aborted (core dumped) when using ConnectTimeout > 2147483

Bug #1903516 reported by Bert Hekman
This bug affects 1 person
Affects            Status         Importance   Assigned to     Milestone
portable OpenSSH   Unknown        Unknown
openssh (Ubuntu)   Fix Released   Low          Unassigned
Bionic             Fix Released   Low          Athos Ribeiro
Focal              Fix Released   Low          Athos Ribeiro
Impish             Won't Fix      Low          Unassigned
Jammy              Fix Released   Low          Unassigned

Bug Description

[Impact]

Setting ConnectTimeout to a value higher than INT_MAX/1000 causes the ssh client to crash. The crash is due to an integer overflow, which was fixed upstream. The upstream patch, proposed for this SRU, caps the effective value for that option at INT_MAX/1000.

While use cases triggering the bug may be uncommon, the patch is straightforward and the fix could be staged for the next time an upload is needed.

[Test Plan]

Running

ssh -o "ConnectTimeout=$(perl -e 'use POSIX; my $max = int(POSIX::INT_MAX/1000)+1; print "$max\n";')" localhost

triggers the error. In this case, the ssh client will crash and

Aborted

will be printed to stderr.

By applying the proposed fix, running the same command should allow the ssh connection to proceed to the authentication steps.

[Where problems could occur]

Most problems would manifest due to rebuilding the package (e.g., dependency changes). Since this proposal is to stage these SRUs, such risk is being deferred to be shared with the next, more critical, upload.

[Other Info]

All the SRUs proposed here should be staged due to the low priority nature of the bug.

[Original bug report]

The ssh client fails with the message "Aborted (core dumped)" when setting the ConnectTimeout to 2147484 or higher.

lsb_release: Linux Mint 20 (but also tested this on latest ubuntu:20.04 docker container)
openssh-client version: 1:8.2p1-4ubuntu0.1

I expected that either the connect timeout would be used correctly, or that it would fail with a proper error message saying the connect timeout can't be higher than 2147483.

What happened:

$ ssh -o "ConnectTimeout=2147484" localhost
Aborted (core dumped)
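
The overflow described under [Impact], as an added C illustration (not part of the original report and not the OpenSSH or Ubuntu patch code). It assumes a 32-bit int and the seconds-to-milliseconds conversion that the INT_MAX/1000 limit implies; the names wrapped_ms, capped_ms and parse_timeout_sec are hypothetical. It shows the value a wrapped conversion yields, the capping behaviour of the fix, and the range check with an error that the reporter expected.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustration only (hypothetical names, 32-bit int assumed).
 * Largest ConnectTimeout in seconds whose millisecond value fits an int. */
#define MAX_TIMEOUT_SEC (INT_MAX / 1000)

/* Value a 32-bit two's-complement int holds after seconds * 1000 wraps.
 * Computed in wider/unsigned types: signed overflow itself is undefined. */
int32_t wrapped_ms(int seconds)
{
    uint32_t u = (uint32_t)((long long)seconds * 1000);
    return u <= INT32_MAX ? (int32_t)u : (int32_t)((long long)u - 4294967296LL);
}

/* Capping approach from [Impact]; expects seconds >= 0. */
int capped_ms(int seconds)
{
    if (seconds > MAX_TIMEOUT_SEC)
        seconds = MAX_TIMEOUT_SEC;
    return seconds * 1000;
}

/* Rejecting approach the reporter asked for: 0 on success, -1 on bad input. */
int parse_timeout_sec(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0 || v > MAX_TIMEOUT_SEC)
        return -1;
    *out = (int)v;
    return 0;
}

int main(void)
{
    int sec;
    printf("wrapped(2147484) = %d ms\n", (int)wrapped_ms(2147484));
    printf("capped(2147484)  = %d ms\n", capped_ms(2147484));
    printf("parse(\"2147484\") = %d\n", parse_timeout_sec("2147484", &sec));
    printf("parse(\"2147483\") = %d\n", parse_timeout_sec("2147483", &sec));
    return 0;
}
```

With a 32-bit int, 2147484 seconds wraps to a negative millisecond count, while 2147483 is the last value that converts cleanly.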

Lucas Kanashiro (lucaskanashiro) wrote :

Thank you for taking the time to file a bug report.

Could you please provide the core dump file to help us investigate your problem?

Since there is not enough information in your report to begin triage or to
differentiate between a local configuration problem and a bug in Ubuntu, I
am marking this bug as "Incomplete". We would be grateful if you would:
provide a more complete description of the problem, explain why you
believe this is a bug in Ubuntu rather than a problem specific to your
system, and then change the bug status back to "New".

For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/community

Changed in openssh (Ubuntu):
status: New → Incomplete
Bert Hekman (demontpx) wrote :

I attached the core dump, like you asked.

Paride Legovini (paride) wrote :

Hello Bert and thanks for this bug report. I could easily reproduce the issue you described, but I think it would best be fixed upstream rather than with an Ubuntu specific patch. I filed an upstream bug report [1] and linked it to this one.

Given that triggering this bug requires a very odd setting I'm marking this report with Importance: Low. Should there be an actual use case for such a high timeout please explain it in a comment and we'll re-evaluate the bug importance. Thanks!

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=3229

Changed in openssh (Ubuntu):
importance: Undecided → Low
status: Incomplete → Triaged
Bert Hekman (demontpx) wrote :

Hi Paride,

Thanks for filing the upstream bug report. I totally agree that this bug is of low importance.

My colleague actually encountered this problem because he really didn't want an SSH tunnel to time out. He could not figure out what was causing the crash, but I found it out after some digging. So I thought it would be useful if the client would give a proper error message, so other people who might encounter this and can't figure it out will also be able to know why it crashes.

Athos Ribeiro (athos-ribeiro) wrote :

This was fixed upstream on

http://anongit.mindrot.org/openssh.git/commit/?id=819b44e8b9af6ce18d3ec7505b9f461bf7991a1f

which was released in 8.6p1.

This affects impish, focal and bionic.

tags: added: server-todo
Lena Voytek (lvoytek)
Changed in openssh (Ubuntu Jammy):
status: Triaged → Fix Released
Changed in openssh (Ubuntu Bionic):
status: New → Triaged
Changed in openssh (Ubuntu Focal):
status: New → Triaged
Changed in openssh (Ubuntu Impish):
status: New → Triaged
Lena Voytek (lvoytek)
Changed in openssh (Ubuntu Bionic):
importance: Undecided → Low
Changed in openssh (Ubuntu Focal):
importance: Undecided → Low
Changed in openssh (Ubuntu Impish):
importance: Undecided → Low
Athos Ribeiro (athos-ribeiro) wrote :

This seems to be a good case for a staged SRU given the low priority of the issue.

Changed in openssh (Ubuntu Impish):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Changed in openssh (Ubuntu Focal):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Changed in openssh (Ubuntu Bionic):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
description: updated
Changed in openssh (Ubuntu Bionic):
status: Triaged → In Progress
Changed in openssh (Ubuntu Focal):
status: Triaged → In Progress
Changed in openssh (Ubuntu Impish):
status: Triaged → In Progress
tags: added: block-proposed-impish
Brian Murray (brian-murray) wrote :

Given that openssh occasionally has security updates I wonder how long this will last in -proposed but since the work was already done I'll accept it.

Changed in openssh (Ubuntu Impish):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-impish
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Bert, or anyone else affected,

Accepted openssh into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:8.4p1-6ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssh (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Brian Murray (brian-murray) wrote :

Hello Bert, or anyone else affected,

Accepted openssh into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:8.2p1-4ubuntu0.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssh (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Bert, or anyone else affected,

Accepted openssh into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:8.4p1-6ubuntu2.2)

All autopkgtests for the newly accepted openssh (1:8.4p1-6ubuntu2.2) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.47.91-1ubuntu1 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:8.2p1-4ubuntu0.5)

All autopkgtests for the newly accepted openssh (1:8.2p1-4ubuntu0.5) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

snapd/2.54.3+20.04.1ubuntu0.2 (ppc64el, s390x, arm64, amd64)
gvfs/1.44.1-1ubuntu1 (ppc64el, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:7.6p1-4ubuntu0.7)

All autopkgtests for the newly accepted openssh (1:7.6p1-4ubuntu0.7) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

snapd/2.54.3+18.04.2ubuntu0.2 (arm64, s390x, ppc64el, amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Athos Ribeiro (athos-ribeiro) wrote :

I performed verification for bionic, impish, and focal in the following fashion:

- Launched a new lxd container
- Ran `ssh -o "ConnectTimeout=$(perl -e 'use POSIX; my $max = int(POSIX::INT_MAX/1000)+1; print "$max\n";')" localhost` to verify it triggers the bug. All containers returned "Aborted (core dumped)"
- Enabled -proposed and upgraded ssh
- Ran `ssh -o "ConnectTimeout=$(perl -e 'use POSIX; my $max = int(POSIX::INT_MAX/1000)+1; print "$max\n";')" localhost` again, this time to confirm the proposed fix.

To which they returned:

The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:$SOME_HASH.
Are you sure you want to continue connecting [...]? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
root@localhost: Permission denied (publickey).

Confirming the fix did not trigger the error.

tags: added: verification-done verification-done-bionic verification-done-focal verification-done-impish
removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-impish
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:8.2p1-4ubuntu0.5

---------------
openssh (1:8.2p1-4ubuntu0.5) focal; urgency=medium

  * d/p/fix-connect-timeout-overflow.patch: prevent ConnectTimeout overflow.
    (LP: #1903516)

  [ Sergio Durigan Junior ]
  * d/p/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch:
    Preserve group/world read permissions on known_hosts. (LP: #1966591)

 -- Athos Ribeiro <email address hidden> Wed, 30 Mar 2022 10:03:15 -0300

Changed in openssh (Ubuntu Focal):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for openssh has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:7.6p1-4ubuntu0.7

---------------
openssh (1:7.6p1-4ubuntu0.7) bionic; urgency=medium

  * d/p/fix-connect-timeout-overflow.patch: prevent ConnectTimeout overflow.
    (LP: #1903516)

  [ Sergio Durigan Junior ]
  * d/p/lp1966591-upstream-preserve-group-world-read-permission-on-kno.patch:
    Preserve group/world read permissions on known_hosts. (LP: #1966591)

 -- Athos Ribeiro <email address hidden> Wed, 30 Mar 2022 10:17:14 -0300

Changed in openssh (Ubuntu Bionic):
status: Fix Committed → Fix Released
Athos Ribeiro (athos-ribeiro) wrote :

Since the only thing left here is the staged SRU for impish, I am unsubscribing the server team and removing the server-todo tag from this bug.

tags: removed: server-todo
Changed in openssh (Ubuntu Impish):
assignee: Athos Ribeiro (athos-ribeiro) → nobody
Steve Langasek (vorlon) wrote :

impish has gone EOL without any further security updates to openssh, therefore I am removing this package from -proposed and closing this bug wontfix as part of the EOL process.

Changed in openssh (Ubuntu Impish):
status: Fix Committed → Won't Fix
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssh/1:8.4p1-6ubuntu2.2)

All autopkgtests for the newly accepted openssh (1:8.4p1-6ubuntu2.2) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

snapd/2.54.3+21.10.1ubuntu0.2 (ppc64el, arm64, amd64, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#openssh

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!
