Merge ~athos-ribeiro/ubuntu/+source/openssh:lp1903516-timeout-focal into ubuntu/+source/openssh:ubuntu/focal-devel

Proposed by Athos Ribeiro
Status: Needs review
Proposed branch: ~athos-ribeiro/ubuntu/+source/openssh:lp1903516-timeout-focal
Merge into: ubuntu/+source/openssh:ubuntu/focal-devel
Diff against target: 62 lines (+40/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/fix-connect-timeout-overflow.patch (+32/-0)
debian/patches/series (+1/-0)
Reviewer: Sergio Durigan Junior (community); Status: Approve
Reviewer: Canonical Server packageset reviewers; Status: Pending
Review via email: mp+417972@code.launchpad.net

Description of the change

This is an SRU proposal for LP: #1903516 for focal. Due to its size and relevance, the idea is to stage the SRU.

A PPA with the proposed changes is available at

https://launchpad.net/~athos-ribeiro/+archive/ubuntu/openssh-lp1903516-timeout/+packages

I ran the autopkgtest suite locally, here is the result summary:

autopkgtest [14:02:04]: @@@@@@@@@@@@@@@@@@@@ summary
regress PASS

Sergio Durigan Junior (sergiodj) wrote :

LGTM, thanks!

review: Approve
Sergio Durigan Junior (sergiodj) wrote :

Something crossed my mind here.

I'm working on bug #1966591, which happens to be also a low-priority openssh issue that's been fixed by upstream. This bug apparently affects B/F. WDYT about waiting until I have a fix ready for it and then we can stage both SRUs together?

Athos Ribeiro (athos-ribeiro) wrote :

> Something crossed my mind here.
>
> I'm working on bug #1966591, which happens to be also a low-priority openssh
> issue that's been fixed by upstream. This bug apparently affects B/F. WDYT
> about waiting until I have a fix ready for it and then we can stage both SRUs
> together?

+1; there's no rush with this fix here (it would be staged anyway). I will let these MPs sit here until we get your MPs for #1966591 ready and approved so we can proceed with staging our changes :)

Sergio Durigan Junior (sergiodj) wrote :

I've merged this into my change to fix bug #1966591 and uploaded the package:

$ dput openssh_8.2p1-4ubuntu0.5_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/openssh/openssh_8.2p1-4ubuntu0.5_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/openssh/openssh_8.2p1-4ubuntu0.5.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openssh_8.2p1-4ubuntu0.5.dsc: done.
  Uploading openssh_8.2p1-4ubuntu0.5.debian.tar.xz: done.
  Uploading openssh_8.2p1-4ubuntu0.5_source.buildinfo: done.
  Uploading openssh_8.2p1-4ubuntu0.5_source.changes: done.
Successfully uploaded packages.

Unmerged commits

96c6425... by Athos Ribeiro

Update changelog for 1:8.2p1-4ubuntu0.5 release

11a3302... by Athos Ribeiro

* d/p/fix-connect-timeout-overflow.patch: prevent ConnectTimeout overflow.
  (LP: #1903516)

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 25aa57f..95c8f51 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+openssh (1:8.2p1-4ubuntu0.5) focal; urgency=medium
7+
8+ * d/p/fix-connect-timeout-overflow.patch: prevent ConnectTimeout overflow.
9+ (LP: #1903516)
10+
11+ -- Athos Ribeiro <athos.ribeiro@canonical.com> Wed, 30 Mar 2022 10:03:15 -0300
12+
13 openssh (1:8.2p1-4ubuntu0.4) focal; urgency=medium
14
15 * d/p/match-host-certs-w-public-keys.patch: Add patch
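Review bot: the new changelog bullet for d/p/fix-connect-timeout-overflow.patch says only "prevent ConnectTimeout overflow" and does not mention the user-visible effect that the patch header describes, namely that the effective timeout is now capped (about 24 days on most platforms). For an SRU it would help to state that in the entry, for example "cap the effective ConnectTimeout at INT_MAX milliseconds to prevent integer overflow".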
16diff --git a/debian/patches/fix-connect-timeout-overflow.patch b/debian/patches/fix-connect-timeout-overflow.patch
17new file mode 100644
18index 0000000..2e47932
19--- /dev/null
20+++ b/debian/patches/fix-connect-timeout-overflow.patch
21@@ -0,0 +1,32 @@
22+From 819b44e8b9af6ce18d3ec7505b9f461bf7991a1f Mon Sep 17 00:00:00 2001
23+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
24+Date: Thu, 12 Nov 2020 22:38:57 +0000
25+Subject: [PATCH] upstream: Prevent integer overflow when ridiculously large
26+
27+ConnectTimeout is specified, capping the effective value (for most platforms)
28+at 24 days. bz#3229, ok djm@
29+
30+OpenBSD-Commit-ID: 62d4c4b7b87d111045f8e9f28b5b532d17ac5bc0
31+
32+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3229
33+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1903516
34+Origin: upstream, http://anongit.mindrot.org/openssh.git/commit/?id=819b44e8b9af6ce18d3ec7505b9f461bf7991a1f
35+Last-Update: 2022-03-30
36+---
37+ ssh.c | 7 +++++--
38+ 1 file changed, 5 insertions(+), 2 deletions(-)
39+
40+--- a/ssh.c
41++++ b/ssh.c
42+@@ -1421,7 +1421,10 @@
43+ cleanup_exit(255); /* resolve_host logs the error */
44+ }
45+
46+- timeout_ms = options.connection_timeout * 1000;
47++ if (options.connection_timeout >= INT_MAX/1000)
48++ timeout_ms = INT_MAX;
49++ else
50++ timeout_ms = options.connection_timeout * 1000;
51+
52+ /* Open a connection to the remote host. */
53+ if (ssh_connect(ssh, host, host_arg, addrs, &hostaddr, options.port,
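Review bot: the diffstat in the patch header ("ssh.c | 7 +++++--", "5 insertions(+), 2 deletions(-)") does not match the ssh.c hunk that follows, which per its "@@ -1421,7 +1421,10 @@" header and body adds four lines and removes one. If part of the upstream commit was dropped on import, regenerate or remove the stale diffstat so the header describes what is actually applied. Separately, the hunk uses INT_MAX without adding an include, so it is worth confirming that focal's ssh.c already includes <limits.h>.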
54diff --git a/debian/patches/series b/debian/patches/series
55index 0d109af..e6ed7ca 100644
56--- a/debian/patches/series
57+++ b/debian/patches/series
58@@ -26,3 +26,4 @@ revert-ipqos-defaults.patch
59 lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch
60 CVE-2021-28041.patch
61 match-host-certs-w-public-keys.patch
62+fix-connect-timeout-overflow.patch
