Please merge openssh 1:8.4p1-6 from Debian unstable

Bug #1941799 reported by William Wilson
Affects: openssh (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: William Wilson
Milestone: (none)

Bug Description

This merge is needed because there are changes in Ubuntu that are not present in Debian.

Changed in openssh (Ubuntu):
assignee: nobody → William Wilson (jawn-smith)
status: New → In Progress
Revision history for this message
William Wilson (jawn-smith) wrote :

This diff from Debian still includes the seccomp fixes pulled in for glibc 2.33, as they are still relevant with glibc 2.34. These are in upstream openssh version 8.5, so when Debian gets to 8.5 we can sync and drop the diff.

Revision history for this message
William Wilson (jawn-smith) wrote :
Changed in openssh (Ubuntu):
assignee: William Wilson (jawn-smith) → nobody
status: In Progress → Confirmed
Bryce Harrington (bryce)
tags: added: server-next
Changed in openssh (Ubuntu):
importance: Undecided → High
status: Confirmed → In Progress
assignee: nobody → William Wilson (jawn-smith)
Revision history for this message
Bryce Harrington (bryce) wrote :

Verified locally that it builds.
The dropped change was taken upstream, and the remaining delta still looks relevant to carry.
LGTM, +1.

I've added the merge changes to git-ubuntu and sponsored the upload:

$ debuild -S -sa $(git ubuntu push-for-upload)
...
Now signing changes and any dsc files...
 signfile dsc openssh_8.4p1-6ubuntu1.dsc A661100B3DAC1D4F2CAD8A54E603B2578FB8F0FB

 fixup_buildinfo openssh_8.4p1-6ubuntu1.dsc openssh_8.4p1-6ubuntu1_source.buildinfo
 signfile buildinfo openssh_8.4p1-6ubuntu1_source.buildinfo A661100B3DAC1D4F2CAD8A54E603B2578FB8F0FB

 fixup_changes dsc openssh_8.4p1-6ubuntu1.dsc openssh_8.4p1-6ubuntu1_source.changes
 fixup_changes buildinfo openssh_8.4p1-6ubuntu1_source.buildinfo openssh_8.4p1-6ubuntu1_source.changes
 signfile changes openssh_8.4p1-6ubuntu1_source.changes A661100B3DAC1D4F2CAD8A54E603B2578FB8F0FB

Successfully signed dsc, buildinfo, changes files

$ dput ubuntu ../openssh_8.4p1-6ubuntu1_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../openssh_8.4p1-6ubuntu1_source.changes: Valid signature from E603B2578FB8F0FB
Checking signature on .dsc
gpg: ../openssh_8.4p1-6ubuntu1.dsc: Valid signature from E603B2578FB8F0FB
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openssh_8.4p1-6ubuntu1.dsc: done.
  Uploading openssh_8.4p1.orig.tar.gz: done.
  Uploading openssh_8.4p1-6ubuntu1.debian.tar.xz: done.
  Uploading openssh_8.4p1-6ubuntu1_source.buildinfo: done.
  Uploading openssh_8.4p1-6ubuntu1_source.changes: done.
Successfully uploaded packages.

Revision history for this message
Bryce Harrington (bryce) wrote :

$ rmad openssh
 openssh | 1:8.4p1-6ubuntu1 | impish-proposed

The package was accepted to -proposed and has built successfully for all architectures. It'd be helpful if you could keep an eye on the update-excuses page to make sure its autopkgtests pass successfully. The autopkgtests failed in my local environment due to warnings about permissions on some tmp dirs; possibly this issue won't affect the buildd environment so the tests will be ok, but worth watching.

Revision history for this message
Brian Murray (brian-murray) wrote :

I'm unsubscribing sponsors since this has been uploaded.

tags: removed: server-next
Bryce Harrington (bryce)
tags: added: update-excuse
Revision history for this message
Bryce Harrington (bryce) wrote :

This is stuck in -proposed due to some test failures.

a. snapd's autopkgtests are failing. I'm not sure why but it's failing against a bunch of stuff, and unlikely to be related to openssh. For this, I think just wait until snapd gets sorted.

b. openssh's autopkgtest for armhf fails:

https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/armhf/o/openssh/20210915_153813_9f0ec@/log.gz

15:37:47.745132692 E: run test sftp-chroot.sh ...
15:37:47.815324958 O:
15:37:47.818687482 O: WARNING: Unsafe (group or world writable) directory permissions found:
15:37:47.821470734 O: /tmp/autopkgtest.BMCGDj /tmp
15:37:47.824349161 O:
15:37:47.828068207 O: These could be abused to locally escalate privileges. If you are
15:37:47.831098208 O: sure that this is not a risk (eg there are no other users), you can
15:37:47.834369382 O: bypass this check by setting TEST_SSH_UNSAFE_PERMISSIONS=1
15:37:47.838832596 O:
15:37:48.389593715 O: test sftp in chroot: get
15:37:49.220480056 O: FATAL: Fetch testdata_openssh-tests.10274 failed
15:37:49.272336819 E: make: *** [Makefile:214: t-exec] Error 1
15:37:49.272732416 O: make: Leaving directory '/tmp/autopkgtest.BMCGDj/autopkgtest_tmp/user/regress'

15:37:49.275848416 O: ==> /tmp/autopkgtest.BMCGDj/autopkgtest_tmp/user/regress/failed-regress.log <==
15:37:49.278666043 O: trace: test sftp in chroot: get
15:37:49.279119015 E: tail: error writing 'standard output': Resource temporarily unavailable
15:37:49.281732694 O: Connection closed
15:37:49.284391098 O:
Connection closed.
15:37:49.287049577 O: FATAL: Fetch testdata_openssh-tests.10274 failed
15:37:49.289863204 O:
15:37:49.292443584 O: trace: test sftp in chroot: get
15:37:49.295060163 O: Connection closed
15:37:49.297757192 O:
Connection closed.
15:37:49.300477945 O: FATAL: Fetch testdata_openssh-tests.10274 failed
15:37:49.303095599 O: FAIL: Fetch testdata_openssh-tests.10274 failed

15:37:49.308296783 O: ==> /tmp/autopkgtest.BMCGDj/autopkgtest_tmp/user/regress/failed-ssh.log <==
...
15:37:51.474372804 O: debug3: channel 0: status: The following connections are open:
15:37:51.477102508 O: #0 server-session (t4 r0 i3/0 o3/0 e[closed]/0 fd -1/-1/-1 sock -1 cc -1)
15:37:51.479741212 O:
15:37:51.482360441 O: debug3: receive packet: type 1
15:37:51.485060819 O: Received disconnect from 127.0.0.1 port 51114:11: disconnected by user
15:37:51.487996046 O: Disconnected from user openssh-tests 127.0.0.1 port 51114
15:37:51.490691200 O: debug1: do_cleanup
15:37:51.493366103 O: debug1: temporarily_use_uid: 1001/1001 (e=1001/1001)
15:37:51.501159391 O: debug1: restore_uid: (unprivileged)
15:37:51.503932169 O: debug3: mm_request_receive entering
15:37:51.506765122 O: debug1: do_cleanup
15:37:51.509590624 O: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
15:37:51.512431677 O: debug1: restore_uid: 0/0
15:37:51.515012731 O: debug1: audit_event: unhandled event 12
15:37:51.517875458 O: debug1: main_sigchld_handler: Child exited
15:37:51.520917709 O: FATAL: Fetch testdata_openssh-tests.10274 failed
15:37:51.523740937 O:

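The "Unsafe (group or world writable) directory permissions" warning that the regress harness prints above is the same property sshd enforces on a ChrootDirectory: every directory component from / down to the jail must be owned by root and carry no group or world write bit ((mode & 0o022) == 0), or sshd refuses the login with "bad ownership or modes for chroot directory component". The harness can be told to ignore its own check with TEST_SSH_UNSAFE_PERMISSIONS=1; sshd has no such override. The code below is an added example, not openssh's code, that applies that rule to a path. The stat callback, the function names and the SAMPLE_FS tree are constructed for the example; nothing in it is taken from the bug's logs.

```python
import os
import stat
from typing import Callable, List, Tuple

# Added example, not openssh code: apply sshd's ChrootDirectory component rule
# (every directory from / down to the target must be owned by root and carry no
# group/world write bit, i.e. (mode & 0o022) == 0) to a path.

StatFn = Callable[[str], Tuple[int, int]]   # path -> (uid, st_mode)


def chroot_component_problems(path: str, stat_fn: StatFn) -> List[str]:
    """Return one message per component that sshd would reject; [] means the
    path is acceptable as a ChrootDirectory."""
    if not os.path.isabs(path):
        return [f"{path}: ChrootDirectory must be an absolute path"]
    parts = [p for p in os.path.normpath(path).split("/") if p]
    problems = []
    for i in range(len(parts) + 1):
        component = "/" + "/".join(parts[:i])     # "/", "/a", "/a/b", ...
        uid, mode = stat_fn(component)
        if not stat.S_ISDIR(mode):
            problems.append(f"{component}: not a directory")
            continue
        if uid != 0:
            problems.append(f"{component}: owned by uid {uid}, must be root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(
                f"{component}: group or world writable (mode {stat.S_IMODE(mode):04o})")
    return problems


def fs_stat(path: str) -> Tuple[int, int]:
    """stat_fn backed by the real filesystem (follows symlinks, as chroot does)."""
    st = os.stat(path)
    return st.st_uid, st.st_mode


# Constructed sample tree (not taken from the bug's logs). /tmp has the sticky
# bit, but sshd's check is (mode & 0o022), so the world-write bit still rejects it.
SAMPLE_FS = {
    "/": (0, stat.S_IFDIR | 0o755),
    "/srv": (0, stat.S_IFDIR | 0o755),
    "/srv/jail": (0, stat.S_IFDIR | 0o755),
    "/tmp": (0, stat.S_IFDIR | 0o1777),
    "/tmp/jail": (1001, stat.S_IFDIR | 0o775),
}


def demo() -> Tuple[List[str], List[str]]:
    """Check a good jail under /srv and a bad one under /tmp against SAMPLE_FS."""
    good = chroot_component_problems("/srv/jail", SAMPLE_FS.__getitem__)
    bad = chroot_component_problems("/tmp/jail", SAMPLE_FS.__getitem__)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("/srv/jail:", good or "ok")
    for line in bad:
        print("/tmp/jail:", line)
```

Against a live system, pass fs_stat as the callback: chroot_component_problems("/srv/jail", fs_stat). A jail anywhere under /tmp fails on the /tmp component alone, which is why sshd's ChrootDirectory check and the regress harness's warning both object to the autopkgtest's /tmp-rooted working directory.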
Revision history for this message
Bryce Harrington (bryce) wrote (last edit ):

From the original debdiff, two items catch the eye:

+ - Cherry-pick seccomp fixes for glibc 2.33 thanks to Dave Jones for
+ reports on armhf.
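
Review bot: the changelog entry names the glibc version the seccomp cherry-picks were made for (2.33) but neither the upstream commits nor the syscalls they let through the sandbox, which is exactly what a reviewer needs to judge whether the same allow-list is still sufficient when the package is built against glibc 2.34; consider naming the commit IDs in the entry or in the patch headers.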

This is a carried delta, so I shouldn't think it creates a new issue; however, I note we're now on glibc 2.34 in impish, so I wonder if there's some additional adjustment required for this fix. The patches in question allow certain symbols through, so could there be more symbols needed in glibc 2.34? I'm not spotting any relevant patches in the upstream bugzilla, though.

+ * debian/tests/regress: Don't fail cleanup if haveged isn't running.

This is a change to the test that is failing, so it seems suspect; however, the actual change is just this:

- start-stop-daemon --stop --quiet \
+ start-stop-daemon --stop --quiet --oknodo \
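
Review bot: --oknodo only changes start-stop-daemon's exit status when no matching process is found (0 instead of 1), so the single behavioural effect of this hunk is that the cleanup step no longer fails when haveged was never started, which matches the changelog entry; the quoted line ends in a continuation backslash and omits the --name/--pidfile arguments, so confirm the flag is on the haveged stop call and not on another invocation in the same script.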

Revision history for this message
William Wilson (jawn-smith) wrote (last edit ):

Bryceh: I've been looking into this a bit. Removing the --oknodo had no effect on the tests, and neither did removing the diff that we carry from Debian. I've also noticed that the issue only occurs on kernel <= 5.8. The tests all pass when run in a test environment with kernel 5.11 or 5.13, which is how I missed this in my initial testing.

I'm still looking into this, and have many strace and debug openssh logs to read through.

Revision history for this message
William Wilson (jawn-smith) wrote :

So this is fun: upstream openssh actually has the same test failure when running `make tests`. So it doesn't appear to be something we introduced here, but it is definitely a problem that needs solving.

Revision history for this message
William Wilson (jawn-smith) wrote :

Mounting /proc in the chroot fixed the test. I'll prepare a patch and an upstream bug report.

Revision history for this message
William Wilson (jawn-smith) wrote (last edit ):

Actually, a feature of openssh is being able to use a chroot that doesn't look like a root filesystem, so we'll have to consider how to move forward on this. I'll create some upstream bug reports for glibc and openssh. It seems glibc's fallback just silently does nothing if the kernel close_range is not present.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:8.4p1-6ubuntu2

---------------
openssh (1:8.4p1-6ubuntu2) impish; urgency=medium

  * Configure with ac_cv_func_closefrom=no to avoid an incompatibility
    with glibc 2.34's fallback_closefrom function (LP: #1944621)

 -- William 'jawn-smith' Wilson <email address hidden> Tue, 21 Sep 2021 22:08:39 +0000

Changed in openssh (Ubuntu):
status: In Progress → Fix Released
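
William's diagnosis above and the ac_cv_func_closefrom=no workaround in the changelog both turn on how closefrom() finds the descriptors it has to close once sshd has entered the chroot: close_range(2) exists only on Linux 5.9 and later, and enumerating /proc/self/fd only works if /proc is mounted inside the jail, which a minimal sftp chroot does not have. The code below is an added example, not openssh's or glibc's code, that follows the degradation ladder openssh's own openbsd-compat closefrom uses: close_range(2), then /proc/self/fd, then a brute-force close() loop bounded by sysconf(_SC_OPEN_MAX), so that a chroot without /proc on a pre-5.9 kernel still closes every descriptor instead of depending on /proc. The closefrom_range and demo_closefrom names, the bounded highfd, and the skip flags that simulate an old kernel and a /proc-less chroot are additions for demonstration; a real call site passes the equivalent of INT_MAX and has no such flags.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example, not openssh or glibc code: a closefrom() that degrades
 * gracefully. The strategy that ran is returned so a caller (or test) can see it. */
enum closefrom_method { CF_CLOSE_RANGE = 1, CF_PROC_FD = 2, CF_BRUTE_FORCE = 3 };

/* Demo-only knobs to simulate a pre-5.9 kernel (no close_range) and a chroot
 * without /proc; a real implementation has no such flags. */
enum { SKIP_CLOSE_RANGE = 1u << 0, SKIP_PROC = 1u << 1 };

int closefrom_range(int lowfd, int highfd, unsigned skip)
{
    if (lowfd < 0)
        lowfd = 0;
    if (highfd < lowfd)
        return -1;

    /* 1. close_range(2): one syscall, no fd-table scan. Linux >= 5.9 only;
     *    older kernels (or a seccomp filter) make it fail and we fall through. */
#ifdef SYS_close_range
    if (!(skip & SKIP_CLOSE_RANGE) &&
        syscall(SYS_close_range, (unsigned)lowfd, (unsigned)highfd, 0u) == 0)
        return CF_CLOSE_RANGE;
#endif

    /* 2. Enumerate /proc/self/fd. Cheap, but opendir() fails with ENOENT in a
     *    chroot where /proc is not mounted, which is the sftp-chroot case. */
    if (!(skip & SKIP_PROC)) {
        DIR *dirp = opendir("/proc/self/fd");
        if (dirp != NULL) {
            int dfd = dirfd(dirp);
            struct dirent *de;
            while ((de = readdir(dirp)) != NULL) {
                char *end;
                long fd = strtol(de->d_name, &end, 10);
                if (end == de->d_name || *end != '\0')
                    continue;                   /* "." and ".." */
                if (fd >= lowfd && fd <= highfd && fd != dfd)
                    (void)close((int)fd);       /* the DIR's own fd goes with closedir() */
            }
            closedir(dirp);
            return CF_PROC_FD;
        }
    }

    /* 3. Brute force: try every descriptor number. Slow with a large
     *    RLIMIT_NOFILE, but it cannot silently leave descriptors open. */
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 1)
        maxfd = 1024;
    if ((long)highfd > maxfd - 1)
        highfd = (int)(maxfd - 1);
    for (int fd = lowfd; fd <= highfd; fd++)
        (void)close(fd);
    return CF_BRUTE_FORCE;
}

/* Open a pipe, close its two descriptors with the requested strategy and check
 * that they are gone while stderr survives. Returns the strategy used, or -1. */
int demo_closefrom(unsigned skip)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    int lo = p[0] < p[1] ? p[0] : p[1];
    int hi = p[0] < p[1] ? p[1] : p[0];
    int method = closefrom_range(lo, hi, skip);
    if (method < 0)
        return -1;
    for (int i = 0; i < 2; i++) {
        errno = 0;
        if (fcntl(p[i], F_GETFD) != -1 || errno != EBADF)
            return -1;                          /* still open: the strategy lied */
    }
    if (fcntl(STDERR_FILENO, F_GETFD) == -1)
        return -1;                              /* must never touch fds below lowfd */
    return method;
}

int main(void)
{
    static const char *names[] = { "", "close_range", "/proc/self/fd", "brute force" };
    unsigned variants[] = { 0, SKIP_CLOSE_RANGE, SKIP_CLOSE_RANGE | SKIP_PROC };
    for (size_t i = 0; i < 3; i++) {
        int m = demo_closefrom(variants[i]);
        printf("skip=%u -> %s\n", variants[i], m > 0 ? names[m] : "FAILED");
    }
    return 0;
}
```

Run on a 5.9+ kernel the first variant reports close_range and the second /proc/self/fd; inside a chroot without /proc, or with SKIP_PROC set, only the brute-force loop remains, which is the step that matters for a ChrootDirectory session on a kernel before 5.9.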