Merge ~athos-ribeiro/ubuntu/+source/openssh:lp1903516-timeout-bionic into ubuntu/+source/openssh:ubuntu/bionic-devel

Proposed by Athos Ribeiro
Status: Needs review
Proposed branch: ~athos-ribeiro/ubuntu/+source/openssh:lp1903516-timeout-bionic
Merge into: ubuntu/+source/openssh:ubuntu/bionic-devel
Diff against target: 62 lines (+40/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/fix-connect-timeout-overflow.patch (+32/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Sergio Durigan Junior (community) Approve
Canonical Server packageset reviewers Pending
Review via email: mp+417973@code.launchpad.net

Description of the change

This is an SRU proposal for LP: #1903516 for bionic. Due to its size and relevance, the idea is to stage the SRU.

A PPA with the proposed changes is available at

https://launchpad.net/~athos-ribeiro/+archive/ubuntu/openssh-lp1903516-timeout/+packages

I ran the autopkgtest suite locally; here is the result summary:

autopkgtest [13:53:18]: @@@@@@@@@@@@@@@@@@@@ summary
regress PASS

Sergio Durigan Junior (sergiodj) wrote :

LGTM, thanks!

review: Approve
Sergio Durigan Junior (sergiodj) wrote :

I've merged this into my change to fix bug #1966591 and uploaded the package:

$ dput openssh_7.6p1-4ubuntu0.7_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/openssh/openssh_7.6p1-4ubuntu0.7_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/openssh/openssh_7.6p1-4ubuntu0.7.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openssh_7.6p1-4ubuntu0.7.dsc: done.
  Uploading openssh_7.6p1-4ubuntu0.7.debian.tar.xz: done.
  Uploading openssh_7.6p1-4ubuntu0.7_source.buildinfo: done.
  Uploading openssh_7.6p1-4ubuntu0.7_source.changes: done.
Successfully uploaded packages.

Unmerged commits

deea6cc... by Athos Ribeiro

Update changelog for 1:7.6p1-4ubuntu0.7 release

585aed6... by Athos Ribeiro

* d/p/fix-connect-timeout-overflow.patch: prevent ConnectTimeout overflow.
  (LP: #1903516)

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index d729727..f0c46ae 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+openssh (1:7.6p1-4ubuntu0.7) bionic; urgency=medium
7+
8+ * d/p/fix-connect-timeout-overflow.patch: prevent ConnectTimeout overflow.
9+ (LP: #1903516)
10+
11+ -- Athos Ribeiro <athos.ribeiro@canonical.com> Wed, 30 Mar 2022 10:17:14 -0300
12+
13 openssh (1:7.6p1-4ubuntu0.6) bionic; urgency=medium
14
15 * fix clients advertising version 1.99 (LP: #1863930)
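Review bot: the new changelog entry describes only the mechanism ("prevent ConnectTimeout overflow") and not the user-visible behaviour; for an SRU it is worth stating in the entry that over-large ConnectTimeout values are now capped at INT_MAX milliseconds (roughly 24 days, as the upstream commit message puts it) instead of overflowing, so a reader of the changelog does not have to open the patch to learn what changed.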
16diff --git a/debian/patches/fix-connect-timeout-overflow.patch b/debian/patches/fix-connect-timeout-overflow.patch
17new file mode 100644
18index 0000000..f4cb6a6
19--- /dev/null
20+++ b/debian/patches/fix-connect-timeout-overflow.patch
21@@ -0,0 +1,32 @@
22+From 819b44e8b9af6ce18d3ec7505b9f461bf7991a1f Mon Sep 17 00:00:00 2001
23+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
24+Date: Thu, 12 Nov 2020 22:38:57 +0000
25+Subject: [PATCH] upstream: Prevent integer overflow when ridiculously large
26+
27+ConnectTimeout is specified, capping the effective value (for most platforms)
28+at 24 days. bz#3229, ok djm@
29+
30+OpenBSD-Commit-ID: 62d4c4b7b87d111045f8e9f28b5b532d17ac5bc0
31+
32+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3229
33+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1903516
34+Origin: upstream, http://anongit.mindrot.org/openssh.git/commit/?id=819b44e8b9af6ce18d3ec7505b9f461bf7991a1f
35+Last-Update: 2022-03-30
36+---
37+ ssh.c | 7 +++++--
38+ 1 file changed, 5 insertions(+), 2 deletions(-)
39+
40+--- a/ssh.c
41++++ b/ssh.c
42+@@ -1279,7 +1279,10 @@
43+ cleanup_exit(255); /* resolve_host logs the error */
44+ }
45+
46+- timeout_ms = options.connection_timeout * 1000;
47++ if (options.connection_timeout >= INT_MAX/1000)
48++ timeout_ms = INT_MAX;
49++ else
50++ timeout_ms = options.connection_timeout * 1000;
51+
52+ /* Open a connection to the remote host. */
53+ if (ssh_connect(ssh, host, addrs, &hostaddr, options.port,
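Review bot: the guard `if (options.connection_timeout >= INT_MAX/1000)` introduces a use of INT_MAX but the hunk adds no `#include <limits.h>`; please confirm that ssh.c in the 7.6p1 source already includes it (upstream does), otherwise the backport will fail to build on bionic. The comparison itself is correct and conservative: values at or above INT_MAX/1000 are clamped to INT_MAX before the `* 1000`, so the multiplication can no longer overflow. The DEP-3 headers (Origin, Bug, Bug-Ubuntu, Last-Update) are complete and the Origin URL matches the commit id in the From line, which is good.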
54diff --git a/debian/patches/series b/debian/patches/series
55index 6f678bd..ed60d3d 100644
56--- a/debian/patches/series
57+++ b/debian/patches/series
58@@ -37,3 +37,4 @@ CVE-2019-6111-2.patch
59 regress-2020.patch
60 lp-1863930-unbreak-clients-that-advertise-protocol.patch
61 lp-1863930-Fix-logic-bug-in-sshd_exchange_identification.patch
62+fix-connect-timeout-overflow.patch
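Review bot: the new entry `fix-connect-timeout-overflow.patch` does not follow the `lp-<bug>-` naming used by the neighbouring Ubuntu-specific patches (`lp-1863930-...`); renaming it to `lp-1903516-fix-connect-timeout-overflow.patch` (and updating d/changelog accordingly) would make the series self-describing. Appending it at the end of the series is otherwise the right place, since it is independent of the earlier patches.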
