bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-31 10:43 UTC
[Bug 2702] New: ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
Bug ID: 2702
Summary: ssh compiled with --with-ldns segfaults during
known_hosts parsing
Product: Portable OpenSSH
Version: 7.5p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: aranea at aixah.de
Created attachment 2968
--> https://bugzilla.mindrot.org/attachment.cgi?id=2968&action=edit
Backtrace of ssh 7.5p1 segfaulting
When OpenSSH-7.5p1 is compiled with "./configure --with-ldns", ssh
<somehost> segfaults if the host's key is already recorded in
known_hosts.
The current head of the master branch is affected too. Builds with
--without-ldns don't exhibit the problem, and neither does
OpenSSH-7.4p1 (according to git bisect, the commit 523db854 "prefer to
use ldns-config to find libldns" introduced the bug).
My ssh_config is empty, and I've tested this against a variety of
sshd's (including github.com). I'll attach a backtrace; if you need a
coredump or information about my build environment, please let me know.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-31 11:06 UTC
[Bug 2702] ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
--- Comment #1 from Luis Ressel <aranea at aixah.de> ---
Interestingly, running "./configure --with-ldns" before the first bad
commit reports "libldns support: no"; hence it's likely that the real
bug is older and it's just been masked so far by configure not finding
the ldns library.
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-31 11:25 UTC
[Bug 2702] ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
--- Comment #2 from Luis Ressel <aranea at aixah.de> ---
Sorry, please ignore my previous comment. I mixed up the logs.
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-31 12:03 UTC
[Bug 2702] ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
--- Comment #3 from Luis Ressel <aranea at aixah.de> ---
Created attachment 2969
--> https://bugzilla.mindrot.org/attachment.cgi?id=2969&action=edit
Build log for last good commit c998bf0a with --with-ldns
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-31 12:04 UTC
[Bug 2702] ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
--- Comment #4 from Luis Ressel <aranea at aixah.de> ---
Created attachment 2970
--> https://bugzilla.mindrot.org/attachment.cgi?id=2970&action=edit
Build log for first bad commit 523db854 with --with-ldns
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-31 12:13 UTC
[Bug 2702] ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
--- Comment #5 from Luis Ressel <aranea at aixah.de> ---
Created attachment 2971
--> https://bugzilla.mindrot.org/attachment.cgi?id=2971&action=edit
Build log for first bad commit 523db854 with --without-ldns
I've attached some build logs. Looking at the diff between the two logs
for the bad commit, it looks like --with-ldns confuses ./configure into
finding some functions provided by libbsd.so; this causes problems
later on because the compiled binaries don't link against this library.
I'm a bit clueless why this happens, since I haven't found any relevant
libraries which link against libbsd (in particular, libldns doesn't
link against it).
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-31 12:30 UTC
[Bug 2702] ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
Luis Ressel <aranea at aixah.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|ssh |Build system
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-31 13:34 UTC
[Bug 2702] ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
--- Comment #6 from Luis Ressel <aranea at aixah.de> ---
Okay, I think I've figured this out. When I enable --with-ldns,
./configure adds the output of "ldns-config --libs" (that's
"-Wl,-O1 -Wl,--as-needed -L/usr/lib64 -lcrypto -lldns") to all of its
internal gcc calls.
On my system, libcrypto.so is provided by libressl and has some
internal symbols (strlcat, strlcpy, reallocarray, explicit_bzero,
timingsafe_bcmp and reallocarray) which configure searches for and
wouldn't otherwise have found. Thus, ssh uses libressl's version of
these functions instead of its own versions in the openbsd-compat/
folder. This somehow causes my segfault.
I have no idea how to fix this, though, since the autotools are a huge
blackbox to me. Could we prevent configure from adding ${ldns-config
--libs} to all its compiler calls (and instead only add it to the
ldns-related compiler calls)? This sounds like a messy hack, though...
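The log comparison described in Comments #5 and #6, as an added example that is not part of the original thread or of OpenSSH: a shell function that lists the `checking for <function>... yes/no` results that differ between two configure logs. The log contents are constructed for illustration, and `flipped_checks` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the bug thread or OpenSSH): list the configure
# function checks whose result differs between two build logs, for example
# one from --without-ldns and one from --with-ldns.

# flipped_checks BASE_LOG OTHER_LOG
# Prints "NAME BASE_RESULT -> OTHER_RESULT" for every autoconf line of the
# form "checking for NAME... yes|no" whose result differs in OTHER_LOG.
flipped_checks() {
    awk '
        /^checking for [A-Za-z0-9_]+\.\.\. / {
            name = $3
            sub(/\.\.\.$/, "", name)
            result = $NF                  # also covers "(cached) yes"
            if (result != "yes" && result != "no") next
            if (FILENAME == ARGV[1]) base[name] = result
            else if ((name in base) && base[name] != result)
                print name, base[name], "->", result
        }
    ' "$1" "$2"
}

# demo: run flipped_checks on two constructed logs. The function names are
# the ones listed in Comment #6; the yes/no values are made up.
demo() {
    dir=$(mktemp -d) || return 1
    for f in strlcat strlcpy reallocarray explicit_bzero timingsafe_bcmp; do
        echo "checking for $f... no"  >> "$dir/without-ldns.log"
        echo "checking for $f... yes" >> "$dir/with-ldns.log"
    done
    # A check unaffected by the extra libraries stays out of the report.
    echo "checking for getaddrinfo... yes" >> "$dir/without-ldns.log"
    echo "checking for getaddrinfo... (cached) yes" >> "$dir/with-ldns.log"
    flipped_checks "$dir/without-ldns.log" "$dir/with-ldns.log"
    rm -rf "$dir"
}

demo
```

On real build logs, call `flipped_checks without-ldns.log with-ldns.log`; a function that only turns to `yes` when the extra libraries are on the link line is a candidate for the symbol mix-up described in Comment #6.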
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 05:35 UTC
[Bug 2702] ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
I think, generally, if one of your dependencies is using a particular
version/vendor libcrypto.so then you have to use it everywhere and not
try to mix and match.
I.e. either recompile ldns against LibreSSL or compile OpenSSH against
the same libcrypto/headers as ldns
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 07:24 UTC
[Bug 2702] ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
closing; OpenSSH can't detect conflicts in dependent libraries itself.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:54 UTC
[Bug 2702] ssh compiled with --with-ldns segfaults during known_hosts parsing
https://bugzilla.mindrot.org/show_bug.cgi?id=2702
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #9 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle