Merge ~athos-ribeiro/ubuntu/+source/openssh:lp1903516-timeout-focal into ubuntu/+source/openssh:ubuntu/focal-devel

Proposed by Athos Ribeiro
Status: Needs review
Proposed branch: ~athos-ribeiro/ubuntu/+source/openssh:lp1903516-timeout-focal
Merge into: ubuntu/+source/openssh:ubuntu/focal-devel
Diff against target: 62 lines (+40/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/fix-connect-timeout-overflow.patch (+32/-0)
debian/patches/series (+1/-0)
Reviewers (status):
- Sergio Durigan Junior (community): Approve
- Canonical Server packageset reviewers: Pending
Review via email: mp+417972@code.launchpad.net

Description of the change

This is an SRU proposal for LP: #1903516 for focal. Due to its size and relevance, the idea is to stage the SRU.

A PPA with the proposed changes is available at

https://launchpad.net/~athos-ribeiro/+archive/ubuntu/openssh-lp1903516-timeout/+packages

I ran the autopkgtest suite locally, here is the result summary:

autopkgtest [14:02:04]: @@@@@@@@@@@@@@@@@@@@ summary
regress PASS

Sergio Durigan Junior (sergiodj) wrote :

LGTM, thanks!

review: Approve
Sergio Durigan Junior (sergiodj) wrote :

Something crossed my mind here.

I'm working on bug #1966591, which happens to be also a low-priority openssh issue that's been fixed by upstream. This bug apparently affects B/F. WDYT about waiting until I have a fix ready for it and then we can stage both SRUs together?

Athos Ribeiro (athos-ribeiro) wrote :

> Something crossed my mind here.
>
> I'm working on bug #1966591, which happens to be also a low-priority openssh
> issue that's been fixed by upstream. This bug apparently affects B/F. WDYT
> about waiting until I have a fix ready for it and then we can stage both SRUs
> together?

+1; there's no rush with this fix here (it would be staged anyway). I will let these MPs sit here until we get your MPs for #1966591 ready and approved so we can proceed with staging our changes :)

Sergio Durigan Junior (sergiodj) wrote :

I've merged this into my change to fix bug #1966591 and uploaded the package:

$ dput openssh_8.2p1-4ubuntu0.5_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/openssh/openssh_8.2p1-4ubuntu0.5_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/openssh/openssh_8.2p1-4ubuntu0.5.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openssh_8.2p1-4ubuntu0.5.dsc: done.
  Uploading openssh_8.2p1-4ubuntu0.5.debian.tar.xz: done.
  Uploading openssh_8.2p1-4ubuntu0.5_source.buildinfo: done.
  Uploading openssh_8.2p1-4ubuntu0.5_source.changes: done.
Successfully uploaded packages.

Unmerged commits

96c6425... by Athos Ribeiro

Update changelog for 1:8.2p1-4ubuntu0.5 release

11a3302... by Athos Ribeiro

* d/p/fix-connect-timeout-overflow.patch: prevent ConnectTimeout overflow.
  (LP: #1903516)

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 25aa57f..95c8f51 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1openssh (1:8.2p1-4ubuntu0.5) focal; urgency=medium
2
3 * d/p/fix-connect-timeout-overflow.patch: prevent ConnectTimeout overflow.
4 (LP: #1903516)
5
6 -- Athos Ribeiro <athos.ribeiro@canonical.com> Wed, 30 Mar 2022 10:03:15 -0300
7
1openssh (1:8.2p1-4ubuntu0.4) focal; urgency=medium8openssh (1:8.2p1-4ubuntu0.4) focal; urgency=medium
29
3 * d/p/match-host-certs-w-public-keys.patch: Add patch10 * d/p/match-host-certs-w-public-keys.patch: Add patch
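Review bot: the new bullet, "* d/p/fix-connect-timeout-overflow.patch: prevent ConnectTimeout overflow.", names the overflow but not the resulting behaviour change. The patch header in this same proposal says the effective value is capped (at 24 days on most platforms); adding that to the bullet would tell SRU reviewers and users what to expect when a very large ConnectTimeout is configured.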
diff --git a/debian/patches/fix-connect-timeout-overflow.patch b/debian/patches/fix-connect-timeout-overflow.patch
4new file mode 10064411new file mode 100644
index 0000000..2e47932
--- /dev/null
+++ b/debian/patches/fix-connect-timeout-overflow.patch
@@ -0,0 +1,32 @@
1From 819b44e8b9af6ce18d3ec7505b9f461bf7991a1f Mon Sep 17 00:00:00 2001
2From: "dtucker@openbsd.org" <dtucker@openbsd.org>
3Date: Thu, 12 Nov 2020 22:38:57 +0000
4Subject: [PATCH] upstream: Prevent integer overflow when ridiculously large
5
6ConnectTimeout is specified, capping the effective value (for most platforms)
7at 24 days. bz#3229, ok djm@
8
9OpenBSD-Commit-ID: 62d4c4b7b87d111045f8e9f28b5b532d17ac5bc0
10
11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3229
12Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1903516
13Origin: upstream, http://anongit.mindrot.org/openssh.git/commit/?id=819b44e8b9af6ce18d3ec7505b9f461bf7991a1f
14Last-Update: 2022-03-30
15---
16 ssh.c | 7 +++++--
17 1 file changed, 5 insertions(+), 2 deletions(-)
18
19--- a/ssh.c
20+++ b/ssh.c
21@@ -1421,7 +1421,10 @@
22 cleanup_exit(255); /* resolve_host logs the error */
23 }
24
25- timeout_ms = options.connection_timeout * 1000;
26+ if (options.connection_timeout >= INT_MAX/1000)
27+ timeout_ms = INT_MAX;
28+ else
29+ timeout_ms = options.connection_timeout * 1000;
30
31 /* Open a connection to the remote host. */
32 if (ssh_connect(ssh, host, host_arg, addrs, &hostaddr, options.port,
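Review bot: the embedded upstream header's diffstat ("ssh.c | 7 +++++--", "5 insertions(+), 2 deletions(-)") does not match the single hunk carried here, "@@ -1421,7 +1421,10 @@", which has four added lines and one removed, so part of the upstream commit appears to have been left out of the backport. Say so in the DEP-3 header or regenerate the diffstat so the patch describes itself accurately. Separately, the new branch uses INT_MAX and this patch adds no include, so it is worth confirming that ssh.c in 8.2p1 already includes <limits.h> directly rather than relying on a transitive definition.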
diff --git a/debian/patches/series b/debian/patches/series
index 0d109af..e6ed7ca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ revert-ipqos-defaults.patch
26lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch26lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch
27CVE-2021-28041.patch27CVE-2021-28041.patch
28match-host-certs-w-public-keys.patch28match-host-certs-w-public-keys.patch
29fix-connect-timeout-overflow.patch
