Version in base suite: 7.9p1-10+deb10u1
Base version: openssh_7.9p1-10+deb10u1
Target version: openssh_7.9p1-10+deb10u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssh/openssh_7.9p1-10+deb10u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssh/openssh_7.9p1-10+deb10u2.dsc
 .git-dpm | 4 +--
 .gitignore | 17 +++++++++++++
 changelog | 10 +++++++
 patches/sandbox-seccomp-ipc.patch | 48 ++++++++++++++++++++++++++++++++++++++
 patches/series | 1
 5 files changed, 78 insertions(+), 2 deletions(-)
diff -Nru openssh-7.9p1/debian/.git-dpm openssh-7.9p1/debian/.git-dpm
--- openssh-7.9p1/debian/.git-dpm	2019-10-06 18:17:34.000000000 +0000
+++ openssh-7.9p1/debian/.git-dpm	2020-01-31 20:55:34.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-35956d8211ef0a606a117ca3f0ba3ae163c31a39
-35956d8211ef0a606a117ca3f0ba3ae163c31a39
+6f794127bd7d332c1d88a3e35eda97dac4530a15
+6f794127bd7d332c1d88a3e35eda97dac4530a15
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 openssh_7.9p1.orig.tar.gz
diff -Nru openssh-7.9p1/debian/.gitignore openssh-7.9p1/debian/.gitignore
--- openssh-7.9p1/debian/.gitignore	1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.9p1/debian/.gitignore	2020-01-31 20:55:34.000000000 +0000
@@ -0,0 +1,17 @@
+/*.debhelper*
+/*substvars
+/build-deb
+/build-udeb
+/files
+/keygen-test/key1
+/keygen-test/key1.pub
+/keygen-test/key2
+/keygen-test/key2.pub
+/openssh-client
+/openssh-client-udeb
+/openssh-server
+/openssh-server-udeb
+/ssh
+/ssh-askpass-gnome
+/ssh-krb5
+/tmp
diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog
--- openssh-7.9p1/debian/changelog	2019-10-06 18:18:07.000000000 +0000
+++ openssh-7.9p1/debian/changelog	2020-01-31 20:55:34.000000000 +0000
@@ -1,3 +1,13 @@
+openssh (1:7.9p1-10+deb10u2) buster; urgency=medium
+
+  * Apply upstream patch to deny (non-fatally) ipc in the seccomp sandbox,
+    fixing failures with OpenSSL 1.1.1d and Linux < 3.19 on some
+    architectures (closes: #946242). Note that this also drops the previous
+    change to allow ipc on s390, since upstream has security concerns with
+    that and it doesn't currently seem to be needed.
+
+ -- Colin Watson  Fri, 31 Jan 2020 20:55:34 +0000
+
 openssh (1:7.9p1-10+deb10u1) buster-security; urgency=high
 
   * Apply upstream patch to deny (non-fatally) shmget/shmat/shmdt in preauth
diff -Nru openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch
--- openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch	1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.9p1/debian/patches/sandbox-seccomp-ipc.patch	2020-01-31 20:55:34.000000000 +0000
@@ -0,0 +1,48 @@
+From 6f794127bd7d332c1d88a3e35eda97dac4530a15 Mon Sep 17 00:00:00 2001
+From: Jeremy Drake
+Date: Fri, 11 Oct 2019 18:31:05 -0700
+Subject: Deny (non-fatal) ipc in preauth privsep child.
+
+As noted in openssh/openssh-portable#149, i386 does not have have
+_NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc,
+https://linux.die.net/man/2/ipc). Add this syscall, if present, to the
+list of syscalls that seccomp will deny non-fatally.
+
+[cjwatson: For backporting to buster, I've dropped the previous change
+to allow ipc on s390. Upstream refused that since it opens security
+weaknesses and doesn't currently seem to be needed, so I'd already
+dropped that for bullseye.]
+
+Bug-Debian: https://bugs.debian.org/946242
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89
+Last-Update: 2020-01-11
+
+Patch-Name: sandbox-seccomp-ipc.patch
+---
+ sandbox-seccomp-filter.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e8f31555e..9b6aea8db 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -158,6 +158,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_shmdt
+ 	SC_DENY(__NR_shmdt, EACCES),
+ #endif
++#ifdef __NR_ipc
++	SC_DENY(__NR_ipc, EACCES),
++#endif
+ 
+ 	/* Syscalls to permit */
+ #ifdef __NR_brk
+@@ -205,9 +208,6 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_getuid32
+ 	SC_ALLOW(__NR_getuid32),
+ #endif
+-#if defined(__NR_ipc) && defined(__s390__)
+-	SC_ALLOW(__NR_ipc),
+-#endif
+ #ifdef __NR_madvise
+ 	SC_ALLOW(__NR_madvise),
+ #endif
diff -Nru openssh-7.9p1/debian/patches/series openssh-7.9p1/debian/patches/series
--- openssh-7.9p1/debian/patches/series	2019-10-06 18:17:34.000000000 +0000
+++ openssh-7.9p1/debian/patches/series	2020-01-31 20:55:34.000000000 +0000
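Review bot: The new `#ifdef __NR_ipc` / `SC_DENY(__NR_ipc, EACCES)` block in the nested hunk at `@@ -158,6 +158,9 @@` carries no comment, yet it is broader than the per-syscall shm denials just above it: ipc(2) is a multiplexer, so this entry rejects the semaphore and message-queue subcalls as well as the shared-memory ones, and the reasoning currently lives only in the commit message. A one-line comment would keep that visible to whoever next edits the filter, e.g. `/* ipc(2) multiplexes shm*, sem* and msg*; deny the whole family non-fatally (EACCES), like shmget/shmat/shmdt above */`. Since the filter instructions are evaluated in order and this deny sits before the "Syscalls to permit" section, it would appear to take precedence over any later allow on s390, which is consistent with the second hunk dropping the `defined(__s390__)` allow without changing the effective policy there. The enclosing `preauth_insns[]` array starts and ends outside both nested hunks.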
@@ -33,3 +33,4 @@
 scp-handle-braces.patch
 revert-ipqos-defaults.patch
 seccomp-handle-shm.patch
+sandbox-seccomp-ipc.patch