4 files changed, 65 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 8da19debc..782b862df 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-abde8dda29c2db2405d6fbca2fe022430e2c1177
+751d1f6494fb3ffd75188de7390c28725a5b91a6
-abde8dda29c2db2405d6fbca2fe022430e2c1177
+751d1f6494fb3ffd75188de7390c28725a5b91a6
 f0329aac23c61e1a5197d6d57349a63f459bccb0
 f0329aac23c61e1a5197d6d57349a63f459bccb0
 openssh_7.2p2.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 5aa526a6a..1e1229042 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,9 @@ openssh (1:7.2p2-6) UNRELEASED; urgency=medium
    LP #1588457).
  * CVE-2016-6210: Mitigate user enumeration via covert timing channel
    (closes: #831902).
+  * Backport upstream patch to close ControlPersist background process
+    stderr when not in debug mode or when logging to a file or syslog
+    (closes: #714526).
 -- Colin Watson <cjwatson@debian.org>  Sat, 30 Apr 2016 11:29:20 +0100
diff --git a/debian/patches/control-persist-close-stderr.patch b/debian/patches/control-persist-close-stderr.patch
new file mode 100644
index 000000000..f800c0d13
--- /dev/null
+++ b/debian/patches/control-persist-close-stderr.patch
@@ -0,0 +1,59 @@
+From 751d1f6494fb3ffd75188de7390c28725a5b91a6 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Apr 2016 08:07:53 +0000
+Subject: upstream commit
+close ControlPersist background process stderr when not
+ in debug mode or when logging to a file or syslog. bz#1988 ok dtucker
+Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d2d6bf864e52af8491a60dd507f85b74361f5da3
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1988
+Bug-Debian: https://bugs.debian.org/714526
+Last-Update: 2016-07-22
+Patch-Name: control-persist-close-stderr.patch
+---
+ log.c | 2 +-
+ ssh.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+diff --git a/log.c b/log.c
+index e68b84a..6c59641 100644
+--- a/log.c
+++ b/log.c
+@@ -343,7 +343,7 @@ log_change_level(LogLevel new_log_level)
+ int
+ log_is_on_stderr(void)
+ {
+-       return log_on_stderr;
+       return log_on_stderr && log_stderr_fd == STDERR_FILENO;
+ }
+ 
+ /* redirect what would usually get written to stderr to specified file */
+diff --git a/ssh.c b/ssh.c
+index 314dd52..af39e72 100644
+--- a/ssh.c
+++ b/ssh.c
+@@ -1392,7 +1392,7 @@ static void
+ control_persist_detach(void)
+ {
+        pid_t pid;
+-       int devnull;
+       int devnull, keep_stderr;
+ 
+        debug("%s: backgrounding master process", __func__);
+ 
+@@ -1423,8 +1423,10 @@ control_persist_detach(void)
+                error("%s: open(\"/dev/null\"): %s", __func__,
+                    strerror(errno));
+        } else {
+               keep_stderr = log_is_on_stderr() && debug_flag;
+                if (dup2(devnull, STDIN_FILENO) == -1 ||
+-                   dup2(devnull, STDOUT_FILENO) == -1)
+                   dup2(devnull, STDOUT_FILENO) == -1 ||
+                   (!keep_stderr && dup2(devnull, STDERR_FILENO) == -1))
+                        error("%s: dup2: %s", __func__, strerror(errno));
+                if (devnull > STDERR_FILENO)
+                        close(devnull);
diff --git a/debian/patches/series b/debian/patches/series
index 363475c20..d8ea2890b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -30,3 +30,4 @@ unbreak-certificate-auth.patch
 CVE-2016-6210-1.patch
 CVE-2016-6210-2.patch
 CVE-2016-6210-3.patch
+control-persist-close-stderr.patch

