Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
I'd like to upload openssh 1:7.4p1-8 containing two fixes cherry-picked from upstream, and am seeking pre-approval. One of the fixes is for data corruption in ssh-keygen and I think should be uncontroversial (severity: serious). The other is incorrect output from ssh-keyscan that turned up in bug reports related to the ssh-keygen bug; I can't quite justify severity: serious for it, but it's a small patch and I'd like to include it while I'm here. diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm --- openssh-7.4p1/debian/.git-dpm 2017-03-05 02:11:08.000000000 +0000 +++ openssh-7.4p1/debian/.git-dpm 2017-03-14 13:41:39.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -e18d2ba71e6bf009c53e65509da84b712c300471 -e18d2ba71e6bf009c53e65509da84b712c300471 +a0f9daa9c3cc2b37b9707b228263eb717d201371 +a0f9daa9c3cc2b37b9707b228263eb717d201371 971a7653746a6972b907dfe0ce139c06e4a6f482 971a7653746a6972b907dfe0ce139c06e4a6f482 openssh_7.4p1.orig.tar.gz diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog --- openssh-7.4p1/debian/changelog 2017-03-05 02:12:42.000000000 +0000 +++ openssh-7.4p1/debian/changelog 2017-03-14 13:49:14.000000000 +0000 @@ -1,3 +1,12 @@ +openssh (1:7.4p1-8) unstable; urgency=medium + + * Fix ssh-keygen -H accidentally corrupting known_hosts that contained + already-hashed entries (closes: #851734, LP: #1668093). + * Fix ssh-keyscan to correctly hash hosts with a port number (closes: + #857736, LP: #1670745). + + -- Colin Watson <cjwat...@debian.org> Tue, 14 Mar 2017 13:49:14 +0000 + openssh (1:7.4p1-7) unstable; urgency=medium * Don't set "PermitRootLogin yes" on fresh installations (regression diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series --- openssh-7.4p1/debian/patches/series 2017-03-05 02:11:08.000000000 +0000 +++ openssh-7.4p1/debian/patches/series 2017-03-14 13:41:39.000000000 +0000 @@ -30,3 +30,5 @@ sandbox-x32-workaround.patch no-dsa-host-key-by-default.patch restore-authorized_keys2.patch +ssh-keygen-hash-corruption.patch +ssh-keyscan-hash-port.patch diff -Nru openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch --- openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch 2017-03-14 13:41:32.000000000 +0000 @@ -0,0 +1,44 @@ +From 78800aa252da1ebbfb55f7e593f43c337e694cc3 Mon Sep 17 00:00:00 2001 +From: "d...@openbsd.org" <d...@openbsd.org> +Date: Fri, 3 Mar 2017 06:13:11 +0000 +Subject: upstream commit + +fix ssh-keygen -H accidentally corrupting known_hosts that +contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by +hostkeys_foreach() when hostname matching is in use, so we need to look for +the hash marker explicitly. + +Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528 + +Origin: https://anongit.mindrot.org/openssh.git/commit/?id=12d3767ba4c84c32150cbe6ff6494498780f12c9 +Bug-Debian: https://bugs.debian.org/851734 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1668093 +Last-Update: 2017-03-09 + +Patch-Name: ssh-keygen-hash-corruption.patch +--- + ssh-keygen.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssh-keygen.c b/ssh-keygen.c +index 2a7939bf..0833ee61 100644 +--- a/ssh-keygen.c ++++ b/ssh-keygen.c +@@ -1082,6 +1082,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx) + struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; + char *hashed, *cp, *hosts, *ohosts; + int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts); ++ int was_hashed = l->hosts[0] == HASH_DELIM; + + switch (l->status) { + case HKF_STATUS_OK: +@@ -1090,8 +1091,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx) + * Don't hash hosts already already hashed, with wildcard + * characters or a CA/revocation marker. + */ +- if ((l->match & HKF_MATCH_HOST_HASHED) != 0 || +- has_wild || l->marker != MRK_NONE) { ++ if (was_hashed || has_wild || l->marker != MRK_NONE) { + fprintf(ctx->out, "%s\n", l->line); + if (has_wild && !find_host) { + logit("%s:%ld: ignoring host name " diff -Nru openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch --- openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch 2017-03-14 13:41:39.000000000 +0000 @@ -0,0 +1,48 @@ +From a0f9daa9c3cc2b37b9707b228263eb717d201371 Mon Sep 17 00:00:00 2001 +From: "d...@openbsd.org" <d...@openbsd.org> +Date: Fri, 10 Mar 2017 03:18:24 +0000 +Subject: upstream commit + +correctly hash hosts with a port number. Reported by Josh +Powers in bz#2692; ok dtucker@ + +Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442 + +Origin: https://anongit.mindrot.org/openssh.git/commit/?id=8a2834454c73dfc1eb96453c0e97690595f3f4c2 +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2692 +Bug-Debian: https://bugs.debian.org/857736 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1670745 +Last-Update: 2017-03-14 + +Patch-Name: ssh-keyscan-hash-port.patch +--- + ssh-keyscan.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/ssh-keyscan.c b/ssh-keyscan.c +index c30d54e6..24b51ff1 100644 +--- a/ssh-keyscan.c ++++ b/ssh-keyscan.c +@@ -321,16 +321,17 @@ keygrab_ssh2(con *c) + } + + static void +-keyprint_one(char *host, struct sshkey *key) ++keyprint_one(const char *host, struct sshkey *key) + { + char *hostport; +- +- if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL) +- fatal("host_hash failed"); ++ const char *known_host, *hashed; + + hostport = put_host_port(host, ssh_port); ++ if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL) ++ fatal("host_hash failed"); ++ known_host = hash_hosts ? hashed : hostport; + if (!get_cert) +- fprintf(stdout, "%s ", hostport); ++ fprintf(stdout, "%s ", known_host); + sshkey_write(key, stdout); + fputs("\n", stdout); + free(hostport); unblock openssh/1:7.4p1-8 Thanks, -- Colin Watson [cjwat...@debian.org]
signature.asc
Description: Digital signature
