Merge ~sergiodj/ubuntu/+source/openssh:lp1966591-ssh-keygen-permission-focal into ubuntu/+source/openssh:ubuntu/devel

Proposed by Sergio Durigan Junior
Status: Superseded
Proposed branch: ~sergiodj/ubuntu/+source/openssh:lp1966591-ssh-keygen-permission-focal
Merge into: ubuntu/+source/openssh:ubuntu/devel
Diff against target: 294 lines (+206/-17) (has conflicts)
8 files modified
debian/changelog (+41/-0)
debian/control (+9/-0)
debian/patches/CVE-2021-28041.patch (+14/-0)
debian/patches/lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch (+59/-0)
debian/patches/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch (+46/-0)
debian/patches/match-host-certs-w-public-keys.patch (+30/-0)
debian/patches/series (+7/-0)
dev/null (+0/-17)
Conflict in debian/changelog
Conflict in debian/control
Conflict in debian/patches/series
Reviewer | Review Type | Date Requested | Status
Canonical Server packageset reviewers | | | Pending
Canonical Server | | | Pending
Review via email: mp+418100@code.launchpad.net

Description of the change

This MP fixes bug #1966591 on Focal.

From the SRU template:

When using "ssh-keygen -R" to remove a host from "known_hosts" the command changes permissions on the file. This can cause problems particularly when used on the global "known_hosts" file (/etc/ssh/ssh_known_hosts), because then only root can read it. Programs running non-interactively as non-root users suddenly fail to SSH and it's not immediately obvious why.

This bug has been fixed upstream (https://github.com/openssh/openssh-portable/commit/f2d84f1b3fa68d77c99238d4c645d0266fae2a74) and only impacts openssh on Bionic and Focal. The patch is simple and well contained.

The idea is to do a single SRU upload with this MP plus Athos' changes to fix bug #1903516.

There is a PPA with the proposed change here:

https://launchpad.net/~sergiodj/+archive/ubuntu/openssh-bugfix/+packages

autopkgtest is still running, but I don't expect any problems. I'll post the results when they're done.
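As an added example (not code from this merge proposal or from openssh), a small shell check in the spirit of the SRU verification for the bug described above: one function audits whether a known_hosts file is still readable by group/other, the other rewrites a constructed 0644 known_hosts with `ssh-keygen -R` and reports whether the mode survived. It assumes a `stat` that understands `-c '%a'` (GNU coreutils or busybox) and, for the second function, an ssh-keygen on PATH; that check is skipped otherwise.

```shell
#!/bin/sh
# Added example for LP: #1966591, not code from the merge proposal or from
# openssh. Assumes `stat -c '%a'` (GNU/busybox); ssh-keygen is optional.

# Return 0 when FILE keeps at least one group/other read bit (mode & 044),
# 1 otherwise. A global ssh_known_hosts that fails this shows exactly the
# symptom from the bug report: only root can read it.
known_hosts_readable_by_others() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # 0$mode is an octal constant; 044 selects the group and other read bits
    [ $(( 0$mode & 044 )) -ne 0 ]
}

# Rewrite a constructed 0644 known_hosts with `ssh-keygen -R` and report
# whether the mode survived: 0 = preserved (fixed ssh-keygen), 1 = changed
# (unfixed, or the run failed), 2 = ssh-keygen not available, check skipped.
ssh_keygen_r_preserves_mode() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    d=$(mktemp -d) || return 1
    # throwaway key pair, generated only to build syntactically valid entries
    ssh-keygen -q -t ed25519 -N '' -f "$d/key" >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    pub=$(cut -d' ' -f1,2 "$d/key.pub")
    printf 'host-a.example %s\nhost-b.example %s\n' "$pub" "$pub" > "$d/known_hosts"
    chmod 0644 "$d/known_hosts"
    before=$(stat -c '%a' "$d/known_hosts")
    # -R removes host-a.example; ssh-keygen rewrites the file via a temp file,
    # which is where an unfixed version drops the group/other bits
    ssh-keygen -q -R host-a.example -f "$d/known_hosts" >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    after=$(stat -c '%a' "$d/known_hosts")
    rm -rf "$d"
    [ "$before" = "$after" ]
}

# Stand-alone use: `sh check.sh --run` audits the global file, then exercises ssh-keygen.
if [ "${1:-}" = "--run" ]; then
    f=/etc/ssh/ssh_known_hosts
    if [ -e "$f" ]; then
        if known_hosts_readable_by_others "$f"; then echo "$f: readable by group/other"
        else echo "$f: NOT readable by group/other (LP: #1966591 symptom)"; fi
    fi
    rc=0; ssh_keygen_r_preserves_mode || rc=$?
    case $rc in
        0) echo "ssh-keygen -R preserved the file mode" ;;
        1) echo "ssh-keygen -R changed the file mode" ;;
        *) echo "ssh-keygen not found, check skipped" ;;
    esac
fi
```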


Unmerged commits

ecd0f59... by Sergio Durigan Junior

changelog for 1:8.2p1-4ubuntu0.5

8a0766a... by Sergio Durigan Junior

  * d/p/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch:
    Preserve group/world read permissions on known_hosts. (LP: #1966591)

a68d4d2... by Chloé Smith

* Update d/ch for 1:8.2p1-4ubuntu0.4 release

e1bb56d... by Chloé Smith

* d/p/match-host-certs-w-public-keys.patch: Add patch
  to match host certificates against host public keys.
  (LP: #1952421)

c6fdf00... by Athos Ribeiro

Update changelog for 1:8.2p1-4ubuntu0.3 release

9a979e5... by Athos Ribeiro

d/systemd/ssh@.service: preserve runtime directory

Preserve the systemd managed runtime directory to ensure parallel
processes will not disrupt one another when halting (LP: #1905285)

f34a84f... by Marc Deslauriers

1:8.2p1-4ubuntu0.2 (patches unapplied)

Imported using git-ubuntu import.

1ebd6b9... by Christian Ehrhardt 

1:8.2p1-4ubuntu0.1 (patches unapplied)

Imported using git-ubuntu import.

Preview Diff

1diff --git a/debian/.gitignore b/debian/.gitignore
2deleted file mode 100644
3index 988323b..0000000
4--- a/debian/.gitignore
5+++ /dev/null
6@@ -1,17 +0,0 @@
7-/*.debhelper*
8-/*substvars
9-/build-deb
10-/build-udeb
11-/files
12-/keygen-test/key1
13-/keygen-test/key1.pub
14-/keygen-test/key2
15-/keygen-test/key2.pub
16-/openssh-client
17-/openssh-client-udeb
18-/openssh-server
19-/openssh-server-udeb
20-/ssh
21-/ssh-askpass-gnome
22-/ssh-krb5
23-/tmp
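Review bot: the deletion of debian/.gitignore is not part of the LP: #1966591 fix and is not mentioned in the description; together with the conflict markers in the later hunks it is a symptom of proposing a focal branch against ubuntu/devel. Re-targeting the MP at the focal branch (ubuntu/focal-devel) should make this hunk disappear and leave only the new patch, its series entry and the changelog stanza in the diff.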
24diff --git a/debian/changelog b/debian/changelog
25index 9d6fadc..edf11ad 100644
26--- a/debian/changelog
27+++ b/debian/changelog
28@@ -1,3 +1,4 @@
29+<<<<<<< debian/changelog
30 openssh (1:8.9p1-3) unstable; urgency=medium
31
32 * Allow ppoll_time64 in seccomp filter (closes: #1006445).
33@@ -702,6 +703,46 @@ openssh (1:8.3p1-1) unstable; urgency=medium
34 Include (closes: #962035, LP: #1876320).
35
36 -- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 13:44:04 +0100
37+=======
38+openssh (1:8.2p1-4ubuntu0.5) focal; urgency=medium
39+
40+ * d/p/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch:
41+ Preserve group/world read permissions on known_hosts. (LP: #1966591)
42+
43+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 31 Mar 2022 16:56:00 -0400
44+
45+openssh (1:8.2p1-4ubuntu0.4) focal; urgency=medium
46+
47+ * d/p/match-host-certs-w-public-keys.patch: Add patch
48+ to match host certificates agianst host public keys.
49+ (LP: #1952421)
50+
51+ -- Chloé S <chloe.smith@canonical.com> Thu, 02 Dec 2021 22:38:52 +0000
52+
53+openssh (1:8.2p1-4ubuntu0.3) focal; urgency=medium
54+
55+ * d/systemd/ssh@.service: preserve the systemd managed runtime directory to
56+ ensure parallel processes will not disrupt one another when halting
57+ (LP: #1905285)
58+
59+ -- Athos Ribeiro <athos.ribeiro@canonical.com> Fri, 23 Jul 2021 09:55:12 -0300
60+
61+openssh (1:8.2p1-4ubuntu0.2) focal-security; urgency=medium
62+
63+ * SECURITY UPDATE: double-free memory corruption in ssh-agent
64+ - debian/patches/CVE-2021-28041.patch: set ext_name to NULL after
65+ freeing it so it doesn't get freed again later on in ssh-agent.c.
66+ - CVE-2021-28041
67+
68+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 09 Mar 2021 09:17:50 -0500
69+
70+openssh (1:8.2p1-4ubuntu0.1) focal; urgency=medium
71+
72+ * d/p/lp-1876320-*: avoid applying defaults for every include statement
73+ (LP: #1876320)
74+
75+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 29 May 2020 09:37:09 +0200
76+>>>>>>> debian/changelog
77
78 openssh (1:8.2p1-4) unstable; urgency=medium
79
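Review bot: the 1:8.2p1-4ubuntu0.5 stanza itself looks right (focal distribution, LP bug reference, patch file named in the entry), but it sits between `=======` and `>>>>>>> debian/changelog` markers because ubuntu/devel already carries 1:8.9p1-3, so this hunk cannot land as-is. The description also says this is meant to go out as one SRU upload together with the bug #1903516 change, which this stanza does not yet mention; either fold that change into the 0.5 entry or note in the MP that it will be added before upload.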
80diff --git a/debian/control b/debian/control
81index f9dc5f7..165faca 100644
82--- a/debian/control
83+++ b/debian/control
84@@ -1,9 +1,18 @@
85 Source: openssh
86 Section: net
87 Priority: standard
88+<<<<<<< debian/control
89 Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
90 Build-Depends: debhelper (>= 13.1~),
91 debhelper-compat (= 13),
92+=======
93+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
94+XSBC-Original-Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
95+Build-Depends: autotools-dev,
96+ debhelper (>= 9.20160709~),
97+ debhelper-compat (= 9),
98+ dh-autoreconf,
99+>>>>>>> debian/control
100 dh-exec,
101 dh-runit (>= 2.8.8),
102 dpkg-dev (>= 1.16.1~),
103diff --git a/debian/patches/CVE-2021-28041.patch b/debian/patches/CVE-2021-28041.patch
104new file mode 100644
105index 0000000..731b821
106--- /dev/null
107+++ b/debian/patches/CVE-2021-28041.patch
108@@ -0,0 +1,14 @@
109+Description: fix double-free memory corruption in ssh-agent
110+Author: Marc Deslauriers <marc.deslauriers@canonical.com>
111+Origin: minimal fix for https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db
112+
113+--- a/ssh-agent.c
114++++ b/ssh-agent.c
115+@@ -496,6 +496,7 @@ process_add_identity(SocketEntry *e)
116+ goto err;
117+ }
118+ free(ext_name);
119++ ext_name = NULL;
120+ break;
121+ default:
122+ error("%s: Unknown constraint %d", __func__, ctype);
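Review bot: this file and the lp-1876320 patch in the next hunk are already shipped in focal (1:8.2p1-4ubuntu0.2 and 0.1 per the changelog above) and only appear as new files because of the target mismatch, so there is nothing new to review in them for this upload; the `ext_name = NULL` after `free(ext_name)` is the expected minimal double-free fix and the DEP-3 header points at the upstream commit.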
123diff --git a/debian/patches/lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch b/debian/patches/lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch
124new file mode 100644
125index 0000000..43865f5
126--- /dev/null
127+++ b/debian/patches/lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch
128@@ -0,0 +1,59 @@
129+From 0a9a611619b0a1fecd0195ec86a9885f5d681c84 Mon Sep 17 00:00:00 2001
130+From: "djm@openbsd.org" <djm@openbsd.org>
131+Date: Wed, 27 May 2020 21:59:11 +0000
132+Subject: [PATCH] upstream: Do not call process_queued_listen_addrs() for every
133+
134+included file from sshd_config; patch from Jakub Jelen
135+
136+OpenBSD-Commit-ID: 0ff603d6f06a7fab4881f12503b53024799d0a49
137+
138+Backport-Note:
139+ upstreams auto-tagging at the top of the file didn't
140+ match, everything else applied as-is
141+
142+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=0a9a611619b0a1fecd0195ec86a9885f5d681c84
143+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1876320
144+Last-Update: 2020-05-29
145+
146+---
147+ servconf.c | 10 +++++-----
148+ 1 file changed, 5 insertions(+), 5 deletions(-)
149+
150+--- a/servconf.c
151++++ b/servconf.c
152+@@ -75,8 +75,8 @@ static void add_listen_addr(ServerOption
153+ const char *, int);
154+ static void add_one_listen_addr(ServerOptions *, const char *,
155+ const char *, int);
156+-void parse_server_config_depth(ServerOptions *options, const char *filename,
157+- struct sshbuf *conf, struct include_list *includes,
158++static void parse_server_config_depth(ServerOptions *options,
159++ const char *filename, struct sshbuf *conf, struct include_list *includes,
160+ struct connection_info *connectinfo, int flags, int *activep, int depth);
161+
162+ /* Use of privilege separation or not */
163+@@ -2611,7 +2611,7 @@ copy_set_server_options(ServerOptions *d
164+ #undef M_CP_STRARRAYOPT
165+
166+ #define SERVCONF_MAX_DEPTH 16
167+-void
168++static void
169+ parse_server_config_depth(ServerOptions *options, const char *filename,
170+ struct sshbuf *conf, struct include_list *includes,
171+ struct connection_info *connectinfo, int flags, int *activep, int depth)
172+@@ -2637,7 +2637,6 @@ parse_server_config_depth(ServerOptions
173+ if (bad_options > 0)
174+ fatal("%s: terminating, %d bad configuration options",
175+ filename, bad_options);
176+- process_queued_listen_addrs(options);
177+ }
178+
179+ void
180+@@ -2648,6 +2647,7 @@ parse_server_config(ServerOptions *optio
181+ int active = connectinfo ? 0 : 1;
182+ parse_server_config_depth(options, filename, conf, includes,
183+ connectinfo, 0, &active, 0);
184++ process_queued_listen_addrs(options);
185+ }
186+
187+ static const char *
188diff --git a/debian/patches/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch b/debian/patches/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch
189new file mode 100644
190index 0000000..433ebfb
191--- /dev/null
192+++ b/debian/patches/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch
193@@ -0,0 +1,46 @@
194+From: "djm@openbsd.org" <djm@openbsd.org>
195+Date: Wed, 13 May 2020 09:55:57 +0000
196+Subject: upstream: preserve group/world read permission on known_hosts
197+
198+file across runs of "ssh-keygen -Rf /path". The old behaviour was to remove
199+all rights for group/other. bz#3146 ok dtucker@
200+
201+OpenBSD-Commit-ID: dc369d0e0b5dd826430c63fd5f4b269953448a8a
202+
203+Origin: backport, https://github.com/openssh/openssh-portable/commit/f2d84f1b3fa68d77c99238d4c645d0266fae2a74
204+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3146
205+Bug-Ubuntu: https://bugs.launchpad.net/openssh/+bug/1966591
206+Applied-Upstream: 8.4
207+---
208+ ssh-keygen.c | 4 ++++
209+ 1 file changed, 4 insertions(+)
210+
211+diff --git a/ssh-keygen.c b/ssh-keygen.c
212+index 835f7d0..bfc5233 100644
213+--- a/ssh-keygen.c
214++++ b/ssh-keygen.c
215+@@ -1235,6 +1235,7 @@ do_known_hosts(struct passwd *pw, const char *name)
216+ int r, fd, oerrno, inplace = 0;
217+ struct known_hosts_ctx ctx;
218+ u_int foreach_options;
219++ struct stat sb;
220+
221+ if (!have_identity) {
222+ cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);
223+@@ -1244,6 +1245,8 @@ do_known_hosts(struct passwd *pw, const char *name)
224+ free(cp);
225+ have_identity = 1;
226+ }
227++ if (stat(identity_file, &sb) != 0)
228++ fatal("Cannot stat %s: %s", identity_file, strerror(errno));
229+
230+ memset(&ctx, 0, sizeof(ctx));
231+ ctx.out = stdout;
232+@@ -1267,6 +1270,7 @@ do_known_hosts(struct passwd *pw, const char *name)
233+ unlink(tmp);
234+ fatal("fdopen: %s", strerror(oerrno));
235+ }
236++ fchmod(fd, sb.st_mode & 0644);
237+ inplace = 1;
238+ }
239+
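Review bot: the backport matches the upstream change and the DEP-3 header is complete (Origin, Bug, Bug-Ubuntu, Applied-Upstream: 8.4, consistent with the description that only Bionic and Focal are affected). Two points worth a line in the SRU test plan: `fchmod(fd, sb.st_mode & 0644)` is applied only on the `inplace` path and masks the original mode to owner rw plus group/other read, so a world-writable known_hosts is not carried over as writable, which is what the changelog entry promises; and the new `fatal("Cannot stat %s: %s", ...)` runs before the temporary file is created, so `ssh-keygen -R` on a missing file now fails at stat() rather than later, which the test plan should confirm is acceptable.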
240diff --git a/debian/patches/match-host-certs-w-public-keys.patch b/debian/patches/match-host-certs-w-public-keys.patch
241new file mode 100644
242index 0000000..2f4d509
243--- /dev/null
244+++ b/debian/patches/match-host-certs-w-public-keys.patch
245@@ -0,0 +1,30 @@
246+Description: Match host certificates against host public keys
247+ not private keys. Allows use of certificates with private keys
248+ held in a ssh-agent.
249+Origin: upstream
250+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3254
251+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1952421
252+Forwarded: not-needed
253+Applied-Upstream: https://github.com/openssh/openssh-portable/commit/530739d4
254+
255+From 530739d42f6102668aecd699be0ce59815c1eceb Mon Sep 17 00:00:00 2001
256+From: "djm@openbsd.org" <djm@openbsd.org>
257+Date: Sun, 6 Jun 2021 11:34:16 +0000
258+Reported by Miles Zhou in bz3524; ok dtucker@
259+OpenBSD-Commit-ID: 25f5bf70003126d19162862d9eb380bf34bac22a
260+
261+---
262+ sshd.c | 4 ++--
263+ 1 file changed, 2 insertions(+), 2 deletions(-)
264+
265+--- a/sshd.c
266++++ b/sshd.c
267+@@ -1896,7 +1896,7 @@
268+ /* Find matching private key */
269+ for (j = 0; j < options.num_host_key_files; j++) {
270+ if (sshkey_equal_public(key,
271+- sensitive_data.host_keys[j])) {
272++ sensitive_data.host_pubkeys[j])) {
273+ sensitive_data.host_certificates[j] = key;
274+ break;
275+ }
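Review bot: the header is internally inconsistent: `Bug:` points at mindrot bz 3254 while the commit text says "Reported by Miles Zhou in bz3524"; please confirm which number is right and fix the other. Cosmetically, the context comment `/* Find matching private key */` is now stale since the loop compares against `host_pubkeys`, though as an upstream backport already released in 0.4 that can stay as-is.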
276diff --git a/debian/patches/series b/debian/patches/series
277index 580b919..f193587 100644
278--- a/debian/patches/series
279+++ b/debian/patches/series
280@@ -22,7 +22,14 @@ systemd-readiness.patch
281 debian-config.patch
282 restore-authorized_keys2.patch
283 revert-ipqos-defaults.patch
284+<<<<<<< debian/patches/series
285 maxhostnamelen.patch
286 conch-ssh-rsa.patch
287 improve-zero-call-used-regs-detection.patch
288 sandbox-ppoll_time64.patch
289+=======
290+lp-1876320-upstream-Do-not-call-process_queued_listen_addrs-for.patch
291+CVE-2021-28041.patch
292+match-host-certs-w-public-keys.patch
293+lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch
294+>>>>>>> debian/patches/series
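Review bot: once the conflict is resolved the focal series must keep only the `=======` side of this hunk, i.e. the existing lp-1876320, CVE-2021-28041 and match-host-certs entries with lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch appended last; the devel-only entries between the `<<<<<<<` and `=======` markers (maxhostnamelen.patch through sandbox-ppoll_time64.patch) must not be pulled into focal.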
