authorColin Watson <cjwatson@debian.org>2016-07-22 14:36:32 +0100
committerColin Watson <cjwatson@debian.org>2016-07-22 14:37:21 +0100
commit4e620d6d9ebe0eda9ceddb28134d1fc465dd925c (patch)
tree49d0d071456b5cf98beef530c365a873c676519b
parenteb0633f934e5bd9d4d0c5ed9bd0b54951b8d9323 (diff)
parent751d1f6494fb3ffd75188de7390c28725a5b91a6 (diff)
Backport upstream patch to close ControlPersist background process stderr when not in debug mode or when logging to a file or syslog (closes: #714526).
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog3
-rw-r--r--debian/patches/control-persist-close-stderr.patch59
-rw-r--r--debian/patches/series1
-rw-r--r--log.c2
-rw-r--r--ssh.c6
6 files changed, 70 insertions, 5 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 8da19debc..782b862df 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2abde8dda29c2db2405d6fbca2fe022430e2c1177 2751d1f6494fb3ffd75188de7390c28725a5b91a6
3abde8dda29c2db2405d6fbca2fe022430e2c1177 3751d1f6494fb3ffd75188de7390c28725a5b91a6
4f0329aac23c61e1a5197d6d57349a63f459bccb0 4f0329aac23c61e1a5197d6d57349a63f459bccb0
5f0329aac23c61e1a5197d6d57349a63f459bccb0 5f0329aac23c61e1a5197d6d57349a63f459bccb0
6openssh_7.2p2.orig.tar.gz 6openssh_7.2p2.orig.tar.gz
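--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,9 @@ openssh (1:7.2p2-6) UNRELEASED; urgency=medium
  LP #1588457).
  * CVE-2016-6210: Mitigate user enumeration via covert timing channel
  (closes: #831902).
+ * Backport upstream patch to close ControlPersist background process
+ stderr when not in debug mode or when logging to a file or syslog
+ (closes: #714526).
 
  -- Colin Watson <cjwatson@debian.org> Sat, 30 Apr 2016 11:29:20 +0100
 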
diff --git a/debian/patches/control-persist-close-stderr.patch b/debian/patches/control-persist-close-stderr.patch
new file mode 100644
index 000000000..f800c0d13
--- /dev/null
+++ b/debian/patches/control-persist-close-stderr.patch
@@ -0,0 +1,59 @@
1From 751d1f6494fb3ffd75188de7390c28725a5b91a6 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Fri, 29 Apr 2016 08:07:53 +0000
4Subject: upstream commit
5
6close ControlPersist background process stderr when not
7 in debug mode or when logging to a file or syslog. bz#1988 ok dtucker
8
9Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
10
11Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d2d6bf864e52af8491a60dd507f85b74361f5da3
12Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1988
13Bug-Debian: https://bugs.debian.org/714526
14Last-Update: 2016-07-22
15
16Patch-Name: control-persist-close-stderr.patch
17---
18 log.c | 2 +-
19 ssh.c | 6 ++++--
20 2 files changed, 5 insertions(+), 3 deletions(-)
21
22diff --git a/log.c b/log.c
23index e68b84a..6c59641 100644
24--- a/log.c
25+++ b/log.c
26@@ -343,7 +343,7 @@ log_change_level(LogLevel new_log_level)
27 int
28 log_is_on_stderr(void)
29 {
30- return log_on_stderr;
31+ return log_on_stderr && log_stderr_fd == STDERR_FILENO;
32 }
33
34 /* redirect what would usually get written to stderr to specified file */
35diff --git a/ssh.c b/ssh.c
36index 314dd52..af39e72 100644
37--- a/ssh.c
38+++ b/ssh.c
39@@ -1392,7 +1392,7 @@ static void
40 control_persist_detach(void)
41 {
42 pid_t pid;
43- int devnull;
44+ int devnull, keep_stderr;
45
46 debug("%s: backgrounding master process", __func__);
47
48@@ -1423,8 +1423,10 @@ control_persist_detach(void)
49 error("%s: open(\"/dev/null\"): %s", __func__,
50 strerror(errno));
51 } else {
52+ keep_stderr = log_is_on_stderr() && debug_flag;
53 if (dup2(devnull, STDIN_FILENO) == -1 ||
54- dup2(devnull, STDOUT_FILENO) == -1)
55+ dup2(devnull, STDOUT_FILENO) == -1 ||
56+ (!keep_stderr && dup2(devnull, STDERR_FILENO) == -1))
57 error("%s: dup2: %s", __func__, strerror(errno));
58 if (devnull > STDERR_FILENO)
59 close(devnull);
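--- a/debian/patches/series
+++ b/debian/patches/series
@@ -30,3 +30,4 @@ unbreak-certificate-auth.patch
 CVE-2016-6210-1.patch
 CVE-2016-6210-2.patch
 CVE-2016-6210-3.patch
+control-persist-close-stderr.patch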
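--- a/log.c
+++ b/log.c
@@ -343,7 +343,7 @@ log_change_level(LogLevel new_log_level)
 int
 log_is_on_stderr(void)
 {
- return log_on_stderr;
+ return log_on_stderr && log_stderr_fd == STDERR_FILENO;
 }
 
 /* redirect what would usually get written to stderr to specified file */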
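Review bot: log_is_on_stderr() now answers a narrower question than its name states — whether log output goes to the process's actual fd 2, not merely "to stderr" — and the hunk adds no comment recording that shift. Any other caller of this predicate in the tree (none is visible here) that relied on the old meaning will now see false once stderr has been redirected to a file, so those call sites are worth a quick audit. I would add above the definition: `/* True only while log output goes to the real stderr (fd 2); false once stderr has been redirected to a file, so callers may then repoint fd 2 without losing log output. */`. The redirection that changes log_stderr_fd presumably lives in the function introduced by the last context line, outside this hunk.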
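--- a/ssh.c
+++ b/ssh.c
@@ -1392,7 +1392,7 @@ static void
 control_persist_detach(void)
 {
  pid_t pid;
- int devnull;
+ int devnull, keep_stderr;
 
  debug("%s: backgrounding master process", __func__);
 
@@ -1423,8 +1423,10 @@ control_persist_detach(void)
  error("%s: open(\"/dev/null\"): %s", __func__,
  strerror(errno));
  } else {
+ keep_stderr = log_is_on_stderr() && debug_flag;
  if (dup2(devnull, STDIN_FILENO) == -1 ||
- dup2(devnull, STDOUT_FILENO) == -1)
+ dup2(devnull, STDOUT_FILENO) == -1 ||
+ (!keep_stderr && dup2(devnull, STDERR_FILENO) == -1))
  error("%s: dup2: %s", __func__, strerror(errno));
  if (devnull > STDERR_FILENO)
  close(devnull);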
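Review bot: The new keep_stderr assignment at line 1426 decides whether the detached master keeps the caller's fd 2, but nothing in the hunk says why, and the consequence is easy to miss: when logging is on stderr and debug_flag is unset, fd 2 becomes /dev/null, so every later error() from the ControlPersist master is discarded unless logging goes to a file or syslog. I would document that at the assignment: `/* Keep the real stderr only when debugging to it; otherwise send it to /dev/null like stdin/stdout so the detached master no longer holds the caller's stderr. Later error() output is then lost unless logging goes to a file or syslog. */`. The short-circuit chain still means a failed dup2 of stdin leaves stdout and stderr untouched, but that ordering predates this change. control_persist_detach() continues past the end of this hunk.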