Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.) [ Reason ] OpenSSH in stable breaks on 32-bit architectures (at least armhf, reportedly also i386) after upgrading libc6 to the version in bookworm, due to changes in its system call interface that affect OpenSSH's seccomp sandbox. See https://bugs.debian.org/1004427. [ Impact ] Without this change, I'm concerned that sshd may be unavailable during part of an upgrade from bullseye to bookworm (or even make the machine inaccessible, if it's headless and the upgrade fails). Getting the sandbox tweak into bullseye at this stage would reduce that risk. [ Tests ] Existing autopkgtests are quite comprehensive and ensure that normal connections to sshd continue to work. They don't cover the case of upgrading to bookworm's libc6 and restarting sshd; that would need to be done manually. [ Risks ] I think the only real risk here is the usual residual misbuild risk from any update, which autopkgtests would catch. The actual code change just adds another allow rule to a seccomp filter. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable (modulo finalizing the changelog) [x] the issue is verified as fixed in unstable (fixed upstream as of OpenSSH 8.5p1, which has been in unstable since November) [ Changes ] An extra SC_ALLOW(__NR_pselect6_time64) if that syscall is defined. -- Colin Watson (he/him) [cjwat...@debian.org]
diff -Nru openssh-8.4p1/debian/.git-dpm openssh-8.4p1/debian/.git-dpm --- openssh-8.4p1/debian/.git-dpm 2021-03-13 09:59:40.000000000 +0000 +++ openssh-8.4p1/debian/.git-dpm 2022-02-25 16:09:00.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -421db3656dcafbe810226463bf27a18a0b1c3186 -421db3656dcafbe810226463bf27a18a0b1c3186 +ed99ef256258d8556dbe39d976c2528ede050f14 +ed99ef256258d8556dbe39d976c2528ede050f14 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb openssh_8.4p1.orig.tar.gz diff -Nru openssh-8.4p1/debian/changelog openssh-8.4p1/debian/changelog --- openssh-8.4p1/debian/changelog 2021-03-13 09:59:40.000000000 +0000 +++ openssh-8.4p1/debian/changelog 2022-02-25 16:09:00.000000000 +0000 @@ -1,3 +1,11 @@ +openssh (1:8.4p1-5+deb11u1) UNRELEASED; urgency=medium + + * Backport from upstream: + - Add new pselect6_time64 syscall on 32-bit architectures (closes: + #1004427). + + -- Colin Watson <cjwat...@debian.org> Fri, 25 Feb 2022 16:09:00 +0000 + openssh (1:8.4p1-5) unstable; urgency=high * CVE-2021-28041: Fix double free in ssh-agent(1) (closes: #984940). diff -Nru openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch --- openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-8.4p1/debian/patches/sandbox-pselect6_time64.patch 2022-02-25 16:09:00.000000000 +0000 @@ -0,0 +1,32 @@ +From ed99ef256258d8556dbe39d976c2528ede050f14 Mon Sep 17 00:00:00 2001 +From: Darren Tucker <dtuc...@dtucker.net> +Date: Fri, 20 Nov 2020 13:37:54 +1100 +Subject: Add new pselect6_time64 syscall on ARM. + +This is apparently needed on armhfp/armv7hl. bz#3232, patch from +jjelen at redhat.com. + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=0f90440ca70abab947acbd77795e9f130967956c +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3232 +Bug-Debian: https://bugs.debian.org/1004427 +Last-Update: 2022-02-25 + +Patch-Name: sandbox-pselect6_time64.patch +--- + sandbox-seccomp-filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index e0768c063..5065ae7ef 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_pselect6 + SC_ALLOW(__NR_pselect6), + #endif ++#ifdef __NR_pselect6_time64 ++ SC_ALLOW(__NR_pselect6_time64), ++#endif + #ifdef __NR_read + SC_ALLOW(__NR_read), + #endif diff -Nru openssh-8.4p1/debian/patches/series openssh-8.4p1/debian/patches/series --- openssh-8.4p1/debian/patches/series 2021-03-13 09:59:40.000000000 +0000 +++ openssh-8.4p1/debian/patches/series 2022-02-25 16:09:00.000000000 +0000 @@ -26,3 +26,4 @@ revert-x32-sandbox-breakage.patch ssh-copy-id-heredoc-syntax.patch ssh-agent-double-free.patch +sandbox-pselect6_time64.patch
