Your message dated Tue, 20 Jun 2023 00:27:28 +0000
with message-id <E1qBPDU-000v8T-6W@fasolo.debian.org>
and subject line Bug#1001186: fixed in openssh 1:9.3p1-1
has caused the Debian Bug report #1001186,
regarding ssh-agent: SSH_AUTH_SOCK temporary directory uses 6 template chars out of 12
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1001186: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001186
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: ssh-agent: SSH_AUTH_SOCK temporary directory uses 6 template chars out of 12
- From: Étienne Mollier <emollier@emlwks999.eu>
- Date: Sun, 5 Dec 2021 23:10:25 +0100
- Message-id: <Ya040dLrqsxy1Nt+@fusion>
Package: openssh-client
Version: 1:8.7p1-2
Severity: minor
Tags: sid bookworm

Dear Maintainer,

I recently noticed on sid and testing that, when starting an ssh-agent, the SSH_AUTH_SOCK is located in a temporary directory which only has its six last "X" in the template effectively set random. Here is an example of annotated output from testing:

    (testing-amd64-sbuild)$ ssh-agent | grep AUTH
    SSH_AUTH_SOCK=/tmp/ssh-XXXXXXTNMzUg/agent.1753865; export SSH_AUTH_SOCK;
                           ^^^^^^
    (testing-amd64-sbuild)$ ssh-agent | grep AUTH
    SSH_AUTH_SOCK=/tmp/ssh-XXXXXXwkcH8n/agent.1753867; export SSH_AUTH_SOCK;
                           ^^^^^^
    (testing-amd64-sbuild)$ ssh-agent | grep AUTH
    SSH_AUTH_SOCK=/tmp/ssh-XXXXXXMZou0x/agent.1753869; export SSH_AUTH_SOCK;
                           ^^^^^^
    (testing-amd64-sbuild)$ ssh-agent | grep AUTH
    SSH_AUTH_SOCK=/tmp/ssh-XXXXXXQQyooG/agent.1753871; export SSH_AUTH_SOCK;
                           ^^^^^^

Earlier versions of ssh-agent in Debian, such as the one delivered in bullseye, do have effectively all X's from the template set random:

    (bullseye-amd64-sbuild)$ ssh-agent | grep AUTH
    SSH_AUTH_SOCK=/tmp/ssh-6iy9xiW14kJD/agent.1754856; export SSH_AUTH_SOCK;
                           ^^^^^^
    (bullseye-amd64-sbuild)$ ssh-agent | grep AUTH
    SSH_AUTH_SOCK=/tmp/ssh-S8YSIDoV32GR/agent.1754858; export SSH_AUTH_SOCK;
                           ^^^^^^

The bookworm behavior is consistent with mkdtemp(3), which only changes the last six XXXXXX of the template string, so I suppose earlier versions were using another mkdtemp implementation to create the temporary directory.

I don't believe the issue is a big deal to be honest, but I think it might raise some eyebrows.

Thank you for taking the time to maintain openssh in Debian!
Have a nice day, :)
Étienne.
-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/12 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.20.9
ii  libc6             2.32-5
ii  libedit2          3.1-20210910-1
ii  libfido2-1        1.9.0-1
ii  libgssapi-krb5-2  1.18.3-7
ii  libselinux1       3.3-1+b1
ii  libssl1.1         1.1.1l-1
ii  passwd            1:4.8.1-2
ii  zlib1g            1:1.2.11.dfsg-2

Versions of packages openssh-client recommends:
ii  xauth  1:1.1-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- debconf-show failed

--
Étienne Mollier <emollier@emlwks999.eu>
Fingerprint: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
Sent from /dev/pts/3, please excuse my verbosity.

Attachment: signature.asc
Description: PGP signature
--- End Message ---
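The report above hinges on how much of the template mkdtemp(3) actually randomises. The following added example (not OpenSSH's or Debian's code) contrasts the libc mkdtemp(3) with an OpenBSD-style replacement that fills every trailing X, which is what portable OpenSSH's internal implementation does; it assumes a writable /tmp and a readable /dev/urandom, and the template and alphabet are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700              /* for mkdtemp(3) under strict -std modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define TEMPLATE "/tmp/ssh-XXXXXXXXXXXX"   /* constructed: 12 X's, like ssh-agent's */
static const char alphabet[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Overwrite buf[start..len) with unbiased random characters from alphabet. */
static int fill_random(char *buf, size_t start, size_t len)
{
    FILE *rnd = fopen("/dev/urandom", "rb");
    if (rnd == NULL) return -1;
    for (size_t i = start; i < len; i++) {
        int b;
        do b = getc(rnd); while (b >= 248);   /* rejection sampling: 248 = 4 * 62 */
        if (b == EOF) { fclose(rnd); return -1; }
        buf[i] = alphabet[b % 62];
    }
    fclose(rnd);
    return 0;
}

/* OpenBSD-style mkdtemp: every trailing 'X' is replaced, not only the last six. */
char *mkdtemp_all_x(char *tmpl)
{
    size_t len = strlen(tmpl), start = len;
    while (start > 0 && tmpl[start - 1] == 'X') start--;
    if (fill_random(tmpl, start, len) != 0) return NULL;
    return mkdir(tmpl, S_IRWXU) == 0 ? tmpl : NULL;   /* real code would retry on EEXIST */
}

/* Create a dir from TEMPLATE with fn, remove it, print the name, and return how many template X positions still hold a literal 'X' (-1 on error). */
int literal_x_after(char *(*fn)(char *))
{
    char path[sizeof(TEMPLATE)];
    memcpy(path, TEMPLATE, sizeof(TEMPLATE));
    if (fn(path) == NULL) return -1;
    rmdir(path);
    printf("%s\n", path);
    int count = 0;
    for (size_t i = 0; TEMPLATE[i] != '\0'; i++) count += (TEMPLATE[i] == 'X' && path[i] == 'X');
    return count;
}
int main(void)
{
    printf("libc mkdtemp leaves %d literal X\n", literal_x_after(mkdtemp));
    printf("all-X mkdtemp leaves %d literal X\n", literal_x_after(mkdtemp_all_x));
    return 0;
}
```

With glibc the first six X's survive untouched, exactly as in the reporter's output; the all-X variant leaves, on average, well under one literal X.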
--- Begin Message ---
- To: 1001186-close@bugs.debian.org
- Subject: Bug#1001186: fixed in openssh 1:9.3p1-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Tue, 20 Jun 2023 00:27:28 +0000
- Message-id: <E1qBPDU-000v8T-6W@fasolo.debian.org>
- Reply-to: Colin Watson <cjwatson@debian.org>
Source: openssh
Source-Version: 1:9.3p1-1
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1001186@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 20 Jun 2023 01:01:48 +0100
Source: openssh
Architecture: source
Version: 1:9.3p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 909022 959726 1001186 1033166 1033178 1034425
Changes:
 openssh (1:9.3p1-1) unstable; urgency=medium
 .
   * Debconf translations:
     - Romanian (thanks, Remus-Gabriel Chelu; closes: #1033178).
   * Properly fix date of 1:3.0.2p1-2 changelog entry (closes: #1034425).
   * New upstream release (https://www.openssh.com/releasenotes.html#9.3p1):
     - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to ssh-agent(1)
       with the per-hop destination constraints (ssh-add -h ...) added in
       OpenSSH 8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and keys
       without destination constraints are unaffected. This problem was
       reported by Luci Stanescu (closes: #1033166).
     - [SECURITY] ssh(1): Portable OpenSSH provides an implementation of the
       getrrsetbyname(3) function if the standard library does not provide
       it, for use by the VerifyHostKeyDNS feature. A specifically crafted
       DNS response could cause this function to perform an out-of-bounds
       read of adjacent stack data, but this condition does not appear to be
       exploitable beyond denial-of-service to the ssh(1) client.
     - ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
       outputting SSHFP fingerprints to allow algorithm selection.
     - sshd(8): add a `sshd -G` option that parses and prints the effective
       configuration without attempting to load private keys and perform
       other checks. This allows usage of the option before keys have been
       generated and for configuration evaluation and verification by
       unprivileged users.
     - scp(1), sftp(1): fix progressmeter corruption on wide displays.
     - ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of
       private keys as some systems are starting to disable RSA/SHA1 in
       libcrypto.
     - sftp-server(8): fix a memory leak.
     - ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
       compatibility code and simplify what's left.
     - Fix a number of low-impact Coverity static analysis findings.
     - ssh_config(5), sshd_config(5): mention that some options are not
       first-match-wins.
     - Rework logging for the regression tests. Regression tests will now
       capture separate logs for each ssh and sshd invocation in a test.
     - ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says
       it should.
     - ssh(1): ensure that there is a terminating newline when adding a new
       entry to known_hosts.
     - sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
       mmap(2), madvise(2) and futex(2) flags, removing some concerning
       kernel attack surface.
   * debian/README.Debian: Clarify that you need to restart ssh.socket after
     overriding its ListenStream= option (LP: #2020560).
   * debian/openssh-server.postinst: Use "sshd -G" to parse the server
     configuration file (closes: #959726).
   * Fix incorrect RRSET_FORCE_EDNS0 flags validation in SSHFP DNSSEC patch
     (thanks, Ben Hutchings; closes: #909022).
   * Always use the internal mkdtemp implementation, since it substitutes
     more randomness into the template string than glibc's version
     (closes: #1001186).
--- End Message ---