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
 		goto out;
 
@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 
 	ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
 
+	fclose(f);
+	f = NULL;
+
 	if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
 		goto out;
 

--- End Message ---

--- Begin Message ---

• To: 905227-done@bugs.debian.org
• Subject: Re: Bug#905227: Acknowledgement (openssh-server: SSH AuthorizedKeysCommand hangs when output is too large)
• From: Dennis Schridde <dennis.schridde@uni-heidelberg.de>
• Date: Wed, 01 Aug 2018 17:50:32 +0200
• Message-id: <1714888.9ysFh9GC0X@c07060>
• In-reply-to: <handler.905227.B.153313797610027.ack@bugs.debian.org>
• References: <[🔎] 153313642823.24307.14872080838075083561.reportbug@fireserv.urz.uni-heidelberg.de> <handler.905227.B.153313797610027.ack@bugs.debian.org>

Duplicate of bug #905228

Attachment: signature.asc
Description: This is a digitally signed message part.

--- End Message ---