
Bug#844494: marked as done (reopen: Should close stderr when becoming multiplex master)



Your message dated Sun, 21 Oct 2018 10:04:53 +0000
with message-id <E1gEAbN-0007is-9c@fasolo.debian.org>
and subject line Bug#844494: fixed in openssh 1:7.9p1-1
has caused the Debian Bug report #844494,
regarding reopen: Should close stderr when becoming multiplex master
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
844494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844494
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:7.3p1-3+b1
Severity: normal

Dear Maintainer,

I think that the bug
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714526 is still
live, after upgrading to 1:7.3p1-3+b1 (should have been fixed still
1:7.2p2-6).

I straced SSH with and without `ControlMaster` and extracted relevant
bits of information, redacting it, and removing useless lines. First,
without `ControlMaster`:

```
# Here, Python 3 Popen prepares pipes for stdin, stdout, and stderr:
7880  1479228055.059186 pipe2([8, 9], O_CLOEXEC) = 0
7880  1479228055.059226 pipe2([10, 11], O_CLOEXEC) = 0
7880  1479228055.059258 pipe2([12, 13], O_CLOEXEC) = 0
# Then ssh is cloned:
7880  1479228055.060158 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f7bfd7fa9d0) = 7949
7949  1479228055.121259 <... clone resumed> child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fd3f2a63650) = 7954
7954  1479228055.121135 execve("/bin/sh", ["/bin/sh", "-c", "exec ssh user@gate.redacted -W dev2.redacted:22"], [/* 16 vars */] <unfinished ...>
# Normal exit
7949  1479228055.592488 +++ exited with 0 +++
7871  1479228055.592519 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7949, si_uid=1003, si_status=0, si_utime=0, si_stime=2} ---
7954  1479228055.592786 exit_group(129) = ?
# Python receives EOF on stdout AND stderr
7880  1479228055.694455 read(12,  <unfinished ...>
7880  1479228055.694480 <... read resumed> "", 32768) = 0
7880  1479228055.738380 read(10,  <unfinished ...>
7880  1479228055.738410 <... read resumed> "", 32768) = 0
# So, as the process is exited, AND stdout/stderr had their EOF, Python 3 subprocess.Popen.communicate allows itself to wait for it:
7880  1479228055.924898 wait4(7949,  <unfinished ...>
7880  1479228055.925334 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 7949
```

Now, with `ControlMaster`:

```
# Same pipes for stdin, stdout, and stderr from Python Popen:
6749  1479227922.771783 pipe2([8, 9], O_CLOEXEC) = 0
6749  1479227922.771831 pipe2([10, 11], O_CLOEXEC) = 0
6749  1479227922.771865 pipe2([12, 13], O_CLOEXEC) = 0
# A bunch of clones, SSH starting its master process:
6749  1479227922.774839 <... clone resumed> child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fa1957fa9d0) = 6824
6824  1479227922.818219 <... clone resumed> child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7ff4c6f11650) = 6827
6827  1479227922.820940 execve("/bin/sh", ["/bin/sh", "-c", "exec ssh user@redacted -W redacted:22"], [/* 16 vars */] <unfinished ...>
6824  1479227923.204918 <... clone resumed> child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7ff4c6f11650) = 6856
6856  1479227923.205441 <... clone resumed> child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7ff4c6f11650) = 6857
6857  1479227923.206004 <... clone resumed> child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7ff4c6f11650) = 6858
# Normal exit after work is done:
6824  1479227923.335999 +++ exited with 0 +++
6749  1479227923.336042 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=6824, si_uid=1003, si_status=0, si_utime=0, si_stime=0} ---
# Python is getting EOF on STDOUT
6749  1479227923.336086 read(10, "", 32768) = 0
# But here, process is a zombie (dead but not awaited), after like a minute,
# I send a SIGINT and a SIGQUIT to the Python process, so everyone dies and finally:
6749  1479227986.358448 read(12, "", 32768) = 0
6827  1479227986.328027 exit_group(130) = ?
6858  1479227986.329254 exit_group(255) = ?
6749  1479227986.578489 wait4(6824,  <unfinished ...>
6749  1479227986.578546 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 6824
```

So here it looks like the bug is exactly the same as before: stdout is
closed but stderr is kept open. As Python's
`subprocess.Popen.communicate` wants to wait for both to be closed before
waiting for the process, it leads to a stuck Python process and zombies.

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (900, 'stable'), (200, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.27
ii  libc6             2.24-5
ii  libedit2          3.1-20140620-2
ii  libgssapi-krb5-2  1.14.3+dfsg-2
ii  libselinux1       2.3-2
ii  libssl1.0.2       1.0.2j-1
ii  passwd            1:4.2-3+deb8u1
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information

--- End Message ---
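
The hang described in this report can be reproduced without ssh. The following is an added example, not part of the original report or of OpenSSH: a constructed `/bin/sh` child stands in for ssh and its background `sleep` stands in for the multiplex master that inherits stderr. The names `run_child` and `LINGER` and the caller-side timeout are assumptions of the example.

```python
import subprocess
import time

# Constructed stand-in for "ssh becomes multiplex master": the shell exits
# at once, while a background process (the "master") lives LINGER seconds.
LINGER = 2.0


def run_child(master_keeps_stderr, timeout=None):
    """Return (seconds spent in communicate(), exit status of the child)."""
    # The background process always drops stdout, as in the second trace.
    # It drops stderr too only when the "fix" is applied on the child side.
    redirect = ">/dev/null" if master_keeps_stderr else ">/dev/null 2>&1"
    proc = subprocess.Popen(
        ["/bin/sh", "-c", f"sleep {LINGER} {redirect} & exit 0"],
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    start = time.monotonic()
    try:
        # communicate() reads stdout and stderr until EOF on both, and only
        # then reaps the child. EOF on stderr needs every holder of the
        # write end to close it, including the lingering background process.
        proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        # Caller-side mitigation: stop waiting for EOF on the pipes and
        # reap the direct child, which has already exited.
        proc.stdout.close()
        proc.stderr.close()
        proc.wait()
    return time.monotonic() - start, proc.returncode


if __name__ == "__main__":
    for label, args in [
        ("master keeps stderr (hang until master exits)", (True,)),
        ("master closes stderr (fixed behaviour)", (False,)),
        ("master keeps stderr, caller uses timeout", (True, 0.3)),
    ]:
        elapsed, status = run_child(*args)
        print(f"{label}: {elapsed:.2f}s, exit status {status}")
```

In the first case the direct child is already dead and unreaped for the whole wait, which matches the zombie seen in the second trace.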
--- Begin Message ---
Source: openssh
Source-Version: 1:7.9p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 844494@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 21 Oct 2018 10:39:24 +0100
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.9p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 177406 789532 828475 844494
Changes:
 openssh (1:7.9p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-7.9):
     - ssh(1), sshd(8): allow most port numbers to be specified using service
       names from getservbyname(3) (typically /etc/services; closes:
       #177406).
     - ssh(1): allow the IdentityAgent configuration directive to accept
       environment variable names.  This supports the use of multiple agent
       sockets without needing to use fixed paths.
     - sshd(8): support signalling sessions via the SSH protocol.  A limited
       subset of signals is supported and only for login or command sessions
       (i.e. not subsystems) that were not subject to a forced command via
       authorized_keys or sshd_config.
     - ssh(1): support "ssh -Q sig" to list supported signature options.
       Also "ssh -Q help" to show the full set of supported queries.
     - ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and
       server configs to allow control over which signature formats are
       allowed for CAs to sign certificates.  For example, this allows
       banning CAs that sign certificates using the RSA-SHA1 signature
       algorithm.
     - sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke
       keys specified by SHA256 hash.
     - ssh-keygen(1): allow creation of key revocation lists directly from
       base64-encoded SHA256 fingerprints.  This supports revoking keys using
       only the information contained in sshd(8) authentication log messages.
     - ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
       attempting to load PEM private keys while using an incorrect
       passphrase.
     - sshd(8): when a channel closed message is received from a client,
       close the stderr file descriptor at the same time stdout is closed.
       This avoids stuck processes if they were waiting for stderr to close
       and were insensitive to stdin/out closing (closes: #844494).
     - ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
       forwarding timeout and support X11 forwarding indefinitely.
       Previously the behaviour of ForwardX11Timeout=0 was undefined.
     - sshd(8): when compiled with GSSAPI support, cache supported method
       OIDs regardless of whether GSSAPI authentication is enabled in the
       main section of sshd_config.  This avoids sandbox violations if GSSAPI
       authentication was later enabled in a Match block.
     - sshd(8): do not fail closed when configured with a text key revocation
       list that contains a too-short key.
     - ssh(1): treat connections with ProxyJump specified the same as ones
       with a ProxyCommand set with regards to hostname canonicalisation
       (i.e. don't try to canonicalise the hostname unless
       CanonicalizeHostname is set to 'always').
     - ssh(1): fix regression in OpenSSH 7.8 that could prevent public-key
       authentication using certificates hosted in a ssh-agent(1) or against
       sshd(8) from OpenSSH <7.8 (LP: #1790963).
     - All: support building against the openssl-1.1 API (releases 1.1.0g and
       later).  The openssl-1.0 API will remain supported at least until
       OpenSSL terminates security patch support for that API version
       (closes: #828475).
     - sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox;
       apparently required by some glibc/OpenSSL combinations.
   * Remove dh_builddeb override to use xz compression; this has been the
     default since dpkg 1.17.0.
   * Simplify debian/rules using /usr/share/dpkg/default.mk.
   * Remove /etc/network/if-up.d/openssh-server, as it causes more problems
     than it solves (thanks, Christian Ehrhardt, Andreas Hasenack, and David
     Britton; closes: #789532, LP: #1037738, #1674330, #1718227).  Add an
     "if-up hook removed" section to README.Debian documenting the corner
     case that may need configuration adjustments.

--- End Message ---