openssh bugs - Mar 2018 - [Bug 2837] New: ssh-agent closes listening socket on error in handle_socket_read()

https://bugzilla.mindrot.org/show_bug.cgi?id=2837

            Bug ID: 2837
           Summary: ssh-agent closes listening socket on error in
                    handle_socket_read()
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: lukas.kuster at adnovum.ch

Created attachment 3132
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3132&action=edit
patch that removes close_socket() of listening socket.

Hi all,

The ssh-agent closes the listening socket if handle_socket_read() fails
for any reason. This makes the agent process unusable if the getpeereid
check fails. Older versions before 7.6p1 used to not close the
listening socket.

You can reproduce this bug by executing agent-getpeereid.sh test but
instead of killing the agent process at the end, execute "ssh-add -l"
again with a privileged user. You will notice that the connection will
be refused because the listening socket was closed by the agent.

On our AIX test server we had a more severe issue because of this bug.
The ssh client tries to check if a ssh-agent is present by connecting
to it and immediately closing the socket again. On the agent side, this
can cause the call to getpeereid() to fail with the errormessage
"Connection closed" causing the listening socket to be closed as well,
making any future connections to the agent process impossible.

Thanks

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2837

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |djm at mindrot.org
             Blocks|                            |2852

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
oops - well spotted. I'll take a look.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2837

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
This has been committed on the master and V_7_7 branches. Thanks!

commit 260ede2787fe80b18b8d5920455b4fb268519c7d
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Apr 9 23:54:49 2018 +0000

    upstream: don't kill ssh-agent's listening socket entriely if we

    fail to accept a connection; bz#2837, patch from Lukas Kuster

    OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2837

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close RESOLVED bugs with the release of openssh-8.0

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.