diff --git a/debian/.git-dpm b/debian/.git-dpm index 8da19debc..782b862df 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	abde8dda29c2db2405d6fbca2fe022430e2c1177	2	751d1f6494fb3ffd75188de7390c28725a5b91a6
3	abde8dda29c2db2405d6fbca2fe022430e2c1177	3	751d1f6494fb3ffd75188de7390c28725a5b91a6
4	f0329aac23c61e1a5197d6d57349a63f459bccb0	4	f0329aac23c61e1a5197d6d57349a63f459bccb0
5	f0329aac23c61e1a5197d6d57349a63f459bccb0	5	f0329aac23c61e1a5197d6d57349a63f459bccb0
6	openssh_7.2p2.orig.tar.gz	6	openssh_7.2p2.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 5aa526a6a..1e1229042 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -11,6 +11,9 @@ openssh (1:7.2p2-6) UNRELEASED; urgency=medium
11	LP #1588457).	11	LP #1588457).
12	* CVE-2016-6210: Mitigate user enumeration via covert timing channel	12	* CVE-2016-6210: Mitigate user enumeration via covert timing channel
13	(closes: #831902).	13	(closes: #831902).
		14	* Backport upstream patch to close ControlPersist background process
		15	stderr when not in debug mode or when logging to a file or syslog
		16	(closes: #714526).
14		17
15	-- Colin Watson <cjwatson@debian.org> Sat, 30 Apr 2016 11:29:20 +0100	18	-- Colin Watson <cjwatson@debian.org> Sat, 30 Apr 2016 11:29:20 +0100
16		19


diff --git a/debian/patches/control-persist-close-stderr.patch b/debian/patches/control-persist-close-stderr.patch new file mode 100644 index 000000000..f800c0d13 --- /dev/null +++ b/debian/patches/control-persist-close-stderr.patch
@@ -0,0 +1,59 @@
		1	From 751d1f6494fb3ffd75188de7390c28725a5b91a6 Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Fri, 29 Apr 2016 08:07:53 +0000
		4	Subject: upstream commit
		5
		6	close ControlPersist background process stderr when not
		7	in debug mode or when logging to a file or syslog. bz#1988 ok dtucker
		8
		9	Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
		10
		11	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d2d6bf864e52af8491a60dd507f85b74361f5da3
		12	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1988
		13	Bug-Debian: https://bugs.debian.org/714526
		14	Last-Update: 2016-07-22
		15
		16	Patch-Name: control-persist-close-stderr.patch
		17	---
		18	log.c \| 2 +-
		19	ssh.c \| 6 ++++--
		20	2 files changed, 5 insertions(+), 3 deletions(-)
		21
		22	diff --git a/log.c b/log.c
		23	index e68b84a..6c59641 100644
		24	--- a/log.c
		25	+++ b/log.c
		26	@@ -343,7 +343,7 @@ log_change_level(LogLevel new_log_level)
		27	int
		28	log_is_on_stderr(void)
		29	{
		30	- return log_on_stderr;
		31	+ return log_on_stderr && log_stderr_fd == STDERR_FILENO;
		32	}
		33
		34	/* redirect what would usually get written to stderr to specified file */
		35	diff --git a/ssh.c b/ssh.c
		36	index 314dd52..af39e72 100644
		37	--- a/ssh.c
		38	+++ b/ssh.c
		39	@@ -1392,7 +1392,7 @@ static void
		40	control_persist_detach(void)
		41	{
		42	pid_t pid;
		43	- int devnull;
		44	+ int devnull, keep_stderr;
		45
		46	debug("%s: backgrounding master process", __func__);
		47
		48	@@ -1423,8 +1423,10 @@ control_persist_detach(void)
		49	error("%s: open(\"/dev/null\"): %s", __func__,
		50	strerror(errno));
		51	} else {
		52	+ keep_stderr = log_is_on_stderr() && debug_flag;
		53	if (dup2(devnull, STDIN_FILENO) == -1 \|\|
		54	- dup2(devnull, STDOUT_FILENO) == -1)
		55	+ dup2(devnull, STDOUT_FILENO) == -1 \|\|
		56	+ (!keep_stderr && dup2(devnull, STDERR_FILENO) == -1))
		57	error("%s: dup2: %s", __func__, strerror(errno));
		58	if (devnull > STDERR_FILENO)
		59	close(devnull);


diff --git a/debian/patches/series b/debian/patches/series index 363475c20..d8ea2890b 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -30,3 +30,4 @@ unbreak-certificate-auth.patch
30	CVE-2016-6210-1.patch	30	CVE-2016-6210-1.patch
31	CVE-2016-6210-2.patch	31	CVE-2016-6210-2.patch
32	CVE-2016-6210-3.patch	32	CVE-2016-6210-3.patch
		33	control-persist-close-stderr.patch