Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

https://bugs.debian.org/946242 reports an OpenSSH regression on old
kernels on certain architectures (e.g. i386) prompted by the interaction
between an OpenSSL update and a seccomp filter.  It's essentially the
same as https://bugs.debian.org/941663, but at the time we didn't notice
that the exact set of syscalls involved varies between architectures due
to details of how the shm* library functions are implemented in glibc.
I've attached the diff and would like approval to upload it.

In https://bugs.debian.org/941810 we decided that it was best to issue
this via buster-security; I think that would be the correct thing to do
here as well, so I've CCed team@security.  However, I'm filing this as a
stable update request just in case there's disagreement about that for
some reason.

Thanks,

-- 
Colin Watson                                       [cjwat...@debian.org]
diff -Nru openssh-7.9p1/debian/.git-dpm openssh-7.9p1/debian/.git-dpm
--- openssh-7.9p1/debian/.git-dpm       2019-10-06 19:17:34.000000000 +0100
+++ openssh-7.9p1/debian/.git-dpm       2020-01-12 00:06:24.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-35956d8211ef0a606a117ca3f0ba3ae163c31a39
-35956d8211ef0a606a117ca3f0ba3ae163c31a39
+6f794127bd7d332c1d88a3e35eda97dac4530a15
+6f794127bd7d332c1d88a3e35eda97dac4530a15
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 openssh_7.9p1.orig.tar.gz
diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog
--- openssh-7.9p1/debian/changelog      2019-10-06 19:18:07.000000000 +0100
+++ openssh-7.9p1/debian/changelog      2020-01-12 00:06:36.000000000 +0000
@@ -1,3 +1,13 @@
+openssh (1:7.9p1-10+deb10u2) UNRELEASED; urgency=medium
+
+  * Apply upstream patch to deny (non-fatally) ipc in the seccomp sandbox,
+    fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some
+    architectures (closes: #946242).  Note that this also drops the previous
+    change to allow ipc on s390, since upstream has security concerns with
+    that and it doesn't currently seem to be needed.
+
+ -- Colin Watson <cjwat...@debian.org>  Sun, 12 Jan 2020 00:06:36 +0000
+
 openssh (1:7.9p1-10+deb10u1) buster-security; urgency=high
 
   * Apply upstream patch to deny (non-fatally) shmget/shmat/shmdt in preauth
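Review bot: the new changelog entry still carries UNRELEASED as its distribution; before upload it needs the target suite (buster-security if that route is agreed as in #941810, otherwise buster), and the urgency may want to match the previous deb10u1 entry if it goes via security. The entry text itself matches the attached patch: ipc is denied non-fatally and the s390-specific allow is dropped, so nothing else in the hunk needs changing.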
diff -Nru openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch 
openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch
--- openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch      1970-01-01 
01:00:00.000000000 +0100
+++ openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch      2020-01-12 
00:06:24.000000000 +0000
@@ -0,0 +1,48 @@
+From 6f794127bd7d332c1d88a3e35eda97dac4530a15 Mon Sep 17 00:00:00 2001
+From: Jeremy Drake <git...@jdrake.com>
+Date: Fri, 11 Oct 2019 18:31:05 -0700
+Subject: Deny (non-fatal) ipc in preauth privsep child.
+
+As noted in openssh/openssh-portable#149, i386 does not have have
+_NR_shmget etc.  Instead, it has a single ipc syscall (see man 2 ipc,
+https://linux.die.net/man/2/ipc).  Add this syscall, if present, to the
+list of syscalls that seccomp will deny non-fatally.
+
+[cjwatson: For backporting to buster, I've dropped the previous change
+to allow ipc on s390.  Upstream refused that since it opens security
+weaknesses and doesn't currently seem to be needed, so I'd already
+dropped that for bullseye.]
+
+Bug-Debian: https://bugs.debian.org/946242
+Origin: backport, 
https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
+Last-Update: 2020-01-11
+
+Patch-Name: sandbox-seccomp-ipc.patch
+---
+ sandbox-seccomp-filter.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e8f31555e..9b6aea8db 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -158,6 +158,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_shmdt
+       SC_DENY(__NR_shmdt, EACCES),
+ #endif
++#ifdef __NR_ipc
++      SC_DENY(__NR_ipc, EACCES),
++#endif
+ 
+       /* Syscalls to permit */
+ #ifdef __NR_brk
+@@ -205,9 +208,6 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_getuid32
+       SC_ALLOW(__NR_getuid32),
+ #endif
+-#if defined(__NR_ipc) && defined(__s390__)
+-      SC_ALLOW(__NR_ipc),
+-#endif
+ #ifdef __NR_madvise
+       SC_ALLOW(__NR_madvise),
+ #endif
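Review bot: the first inner hunk adds `SC_DENY(__NR_ipc, EACCES)` next to the existing shmdt denial, so on architectures that multiplex SysV IPC through ipc(2) (i386 and s390 among them) the whole shm/sem/msg family now returns EACCES to the preauth child instead of the filter killing the process; that is the non-fatal behaviour the bug asks for, but the changelog should say so explicitly since the deb10u1 entry only names shmget/shmat/shmdt. The second inner hunk removes `SC_ALLOW(__NR_ipc)` under `__s390__`, which flips s390 from allow to deny; the backport note says upstream refused the allow on security grounds and that it is not currently needed, so a quick sshd login test on an s390x buster kernel before upload would confirm the EACCES path is handled there too. Also note the `From:` hash (6f794127...) is the Debian packaging commit while the upstream commit is the one in the `Origin:` line (30f704eb...), consistent with the .git-dpm update above; the "have have" duplication in the description is cosmetic.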
diff -Nru openssh-7.9p1/debian/patches/series 
openssh-7.9p1/debian/patches/series
--- openssh-7.9p1/debian/patches/series 2019-10-06 19:17:34.000000000 +0100
+++ openssh-7.9p1/debian/patches/series 2020-01-12 00:06:24.000000000 +0000
@@ -33,3 +33,4 @@
 scp-handle-braces.patch
 revert-ipqos-defaults.patch
 seccomp-handle-shm.patch
+sandbox-seccomp-ipc.patch
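Review bot: ordering in series is correct: sandbox-seccomp-ipc.patch is appended after seccomp-handle-shm.patch, which supplies the `#ifdef __NR_shmdt` context lines the new hunk anchors on, so reversing the two would make the new patch fail to apply.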
