Bug 621428 - net-misc/openssh-7.5_p1-r1 ssh segfaults with USE="libressl ldns pie"
Summary: net-misc/openssh-7.5_p1-r1 ssh segfaults with USE="libressl ldns pie"
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: libressl-support
Reported: 2017-06-10 19:47 UTC by jo77ah
Modified: 2019-03-09 09:02 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (emerge-info.txt, 6.60 KB, text/plain)
2017-06-10 19:47 UTC, jo77ah
backtrace of ssh hidden.tld (ssh-bt.txt, 2.45 KB, text/plain)
2017-06-10 19:47 UTC, jo77ah
output of ssh -vvv hidden.tld (ssh-log.txt, 1.06 KB, text/plain)
2017-06-10 19:48 UTC, jo77ah
Patch for openssh-7.6_p1-r5.ebuild (openssh-7.6_p1-r5.ebuild.patch, 546 bytes, patch)
2018-04-19 22:53 UTC, Conway S. Smith
Patch for openssh-7.7_p1-r1.ebuild (openssh-7.7_p1-r1.ebuild.patch, 503 bytes, patch)
2018-04-19 22:53 UTC, Conway S. Smith

Description jo77ah 2017-06-10 19:47:14 UTC
Created attachment 475938 [details]
emerge --info

If openssh is compiled with USE="libressl ldns pie", it segfaults in record_hostkey(), when `ssh ip` is called. See backtrace and log.

If compiled with USE="libressl ldns" or USE="libressl pie", no segfault occurs.

Other, I think, not relevant USE-flags are: debug hpn libedit ssl.

After some searches, I think https://bugzilla.mindrot.org/show_bug.cgi?id=2702 is kind of relevant.
Comment 1 jo77ah 2017-06-10 19:47:58 UTC
Created attachment 475940 [details]
backtrace of ssh hidden.tld
Comment 2 jo77ah 2017-06-10 19:48:45 UTC
Created attachment 475942 [details]
output of ssh -vvv hidden.tld
Comment 3 Hendrik v. Raven 2017-11-09 08:58:59 UTC
I can confirm this bug. Could you please increase the priority or at least block this combination?
It also affects sshd, possibly blocking remote access to a server, IMHO making this a critical bug.
Comment 4 Pavel Volkov 2018-02-10 20:24:15 UTC
I just hit this with net-misc/openssh-7.6_p1-r3 and switching off USE=pie didn't work out, I had to turn off USE=ldns and ldns was a nice feature, I will miss it.
Comment 5 Pavel Volkov 2018-02-10 20:26:13 UTC
Why don't you add a block to bug #561854?
Comment 6 Pavel Volkov 2018-02-11 08:38:12 UTC
See how this was fixed in FreeBSD:

https://svnweb.freebsd.org/ports?view=revision&revision=452358
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-04-16 23:46:44 UTC
I cannot reproduce this with libressl-2.6.0 or 2.6.4 which are the latest stable.  Please try the latest OpenSSH and LibreSSL.  If you still have issues please let us know.
Comment 8 Pavel Volkov 2018-04-18 21:40:34 UTC
Yes, it still segfaults.

openssh 7.7_p1-r1
libressl 2.6.4

USE="X ldns libressl pam pie ssl -X509 -audit -bindist -debug -hpn -kerberos (-ldap) -libedit -livecd -sctp (-selinux) -skey -static {-test}"
Comment 9 Conway S. Smith 2018-04-19 22:51:12 UTC
I am also still getting segfaults w/ both openssh-7.6_p1-r5 & openssh-7.7_p1-r1 in the Gentoo Portage tree w/ USE="libressl ldns".

However, based on the FreeBSD fix referenced in comment #6 I have patched ebuilds in my local overlay that do not segfault.  All I changed was $(use_with ldns) to $(use_with ldns ldns ${EROOT}).  For some reason this makes configure omit the extra/repeated -l flags (e.g. -lcrypto gets repeated) that per the FreeBSD fix cause the segfaults.
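
Added example, not part of the bug thread or the Gentoo ebuild: a shell illustration of the two things comment 9 describes, namely which configure argument each `use_with` form produces and how to spot repeated `-l` flags in a link line. The `use_with` here is a stand-in written from its PMS description; `dup_libs`, the `USE` and `EROOT` values and both link lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed stand-ins for the ebuild environment (not real Portage state).
USE="ldns libressl pie"
EROOT="/"

# Stand-in for use_with, following its PMS description:
#   use_with <flag> [<opt> [<value>]]
# prints --with-<opt>[=<value>] when <flag> is in USE, else --without-<opt>.
use_with() {
    flag=$1
    opt=${2:-$1}
    case " $USE " in
        *" $flag "*)
            if [ "$#" -ge 3 ]; then
                echo "--with-$opt=$3"
            else
                echo "--with-$opt"
            fi ;;
        *)
            echo "--without-$opt" ;;
    esac
}

# Hypothetical helper: print every -l flag that occurs more than once
# in a link command line (space-separated, sorted).
dup_libs() {
    set -- $(printf '%s\n' "$1" | tr -s ' ' '\n' | grep '^-l' | sort | uniq -d)
    echo "$*"
}

# Constructed link lines: one with -lcrypto repeated, one without repeats.
SAMPLE_OVERLINKED="cc -o ssh ssh.o -L. -lssh -lopenbsd-compat -lcrypto -lutil -lz -lldns -lcrypto"
SAMPLE_CLEAN="cc -o ssh ssh.o -L. -lssh -lopenbsd-compat -lldns -lcrypto -lutil -lz"

echo "before: ./configure $(use_with ldns)"
echo "after:  ./configure $(use_with ldns ldns "$EROOT")"
echo "repeated in overlinked line: $(dup_libs "$SAMPLE_OVERLINKED")"
echo "repeated in clean line:      $(dup_libs "$SAMPLE_CLEAN")"
```

Running `dup_libs` over the real link command from a build log shows whether a given ebuild revision still overlinks.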
Comment 10 Conway S. Smith 2018-04-19 22:53:20 UTC
Created attachment 528064 [details, diff]
Patch for openssh-7.6_p1-r5.ebuild
Comment 11 Conway S. Smith 2018-04-19 22:53:59 UTC
Created attachment 528066 [details, diff]
Patch for openssh-7.7_p1-r1.ebuild
Comment 12 Stefan Strogin gentoo-dev 2019-03-06 17:27:40 UTC
Got segfault on "ssh <ip>" with USE="libressl ldns". net-misc/openssh-7.9_p1-r3, dev-libs/libressl-2.8.3.
Comment 13 Larry the Git Cow gentoo-dev 2019-03-06 23:56:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=249dd650a66c66d870bf264aa146dad33c23527b

commit 249dd650a66c66d870bf264aa146dad33c23527b
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-06 23:11:53 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-06 23:55:55 +0000

    net-misc/openssh: fix ldns overlinking when LibreSSL is used
    
    Link: https://svnweb.freebsd.org/ports?view=revision&revision=452358
    Bug: https://bugs.gentoo.org/621428
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/openssh/openssh-7.9_p1-r4.ebuild | 468 ++++++++++++++++++++++++++++++
 1 file changed, 468 insertions(+)
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-06 23:58:42 UTC
Please test =net-misc/openssh/openssh-7.9_p1-r4.
Comment 15 Stefan Strogin gentoo-dev 2019-03-07 01:43:39 UTC
Thank you Thomas! Unfortunately I could not yet get DNSSEC (and SSHFP) to work, but at least it does not segfault now, just

debug3: verify_host_key_dns
DNS lookup error: general failure

and then authentication goes as usual.
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-07 02:03:42 UTC
I see

> DNS lookup error: general failure

in debug log when trying to connect to a non-DNSSEC enabled host when using OpenSSL, too. So this could be normal.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-07 15:06:48 UTC
Confirmed,

> DNS lookup error: general failure

is not an error in code. Just the error returned when the requested DNS entries are missing.
Comment 18 Pavel Volkov 2019-03-09 08:49:26 UTC
It seems to me that OpenSSH is now able to validate DNSSEC records in Linux even without ldns.
I use systemd-resolved as system resolver.
Comment 19 Pavel Volkov 2019-03-09 09:02:56 UTC
Actually, it's more like ssh client now trusts secure flag received from resolver which it didn't trust before and asked for confirmation to add server key to .known_hosts.