Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

After upgrade openssh client from 8.8 to 8.9 rejects tinyssh
connections.

[ Reason ]
Tinyssh has very strict packet_length checking and when 
client doesn't horor max. packet lenght, closes the connection.

[ Impact ]
Using new openss client 8.9 stoped tinyssh working,
rejects all connections.

[ Tests ]
The bug was catched by autopkgtest e.g. here:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/t/tinyssh/20220226_180547_e244f@/log.gz

And can be triggered manually using 2 versions openssh:
~~~
openssh-8.8p1# ./ssh test@127.0.0.1 "cat >/tmp/testfile2" < /tmp/testfile1 && 
echo OK || echo BAD
OK

openssh-8.9p1# ./ssh test@127.0.0.1 "cat >/tmp/testfile2" < /tmp/testfile1 && 
echo OK || echo BAD
client_loop: send disconnect: Broken pipe
BAD
~~~

After fix:
~~~
openssh-8.9p1# ./ssh test@127.0.0.1 "cat >/tmp/testfile2" < /tmp/testfile1 && 
echo OK || echo BAD
OK
~~~


[ Risks ]
Patch is trivial.
And already applied in ubuntu: 
http://launchpadlibrarian.net/590133636/tinyssh_20190101-1build1_20190101-1ubuntu1.diff.gz

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

diff -Nru tinyssh-20190101/debian/changelog tinyssh-20190101/debian/changelog
--- tinyssh-20190101/debian/changelog   2019-01-02 06:01:58.000000000 +0100
+++ tinyssh-20190101/debian/changelog   2022-03-19 08:28:29.000000000 +0100
@@ -1,3 +1,10 @@
+tinyssh (20190101-1+deb11u1) bullseye; urgency=medium
+
+  * Workaround for incoming packets that doesn't honor
+      the max. packet length (Closes: 1006801)
+
+ -- Jan Mojžíš <jan.moj...@gmail.com>  Sat, 19 Mar 2022 08:28:29 +0100
+
 tinyssh (20190101-1) unstable; urgency=medium
 
   * d/tests - added 03exitcodes test, it creates ssh connection, exits
diff -Nru tinyssh-20190101/debian/patches/series 
tinyssh-20190101/debian/patches/series
--- tinyssh-20190101/debian/patches/series      1970-01-01 01:00:00.000000000 
+0100
+++ tinyssh-20190101/debian/patches/series      2022-03-19 08:28:29.000000000 
+0100
@@ -0,0 +1 @@
+workaround-1006801-packet-length.patch
diff -Nru 
tinyssh-20190101/debian/patches/workaround-1006801-packet-length.patch 
tinyssh-20190101/debian/patches/workaround-1006801-packet-length.patch
--- tinyssh-20190101/debian/patches/workaround-1006801-packet-length.patch      
1970-01-01 01:00:00.000000000 +0100
+++ tinyssh-20190101/debian/patches/workaround-1006801-packet-length.patch      
2022-03-19 08:28:29.000000000 +0100
@@ -0,0 +1,24 @@
+From: Jan Mojzis <jan.moj...@gmail.com>
+Date: Sat, 19 Mar 2022 08:36:48 +0100
+Origin: 
https://github.com/janmojzis/tinyssh/commit/0613ae9ef2fbac88522c8312456fb64d14020597
+Subject: Workaround for incoming packets that doesn't honor
+      the max. packet length
+
+Index: tinyssh-20190101/tinyssh/packet_channel_open.c
+===================================================================
+--- tinyssh-20190101.orig/tinyssh/packet_channel_open.c
++++ tinyssh-20190101/tinyssh/packet_channel_open.c
+@@ -49,7 +49,12 @@ int packet_channel_open(struct buf *b1,
+             buf_putnum32(b2, id);                                   /* uint32 
   recipient channel */
+             buf_putnum32(b2, id);                                   /* uint32 
   sender channel */
+             buf_putnum32(b2, localwindow);                          /* uint32 
   initial window size */
+-            buf_putnum32(b2, PACKET_LIMIT);                         /* uint32 
   maximum packet size */
++            /*
++            XXX
++            use PACKET_LIMIT/2 as maximum packet size,
++            workaround for miscalculated packet_length
++            */
++            buf_putnum32(b2, PACKET_LIMIT / 2);                     /* uint32 
   maximum packet size */
+             packet_put(b2);
+             buf_purge(b2);
+             return 1;

Reply via email to