# IMPORTANT: new ssh bug (with fix inside)

## xming

see

https://bugs.gentoo.org/show_bug.cgi?id=28873

There may already be exploits in the wild

http://lists.netsys.com/pipermail/full-disclosure/2003-September/thread.html#10103

http://lists.netsys.com/pipermail/full-disclosure/2003-September/010116.html

http://slashdot.org/articles/03/09/16/1327248.shtml?tid=126&tid=172

for all the impatient (the ebuild update isn't there yet)

```
cd /usr/portage/net-misc/openssh/
cp openssh-3.6.1_p2.ebuild openssh-3.7_p1.ebuild
emerge -f openssh-3.7_p1.ebuild
ebuild openssh-3.7_p1.ebuild digest
emerge openssh-3.7_p1.ebuild
```

EDIT:

```
/etc/init.d/sshd restart
```

Patch your machines NOW

Last edited by xming on Tue Sep 16, 2003 4:21 pm; edited 3 times in total

----------

## xming

Can someone make this sticky? Or do we have to post like zombies to get this to the top  :Smile: 

xming

----------

## viperlin

I've closed external ssh access on my router, will wait until it's in portage properly (at least masked)

----------

## HaeMaker

Just to confirm, the problem is with SSH and not the underlying SSL?

----------

## snutte

```
/etc/init.d/sshd stop
```

And waiting for update in portage.  :Wink: 

----------

## shadow255

Thanks for the instructions, Xming!  Worked flawlessly here...  otherwise, I might have been doing what some others have posted here   :Twisted Evil: 

----------

## Nahamu

*xming wrote:*

> Patch your machines NOW

Did anyone else have a compilation failure?

EDIT: My solution -- I had enabled kerberos and ipv6 for whatever reason.  I unset those flags (which I don't really need) and it compiled fine.  Hope this helps someone

Last edited by Nahamu on Tue Sep 16, 2003 5:12 pm; edited 2 times in total

----------

## taveren

Just did an rsync (1:05pm EST) and a new OpenSSH is available in portage.

----------

## octavianh

I just did an emerge sync and got the latest ebuilds and then I unmerged my old version and emerged the new one and I get this every time I try to run ssh:

```
Segmentation fault (core dumped)
```

Does anyone know why this is happening?

----------

## arand

I did the same, now it is giving me this.

```
--13:33:44--  ftp://ftp.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/openssh-3.7p1.tar.gz
  (try: 5) => `/usr/portage/distfiles/openssh-3.7p1.tar.gz'
Connecting to ftp.openbsd.org[129.128.5.191]:21... connected.
Logging in as anonymous ... 
Error in server greeting.
Giving up.
```

I guess I will have to wait or find another server.  

Thanks for getting this ebuild up so fast.

----------

## shadow255

*octavianh wrote:*

> I just did an emerge sync and got the latest ebuilds and then I unmerged my old version and emerged the new one and I get this every time I try to run ssh:
>
> ```
> Segmentation fault (core dumped)
> ```
> ...

When encountering trouble with ssh, I always try to run it with debugging messages.  Do you get more output if you run ssh with -v?  Also, I would recommend against unmerging ssh before upgrading - if you had made any configuration choices in your ssh_config or sshd_config config files at any point in the past, they're gone now.

----------

## viperlin

*taveren wrote:*

> Just did an rsync (1:05pm EST) and a new OpenSSH is available in portage.

I just did one about 1 minute ago and it's not... (the ebuild is not in /usr/portage/net-misc/openssh/ )

----------

## octavianh

This is what I'm getting:

```
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060af
debug1: Reading configuration data /etc/ssh/ssh_config
Segmentation fault
```

I even tried reinstalling the old version again and it is also doing the same thing.  I checked the ssh_config file and it IS there and there is nothing in it except the default stuff which is all commented out.  Also, the permissions are set to 644 on the file and I'm trying this as root.

----------

## tedj

I just did an emerge sync and emerge openssh, then verified that the buffer.c file is indeed the Sept 16 one with the correct patch.  

(I have also restarted sshd and verified that it does not coredump for me. Maybe try to sync and emerge again, then do the etc-update?)  

```
# emerge sync
# emerge -p openssh
# emerge openssh
# etc-update
# /etc/init.d/sshd stop
# /etc/init.d/sshd start
```

It's there, folks.  Emerge away.

----------

## blk_jack

*octavianh wrote:*

> This is what I'm getting:
>
> ```
> OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060af
> ```
> ...

I am getting the same, no idea why.

----------

## meyerm

*Nahamu wrote:*

> My solution -- I had enabled kerberos and ipv6 for whatever reason.  I unset those flags (which I don't really need) and it compiled fine.  Hope this helps someone

It did. Thank you!  :Very Happy: 

----------

## shadow255

*octavianh wrote:*

> This is what I'm getting:
>
> ```
> OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060af
> ```
> ...

Ouch.  Perhaps there is something going on with USE flags on your system.  Can you post output from emerge --info?

----------

## paranode

*octavianh wrote:*

> This is what I'm getting:
>
> ```
> OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060af
> ```
> ...

The version you need should be openssh-3.7_p1, you are still showing the old one.
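An added check, not from any poster in this thread: a POSIX shell function that parses the `ssh -V` banner format quoted above (`OpenSSH_3.6.1p2, SSH protocols ...`) and reports whether the installed build is older than the 3.7p1 release carrying the buffer.c fix. The 3.7 threshold comes from the thread; the version-comparison helper and function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): decide from an `ssh -V` banner whether
# the installed OpenSSH predates the 3.7p1 fix discussed in this thread.
# Assumption: anything below 3.7 is the unfixed release, as the thread states.

# Print the dotted numeric version from a banner, e.g. "3.6.1" from
# "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060af".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 is strictly lower than $2 (up to 3 fields;
# a missing field counts as 0, so 3.7 == 3.7.0 and 3.7.1 > 3.7).
version_lt() {
    a="$1" b="$2" i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Return 0 if the banner shows a release older than 3.7, 1 if it is 3.7 or
# newer, and 2 if the string is not an OpenSSH banner at all.
needs_patch() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "3.7"
}

# Usage against the installed binary (ssh -V writes its banner to stderr):
# if needs_patch "$(ssh -V 2>&1)"; then echo "still on a pre-3.7 OpenSSH"; fi
```

Note that this only inspects the binary on disk; an sshd started before the upgrade keeps running the old code until it is restarted, as xming's EDIT points out.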

----------

## octavianh

First of all, I know the version is 3.6... that's cause I tried to reinstall the old one and the old one crashes also.  I'm not dumb.  Here is the info from emerge:

```
Portage 2.0.49-r4 (default-x86-1.4, gcc-3.3.1, glibc-2.3.2-r1, 2.4.20-gentoo-r6)
=================================================================
System uname: 2.4.20-gentoo-r6 i686 AMD Athlon(TM) XP 2000+
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=athlon-xp -funroll-loops -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O3 -march=athlon-xp -funroll-loops -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="sandbox ccache autoaddcvs"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="oss apm encode foomaticdb gpm libg++ mad mikmod ncurses nls spell xv gdbm berkdb slang readline bonobo tcltk tcpd perl motif -apache2 X gtk gtk2 gnome gtkhtml mozsvg alsa arts crypt cups curl gd gif imap java jpeg kde maildir mbox mcal mpeg mozilla mysql oggvorbis pdflib png postgres qt python ssl tiff truetype xml2 xmms zlib x86 dvd avi 3dnow cdr dga directfb esd evo fbcon flash gb gphoto2 imlib lcms libgda libwww mmx opengl pam quicktime samba scanner sdl slp sse svga tetex usb videos wmf"
```

Also, here is the -pv info from the specific package:

```
These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-misc/openssh-3.7_p1  -ipv6 -static +pam +tcpd -kerberos -selinux -X509 -skey
```

----------

## shadow255

*octavianh wrote:*

> First of all, I know the version is 3.6... that's cause I tried to reinstall the old one and the old one crashes also.  I'm not dumb.  Here is the info from emerge:
>
> ```
> Portage 2.0.49-r4 (default-x86-1.4, gcc-3.3.1, glibc-2.3.2-r1, 2.4.20-gentoo-r6)
> ```
> ...

The only thing I see which gives me concern is in your compiler flags.  -funroll-loops is a pretty aggressive optimization which I wouldn't normally recommend for general-purpose makes.  Try changing that in /etc/make.conf and see whether that makes a difference with openssh.  

[Removed unnecessary blather here!]  Sorry, I was reading the output from emerge --info like it was the make.conf file...

----------

## neuron

<_neuron_> damit... /me just emerge -DU openssh on unstable tree, ssh segfaulted, used last version, and it still segfaults, suggestions anyone?

<genone> gcc-3.3.1-r2 ?

<_neuron_> yeah

<genone> it's broken

<_neuron_> .... argh, don't stuff like gcc go through a bit of testing as masked before getting unmasked?

<genone> looks as if most programs compiled with -r2 segfault

----------

## viperlin

just to let everyone know the ebuild in portage is working fine for me

----------

## licor

*neuron wrote:*

> <_neuron_> damit... /me just emerge -DU openssh on unstable tree, ssh segfaulted, used last version, and it still segfaults, suggestions anyone?
>
> <genone> gcc-3.3.1-r2 ?
>
> <_neuron_> yeah
> ...

Does anyone have a way to solve this yet? (openssh 3.7p1 compiled using gcc-3.3.1-r2 coredumping)   :Confused: 

----------

## tseng

Guys having trouble with gcc-3.3.1-r2:

```
mv $(gcc-config -L)/libgcc_s.a $(gcc-config -L)/libgcc.a
```

and remerge ssh

----------

## licor

*tseng wrote:*

> Guys having trouble with gcc-3.3.1-r2:
>
> ```
> mv $(gcc-config -L)/libgcc_s.a $(gcc-config -L)/libgcc.a
> ```
>
> and remerge ssh

Thanks, worked like a charm.

----------

## C.M

Thanks tseng!    :Very Happy: 

I was really worried for a while.... What exactly did that renaming do? Should it be changed back?

/C.M

----------

## bmichaelsen

Shouldn't this be on the GLSA seen on top of the forums main page?

Björn

----------

## TehF0X

Yeah, I'm getting the segfault issue, this should probably be fixed in the ebuild (or is all I need to upgrade to the latest gcc (it's emerging right now)).

----------

## bisho

*tseng wrote:*

> Guys having trouble with gcc-3.3.1-r2:
>
> ```
> mv $(gcc-config -L)/libgcc_s.a $(gcc-config -L)/libgcc.a
> ```
>
> and remerge ssh

Thanks a lot!... It worked!

It was crashing at:

```
open("/etc/ssh/ssh_config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1159, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40000000
read(3, "#\t$OpenBSD: ssh_config,v 1.19 20"..., 4096) = 1159
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x40000000, 4096)                = 0
getpid()                                = 12848
getpid()                                = 12848
open("/dev/urandom", O_RDONLY)          = 3
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
```

So, why does moving that file solve the problem?

----------

