** Changed in: openssh (Ubuntu Xenial)
       Status: New => In Progress

** Description changed:

+ [Test plan]
+ 
+ ** NOT REPRODUCIBLE ON MY SIDE **
+ 
+ This seems to be a corner case generated by the Defensics fuzzer test
+ suite (proprietary software from synopsys).
+ 
+ That's the only way this could have been reproduced so far.
+ 
+ [Where problem could occur]
+ 
+ [Other information]
+ 
+ Upstream fix:
+ https://github.com/openssh/openssh-portable/commit/2adbe1e63bc313d03e8e84e652cc623af8ebb163
+ 
+ Only Xenial requires the fix:
+ 
+ # git describe --contains 2adbe1e
+ V_7_5_P1~7
+ 
+ # rmadison openssh
+  => openssh | 1:7.2p2-4ubuntu2.10 | xenial-updates  | source
+     openssh | 1:7.6p1-4           | bionic          | source
+     openssh | 1:7.6p1-4ubuntu0.3  | bionic-security | source
+     openssh | 1:7.6p1-4ubuntu0.3  | bionic-updates  | source
+     openssh | 1:7.6p1-4ubuntu0.4  | bionic-proposed | source
+     openssh | 1:8.2p1-4           | focal           | source
+     openssh | 1:8.2p1-4ubuntu0.2  | focal-security  | source
+     openssh | 1:8.2p1-4ubuntu0.2  | focal-updates   | source
+     openssh | 1:8.3p1-1           | groovy          | source
+     openssh | 1:8.3p1-1ubuntu0.1  | groovy-security | source
+     openssh | 1:8.3p1-1ubuntu0.1  | groovy-updates  | source
+     openssh | 1:8.4p1-5ubuntu1    | hirsute         | source
+     openssh | 1:8.4p1-5ubuntu1    | impish          | source

** Changed in: openssh (Ubuntu)
       Status: New => Fix Released

** Changed in: openssh (Ubuntu Xenial)
   Importance: Undecided => Medium

** Description changed:

- As of today, I have no access to a reproducer. Still working on getting
- access to one (if possible) in order to better understand what the
- failing test scenario is doing.
+ As of today, I have no access to a reproducer.

** Description changed:

- $ gdb $(which sshd) core.cic-1.domain.tld.1612566260.sshd.20731
+ $ gdb $(which sshd) <OBFUSCATED>.sshd.20731

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1930286

Title:
  Defensics' synopsys fuzzer testing tool cause openssh to segfault

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Xenial:
  In Progress

Bug description:
  [Impact]

  Here's what has been brought to my attention by a UA customer:

  * Release: Xenial/16.04LTS
  * Openssh version: 7.2p2-4ubuntu2.10
  * Fuzzer tool used:
    https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html
    (proprietary software)

  As of today, I have no access to a reproducer.

  * coredump:

  $ gdb $(which sshd) <OBFUSCATED>.sshd.20731
  ...
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  Core was generated by `sshd: [net] '.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
  136     ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
  (gdb) bt
  #0  __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
  #1  0x00007fec25b241db in memcpy (__len=<optimized out>, __src=0x0, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:53
  #2  aes_gcm_ctrl (c=0x558a7ae19758, type=<optimized out>, arg=<optimized out>, ptr=0x0) at e_aes.c:1189
  #3  0x00007fec25b20897 in EVP_CIPHER_CTX_ctrl (ctx=ctx@entry=0x558a7ae19758, type=type@entry=18, arg=arg@entry=-1, ptr=ptr@entry=0x0) at evp_enc.c:619
  #4  0x0000558a7953f54c in cipher_init (cc=cc@entry=0x558a7ae19750, cipher=0x558a797b3ef0 <ciphers+720>, key=0x0, keylen=32, iv=0x0, ivlen=<optimized out>, do_encrypt=0) at ../cipher.c:336
  #5  0x0000558a7954521a in ssh_set_newkeys (ssh=ssh@entry=0x558a7ae18ef0, mode=mode@entry=0) at ../packet.c:919
  #6  0x0000558a7955ae92 in kex_input_newkeys (type=<optimized out>, seq=<optimized out>, ctxt=0x558a7ae18ef0) at ../kex.c:434
  #7  0x0000558a7954d269 in ssh_dispatch_run (ssh=ssh@entry=0x558a7ae18ef0, mode=0, done=0x558a7ae18278, ctxt=0x558a7ae18ef0) at ../dispatch.c:119
  #8  0x0000558a7954d2b9 in ssh_dispatch_run_fatal (ssh=0x558a7ae18ef0, mode=<optimized out>, done=<optimized out>, ctxt=<optimized out>) at ../dispatch.c:140
  #9  0x0000558a79502770 in do_ssh2_kex () at ../sshd.c:2744
  #10 main (ac=<optimized out>, av=<optimized out>) at ../sshd.c:2301
  (gdb)

  [Test plan]

  ** NOT REPRODUCIBLE ON MY SIDE **

  This seems to be a corner case generated by the Defensics fuzzer test
  suite (proprietary software from synopsys).

  That's the only way this could have been reproduced so far.

  [Where problem could occur]

  [Other information]

  Upstream fix:
  https://github.com/openssh/openssh-portable/commit/2adbe1e63bc313d03e8e84e652cc623af8ebb163

  Only Xenial requires the fix:

  # git describe --contains 2adbe1e
  V_7_5_P1~7

  # rmadison openssh
   => openssh | 1:7.2p2-4ubuntu2.10 | xenial-updates  | source
      openssh | 1:7.6p1-4           | bionic          | source
      openssh | 1:7.6p1-4ubuntu0.3  | bionic-security | source
      openssh | 1:7.6p1-4ubuntu0.3  | bionic-updates  | source
      openssh | 1:7.6p1-4ubuntu0.4  | bionic-proposed | source
      openssh | 1:8.2p1-4           | focal           | source
      openssh | 1:8.2p1-4ubuntu0.2  | focal-security  | source
      openssh | 1:8.2p1-4ubuntu0.2  | focal-updates   | source
      openssh | 1:8.3p1-1           | groovy          | source
      openssh | 1:8.3p1-1ubuntu0.1  | groovy-security | source
      openssh | 1:8.3p1-1ubuntu0.1  | groovy-updates  | source
      openssh | 1:8.4p1-5ubuntu1    | hirsute         | source
      openssh | 1:8.4p1-5ubuntu1    | impish          | source

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1930286/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
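The backtrace in the bug description shows cipher_init() being reached from kex_input_newkeys() with key=0x0 and iv=0x0, so the crypto backend's memcpy() dereferences NULL: a NEWKEYS message was processed at a point where no key exchange had produced key material. The C program below is an added illustration written for this page, not OpenSSH's code and not the contents of the upstream commit, of the defensive pattern that closes that path: the NEWKEYS handler refuses to install keys until a key exchange has actually derived them, and cipher_init() rejects NULL key/IV pointers instead of handing them to the backend. Every name in it (ssh_state, newkeys, backend_set_key_iv, fake_kex_complete) and all key bytes are constructed for the example; only the call order and the mode/keylen values mirror the backtrace.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction of the crashing call chain, NOT OpenSSH code:
 * kex_input_newkeys -> ssh_set_newkeys -> cipher_init.  The backtrace shows
 * cipher_init reached with key=0x0 and iv=0x0 for mode=0. */

#define MODE_IN  0
#define MODE_OUT 1
#define KEYLEN   32   /* matches keylen=32 in the backtrace (256-bit key) */
#define IVLEN    12   /* constructed GCM nonce length for the example */

enum { OK = 0, ERR_NO_KEYS = -1, ERR_BAD_ARG = -2 };

struct cipher_ctx {
    unsigned char key[KEYLEN];
    unsigned char iv[IVLEN];
    int initialised;
};

struct newkeys {               /* stand-in for per-direction KEX output */
    unsigned char key[KEYLEN];
    unsigned char iv[IVLEN];
};

struct ssh_state {
    struct newkeys *newkeys[2]; /* NULL until a key exchange fills them */
    struct cipher_ctx cc[2];
    int kex_done;
};

/* Stand-in for the EVP_CIPHER_CTX_ctrl() call in frame #3: it memcpy()s
 * from the caller's pointers, which is exactly what faults on NULL. */
static void backend_set_key_iv(struct cipher_ctx *cc,
                               const unsigned char *key,
                               const unsigned char *iv)
{
    memcpy(cc->key, key, KEYLEN);
    memcpy(cc->iv, iv, IVLEN);
    cc->initialised = 1;
}

/* Hardened cipher_init: validate pointers and lengths before the backend
 * sees them, so a missing key is an error code rather than a SIGSEGV. */
int cipher_init(struct cipher_ctx *cc, const unsigned char *key, size_t keylen,
                const unsigned char *iv, size_t ivlen)
{
    if (cc == NULL || key == NULL || keylen != KEYLEN)
        return ERR_BAD_ARG;
    if (ivlen > 0 && iv == NULL)
        return ERR_BAD_ARG;
    backend_set_key_iv(cc, key, iv);
    return OK;
}

int ssh_set_newkeys(struct ssh_state *ssh, int mode)
{
    struct newkeys *nk = ssh->newkeys[mode];
    if (nk == NULL)            /* no KEX has run for this direction yet */
        return ERR_NO_KEYS;
    return cipher_init(&ssh->cc[mode], nk->key, KEYLEN, nk->iv, IVLEN);
}

/* The state check a NEWKEYS handler needs: an out-of-sequence NEWKEYS is a
 * protocol error and must not try to install keys that do not exist. */
int kex_input_newkeys(struct ssh_state *ssh, int mode)
{
    if (!ssh->kex_done)
        return ERR_NO_KEYS;
    return ssh_set_newkeys(ssh, mode);
}

/* Constructed key derivation standing in for a completed key exchange. */
void fake_kex_complete(struct ssh_state *ssh, struct newkeys *in,
                       struct newkeys *out)
{
    memset(in->key, 0x11, KEYLEN);  memset(in->iv, 0x22, IVLEN);
    memset(out->key, 0x33, KEYLEN); memset(out->iv, 0x44, IVLEN);
    ssh->newkeys[MODE_IN] = in;
    ssh->newkeys[MODE_OUT] = out;
    ssh->kex_done = 1;
}

int main(void)
{
    struct ssh_state ssh;
    struct newkeys in, out;
    memset(&ssh, 0, sizeof ssh);

    /* 1. NEWKEYS before any KEX: rejected, no NULL pointer reaches memcpy. */
    printf("early NEWKEYS -> %d\n", kex_input_newkeys(&ssh, MODE_IN));

    /* 2. NEWKEYS after KEX: accepted, cipher context populated. */
    fake_kex_complete(&ssh, &in, &out);
    printf("NEWKEYS after KEX -> %d, initialised=%d\n",
           kex_input_newkeys(&ssh, MODE_IN), ssh.cc[MODE_IN].initialised);
    return 0;
}
```

The two guards are deliberately redundant: the state check in kex_input_newkeys() is the protocol-level fix, while the argument check in cipher_init() is defence in depth so that any other caller supplying absent key material fails closed instead of crashing the pre-auth sshd [net] process.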