
Bug#999593: marked as done (ssh: segfaults when using -Y find-principals)



Your message dated Sat, 13 Nov 2021 14:34:24 +0000
with message-id <E1mlu6q-00063q-3p@fasolo.debian.org>
and subject line Bug#999593: fixed in openssh 1:8.7p1-2
has caused the Debian Bug report #999593,
regarding ssh: segfaults when using -Y find-principals
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
999593: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999593
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:8.7p1-1
Severity: normal

OpenSSH 8.7 has a bug where the -Y find-principals command segfaults.
This breaks the Git testsuite because the functionality is available but
doesn't work.  As a result, I'm impeded in doing Git development.  I am
also not the only person doing Git development on Debian unstable.

The bug is fixed in OpenSSH 8.8[0], so the easiest solution is to simply
upgrade the package to the new version.  I am fully aware that it
removes support for ssh-rsa (RSA with SHA-1) signatures by default, and
I am also fully aware that many clients and servers are broken by that,
including ones using the Go SSH library, and I've read #996391.

However, none of this should have been a surprise to those
implementations, since it was well announced in advance; all of those
implementations have been broken with Fedora for some time, which has a
default crypto policy excluding SHA-1 signatures; this is strictly a
significant improvement in security, since SHA-1 is known to be weak;
and there is a well documented workaround for those for whom
functionality is more important than security.  Thus, I'm not especially
partial to the idea that we should wait to upgrade because
implementations are broken.

However, it would also be acceptable to me if the relevant patch were
backported to make OpenSSH not segfault, since my main goal is to make
the Git testsuite work (and I fundamentally believe that programs should
not segfault).

Steps to reproduce:

1. sudo apt-get build-dep git
2. sudo apt-get install git build-essential
3. git clone https://github.com/git/git.git
4. cd git
5. make && make test

[0] https://www.openssh.com/txt/release-8.8

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.14.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.20.9
ii  libc6             2.32-4
ii  libedit2          3.1-20210910-1
ii  libfido2-1        1.9.0-1
ii  libgssapi-krb5-2  1.18.3-7
ii  libselinux1       3.3-1
ii  libssl1.1         1.1.1l-1
ii  passwd            1:4.8.1-2
ii  zlib1g            1:1.2.11.dfsg-2

Versions of packages openssh-client recommends:
ii  xauth  1:1.1-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- no debconf information

-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

Attachment: signature.asc
Description: PGP signature


--- End Message ---
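The `-Y find-principals` step whose crash is reported above is one leg of the `ssh-keygen -Y` signing workflow that Git's SSH-signature tests drive: sign a payload with a key, verify it against an allowed_signers list, and ask which allowed principal a detached signature belongs to. The following shell script is an added example, not code from the bug report, from Git or from OpenSSH. It builds a throwaway Ed25519 key and allowed_signers file, signs a constructed message, verifies it, and runs find-principals; the principal name `git-test@example.invalid`, the `git` namespace and the file names are made up for the demo. On an ssh-keygen that crashes in find-principals, the function propagates ssh-keygen's failure status instead of printing a principal, so it doubles as a quick check of an installed build.

```shell
#!/bin/sh
# Added example (not from the bug report, Git or OpenSSH): round-trip the
# ssh-keygen -Y sign / verify / find-principals workflow on a scratch key.
# Principal, namespace and file names below are made up for the demo.
set -eu

# Creates a key and an allowed_signers file in a temp dir, signs a message,
# verifies the signature, then prints the principal(s) find-principals maps
# the signature to. Any failing step (including a crashing ssh-keygen) makes
# the function exit non-zero under set -e.
ssh_sig_roundtrip() {
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT

    # Throwaway signing key, no passphrase.
    ssh-keygen -q -t ed25519 -N '' -f "$dir/id_ed25519"

    # allowed_signers line: <principal> [options] <keytype> <base64 key>
    # namespaces="git" restricts this key to signatures made with -n git.
    printf 'git-test@example.invalid namespaces="git" %s\n' \
        "$(cut -d' ' -f1,2 < "$dir/id_ed25519.pub")" > "$dir/allowed_signers"

    # Constructed payload standing in for a commit object.
    printf 'tree 0000000000000000000000000000000000000000\n' > "$dir/msg"

    # Detached signature in the "git" namespace; written to msg.sig.
    ssh-keygen -Y sign -n git -f "$dir/id_ed25519" "$dir/msg"

    # Verify: the message comes on stdin, the claimed signer via -I.
    ssh-keygen -Y verify -n git -f "$dir/allowed_signers" \
        -I git-test@example.invalid -s "$dir/msg.sig" < "$dir/msg" >/dev/null

    # find-principals: given only the signature, report the allowed principal(s)
    # whose key produced it. This is the call that segfaulted in 8.7p1-1.
    ssh-keygen -Y find-principals -f "$dir/allowed_signers" -s "$dir/msg.sig"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    ssh_sig_roundtrip
else
    echo "ssh-keygen not found; nothing to demonstrate" >&2
fi
```

A working build prints `git-test@example.invalid` and exits 0; a build with the 8.7 bug dies inside the last `ssh-keygen` call, and `set -e` turns that into a non-zero exit from the function, which is the behaviour Git's test suite was tripping over.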
--- Begin Message ---
Source: openssh
Source-Version: 1:8.7p1-2
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 999593@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Nov 2021 13:40:50 +0000
Source: openssh
Architecture: source
Version: 1:8.7p1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 999593
Changes:
 openssh (1:8.7p1-2) unstable; urgency=medium
 .
   * Backport from upstream:
     - Avoid NULL deref in -Y find-principals (closes: #999593).
Checksums-Sha1:
 041b9d382a6f9126c1ac9f136588970218ae4948 3382 openssh_8.7p1-2.dsc
 3f78b356f043407e7634e28004c44055f1decdd2 186492 openssh_8.7p1-2.debian.tar.xz
Checksums-Sha256:
 3fb75e98b98e1154c1d682c5b78e241a1ddd61a819913cc8fcf6a8be2e3bd1e7 3382 openssh_8.7p1-2.dsc
 0c35841b4096b6d6bda6b37c9d30f777888e256e90c15fa43f481520280222e1 186492 openssh_8.7p1-2.debian.tar.xz
Files:
 257a02ae202a00baca214d19d226c07c 3382 net standard openssh_8.7p1-2.dsc
 cf83dedf09dfcc8c6e76d72830f61c4f 186492 net standard openssh_8.7p1-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmGPwIoACgkQOTWH2X2G
UAvgoRAAm41yqatKAkq4vhd28twuKz34GaTdmCRQHkaXZCqO5tWSIorAMbRuW+Hc
4iZVzHq5fTKxYXGT1N3HIQ2d5czhRy7She28geN0DP9FMDeTOiTaojgsIZfKw/lx
M3eNMeTWsKeZIFBPavrTl+yYwnCH66s6DErkCbT/RpG3WGZ5vN7PKyedHYB5EpgP
tlcikfpw9gA82cVQNlfwbYok9dz/vFopRcPRxwANVtbj1pXPudJY5yc7/fei6Ovl
6WxlBkncvCejMMd1G8BDkRZDP2wF9P7shApbxZwG58NF5rji01o0mBPSUcT+XH7Y
yKQ+vrNc2FWx0pPH+9k8mwh7WL97Bmmj75e6du7YbyFt+TD4xkwejmpO3sFOXpzD
JHTe69n9ZpTcc0qlkw7qZCkjZ/jgUywFe+FnVj6tHv0W2v0juHO6MfbCU5toG4NV
z7RxjHGoGR/VbDPPYa4E0zWDhBxSzSHvVUP6mAuiMvXESPL6IGQUFZwjd8CVY+h3
6tDYiQibp+zeHAYObiEhRMHgXlwvfsKBcWI81lC+gFzIzQ4b1bcPE8iBpYKAhV+X
qB110eIMr6lAT37rac56/o9qbj/0pn/wl3hYtn4UFEwltp15+yQPcw0dv+rk2B7J
DIocdoqT1jlJ50Wr+aTyG1KOm8lWJ3X/RSZAyoGzSCWDFlFat0I=
=vBtM
-----END PGP SIGNATURE-----

--- End Message ---