Your message dated Wed, 15 Mar 2017 20:13:27 +0000
with message-id <e1cofiv-0005hl...@respighi.debian.org>
and subject line unblock openssh
has caused the Debian Bug report #857741,
regarding unblock (pre-approval): openssh/1:7.4p1-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857741: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857741
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

I'd like to upload openssh 1:7.4p1-8 containing two fixes cherry-picked
from upstream, and am seeking pre-approval.  One of the fixes is for
data corruption in ssh-keygen and I think should be uncontroversial
(severity: serious).  The other is incorrect output from ssh-keyscan
that turned up in bug reports related to the ssh-keygen bug; I can't
quite justify severity: serious for it, but it's a small patch and I'd
like to include it while I'm here.

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm       2017-03-05 02:11:08.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm       2017-03-14 13:41:39.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e18d2ba71e6bf009c53e65509da84b712c300471
-e18d2ba71e6bf009c53e65509da84b712c300471
+a0f9daa9c3cc2b37b9707b228263eb717d201371
+a0f9daa9c3cc2b37b9707b228263eb717d201371
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog      2017-03-05 02:12:42.000000000 +0000
+++ openssh-7.4p1/debian/changelog      2017-03-14 13:49:14.000000000 +0000
@@ -1,3 +1,12 @@
+openssh (1:7.4p1-8) unstable; urgency=medium
+
+  * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
+    already-hashed entries (closes: #851734, LP: #1668093).
+  * Fix ssh-keyscan to correctly hash hosts with a port number (closes:
+    #857736, LP: #1670745).
+
+ -- Colin Watson <cjwat...@debian.org>  Tue, 14 Mar 2017 13:49:14 +0000
+
 openssh (1:7.4p1-7) unstable; urgency=medium
 
   * Don't set "PermitRootLogin yes" on fresh installations (regression
diff -Nru openssh-7.4p1/debian/patches/series 
openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series 2017-03-05 02:11:08.000000000 +0000
+++ openssh-7.4p1/debian/patches/series 2017-03-14 13:41:39.000000000 +0000
@@ -30,3 +30,5 @@
 sandbox-x32-workaround.patch
 no-dsa-host-key-by-default.patch
 restore-authorized_keys2.patch
+ssh-keygen-hash-corruption.patch
+ssh-keyscan-hash-port.patch
diff -Nru openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch 
openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch
--- openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch       
1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/ssh-keygen-hash-corruption.patch       
2017-03-14 13:41:32.000000000 +0000
@@ -0,0 +1,44 @@
+From 78800aa252da1ebbfb55f7e593f43c337e694cc3 Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" <d...@openbsd.org>
+Date: Fri, 3 Mar 2017 06:13:11 +0000
+Subject: upstream commit
+
+fix ssh-keygen -H accidentally corrupting known_hosts that
+contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
+hostkeys_foreach() when hostname matching is in use, so we need to look for
+the hash marker explicitly.
+
+Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
+
+Origin: 
https://anongit.mindrot.org/openssh.git/commit/?id=12d3767ba4c84c32150cbe6ff6494498780f12c9
+Bug-Debian: https://bugs.debian.org/851734
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1668093
+Last-Update: 2017-03-09
+
+Patch-Name: ssh-keygen-hash-corruption.patch
+---
+ ssh-keygen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 2a7939bf..0833ee61 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -1082,6 +1082,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void 
*_ctx)
+       struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
+       char *hashed, *cp, *hosts, *ohosts;
+       int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
++      int was_hashed = l->hosts[0] == HASH_DELIM;
+ 
+       switch (l->status) {
+       case HKF_STATUS_OK:
+@@ -1090,8 +1091,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void 
*_ctx)
+                * Don't hash hosts already already hashed, with wildcard
+                * characters or a CA/revocation marker.
+                */
+-              if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||
+-                  has_wild || l->marker != MRK_NONE) {
++              if (was_hashed || has_wild || l->marker != MRK_NONE) {
+                       fprintf(ctx->out, "%s\n", l->line);
+                       if (has_wild && !find_host) {
+                               logit("%s:%ld: ignoring host name "
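Review bot: in the first ssh-keygen.c hunk, the new initialiser `int was_hashed = l->hosts[0] == HASH_DELIM;` dereferences `l->hosts` unconditionally, while the `has_wild` initialiser directly above it guards the same pointer with `l->hosts &&`. Both run before the `switch (l->status)`, so any line for which `hostkeys_foreach()` hands back a NULL `l->hosts` (the case the existing guard exists for) would be dereferenced before the status check. Suggest matching the guard: `int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;`.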
diff -Nru openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch 
openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch
--- openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch    1970-01-01 
01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/ssh-keyscan-hash-port.patch    2017-03-14 
13:41:39.000000000 +0000
@@ -0,0 +1,48 @@
+From a0f9daa9c3cc2b37b9707b228263eb717d201371 Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" <d...@openbsd.org>
+Date: Fri, 10 Mar 2017 03:18:24 +0000
+Subject: upstream commit
+
+correctly hash hosts with a port number. Reported by Josh
+Powers in bz#2692; ok dtucker@
+
+Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
+
+Origin: 
https://anongit.mindrot.org/openssh.git/commit/?id=8a2834454c73dfc1eb96453c0e97690595f3f4c2
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2692
+Bug-Debian: https://bugs.debian.org/857736
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1670745
+Last-Update: 2017-03-14
+
+Patch-Name: ssh-keyscan-hash-port.patch
+---
+ ssh-keyscan.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index c30d54e6..24b51ff1 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -321,16 +321,17 @@ keygrab_ssh2(con *c)
+ }
+ 
+ static void
+-keyprint_one(char *host, struct sshkey *key)
++keyprint_one(const char *host, struct sshkey *key)
+ {
+       char *hostport;
+-
+-      if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
+-              fatal("host_hash failed");
++      const char *known_host, *hashed;
+ 
+       hostport = put_host_port(host, ssh_port);
++      if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
++              fatal("host_hash failed");
++      known_host = hash_hosts ? hashed : hostport;
+       if (!get_cert)
+-              fprintf(stdout, "%s ", hostport);
++              fprintf(stdout, "%s ", known_host);
+       sshkey_write(key, stdout);
+       fputs("\n", stdout);
+       free(hostport);
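Review bot: in the ssh-keyscan.c hunk the hashed branch computes `hashed = host_hash(host, NULL, 0)` while the unhashed branch prints `hostport`, so when `ssh_port` is not the default the hashed entry no longer carries the port at all; the ssh client looks hashed entries up under the `[host]:port` form for non-default ports, so please confirm whether `host_hash(hostport, NULL, 0)` is the intended input given that the patch is described as fixing hashing of hosts with a port number. Separately, only `hostport` is freed at the end of the function; if `host_hash` returns a heap-allocated string (its NULL-on-failure return suggests it does), `hashed` leaks once per printed key, as it already did before this change, and freeing it next to `free(hostport)` would close that.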

unblock openssh/1:7.4p1-8

Thanks,

-- 
Colin Watson                                       [cjwat...@debian.org]



--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
