
Bug#905226: marked as done (openssh-server: SSH AuthorizedKeysCommand hangs when output is too large)



Your message dated Sun, 11 Aug 2019 13:32:49 +0000
with message-id <E1hwnxp-0002bb-Ru@fasolo.debian.org>
and subject line Bug#905226: fixed in openssh 1:7.4p1-10+deb9u7
has caused the Debian Bug report #905226,
regarding openssh-server: SSH AuthorizedKeysCommand hangs when output is too large
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
905226: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905226
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:7.4p1-10+deb9u3
Severity: important
Tags: patch upstream

Dear Maintainer,

When sshd's AuthorizedKeysCommand outputs a lot of keys and the match is close to the beginning of the output, sshd will deadlock. Upstream has a patch ready to fix this issue, which would need to be backported to OpenSSH 7.4p1 as used by Debian 9.5.

Patch: https://github.com/openssh/openssh-portable/commit/ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2

See-Also: https://bugzilla.mindrot.org/show_bug.cgi?id=2655
See-Also: https://bugzilla.redhat.com/show_bug.cgi?id=1496467


-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  dpkg                   1.18.25
ii  init-system-helpers    1.48
ii  libaudit1              1:2.6.7-2
ii  libc6                  2.24-11+deb9u3
ii  libcomerr2             1.43.4-2
ii  libgssapi-krb5-2       1.15-1+deb9u1
ii  libkrb5-3              1.15-1+deb9u1
ii  libpam-modules         1.1.8-3.6
ii  libpam-runtime         1.1.8-3.6
ii  libpam0g               1.1.8-3.6
ii  libselinux1            2.6-3+b3
ii  libssl1.0.2            1.0.2l-2+deb9u3
ii  libsystemd0            232-25+deb9u4
ii  libwrap0               7.6.q-26
ii  lsb-base               9.20161125
ii  openssh-client         1:7.4p1-10+deb9u3
ii  openssh-sftp-server    1:7.4p1-10+deb9u3
ii  procps                 2:3.3.12-3+deb9u1
ii  ucf                    3.0036
ii  zlib1g                 1:1.2.8.dfsg-5

Versions of packages openssh-server recommends:
ii  libpam-systemd  232-25+deb9u4
ii  ncurses-term    6.0+20161126-1+deb9u2
ii  xauth           1:1.0.9-1+b2

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/permit-root-login: true
From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 30 Dec 2016 22:08:02 +0000
Subject: [PATCH] upstream commit

fix deadlock when keys/principals command produces a lot of
output and a key is matched early; bz#2655, patch from jboning AT gmail.com

Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
---
 auth2-pubkey.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 20f3309e1..70c021589 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.60 2016/11/30 02:57:40 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.61 2016/12/30 22:08:02 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
 
 	ok = process_principals(f, NULL, pw, cert);
 
+	fclose(f);
+	f = NULL;
+
 	if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
 		goto out;
 
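Review bot: In match_principals_command(), `fclose(f)` now runs before `exited_cleanly()`, so a command that is still writing when process_principals() returns has its output cut off, and if it reports that as a failure the check right after takes `goto out`. The lines that consume `ok` are outside this hunk; please confirm that an early match is not thrown away on that path, or document that an AuthorizedPrincipalsCommand must still exit cleanly when its stdout is closed on it.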
@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 
 	ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
 
+	fclose(f);
+	f = NULL;
+
 	if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
 		goto out;
 
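Review bot: The `fclose(f); f = NULL;` added before `exited_cleanly()` in user_key_command_allowed2() carries no comment saying that the close has to come before the wait, and that ordering is the whole fix. A one-line comment above it, for example `/* close first so the command cannot block on a full pipe while we wait */`, would keep a later cleanup from moving the close back after the wait; the same applies to the identical lines added in match_principals_command().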

--- End Message ---
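The deadlock described in the report, reduced to a stand-alone C program (an added example, not code from OpenSSH or from the bug report): a parent stops reading a child's pipe after the first line and then waits for the child. `command_exits`, `LINE`, the output size and the one-second bounded wait are assumptions made for the demonstration; the bounded wait stands in for the wait that never returns in the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed placeholder line; the stand-in command emits it 100000 times (~5 MB). */
static const char LINE[] = "ssh-ed25519 AAAA-constructed-placeholder user@example\n";

/* 1: command exited within ~1 s of the early match; 0: still blocked in write(); -1: setup error. */
int command_exits(int close_before_wait)
{
	int p[2], status, exited = 0;
	char buf[256];
	struct timespec tick = { 0, 100 * 1000 * 1000 };	/* 100 ms */
	pid_t pid;
	FILE *f;
	if (pipe(p) != 0 || (pid = fork()) < 0)
		return -1;
	if (pid == 0) {			/* stand-in for the keys command */
		close(p[0]);
		for (int i = 0; i < 100000; i++)
			if (write(p[1], LINE, sizeof(LINE) - 1) < 0)
				_exit(1);	/* reader closed the pipe */
		_exit(0);
	}
	close(p[1]);
	if ((f = fdopen(p[0], "r")) == NULL || fgets(buf, sizeof(buf), f) == NULL)
		return -1;
	/* The first line counts as the match: the parent reads nothing more. */
	if (close_before_wait) {	/* ordering introduced by the patch */
		fclose(f);
		f = NULL;
	}
	for (int i = 0; i < 10 && !exited; i++) {	/* bounded stand-in for a blocking wait */
		exited = (waitpid(pid, &status, WNOHANG) == pid);
		if (!exited)
			nanosleep(&tick, NULL);
	}
	if (f != NULL)
		fclose(f);		/* late close releases a writer that is still blocked */
	if (!exited)
		waitpid(pid, &status, 0);
	return exited;
}

int main(void)
{
	printf("wait first: %d\nclose first: %d\n", command_exits(0), command_exits(1));
	return 0;
}
```

With the wait first, the writer sits on a full pipe for the whole polling window; with the close first, its next write fails and it exits at once.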
--- Begin Message ---
Source: openssh
Source-Version: 1:7.4p1-10+deb9u7

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 905226@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jul 2019 15:32:09 +0200
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source amd64 all
Version: 1:7.4p1-10+deb9u7
Distribution: stretch
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 905226
Changes:
 openssh (1:7.4p1-10+deb9u7) stretch; urgency=medium
 .
   * Fix deadlock when the keys/principals command produces a lot of
     output and a key is matched early (upstream commit
     ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2). (Closes: #905226)


--- End Message ---
