[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: libssh 0.9.7 and 0.10.5 were released
[Thread Prev] | [Thread Next]
- Subject: Re: libssh 0.9.7 and 0.10.5 were released
- From: Jakub Jelen <jjelen@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Mon, 15 May 2023 12:04:41 +0200
- To: libssh@xxxxxxxxxx
On 5/9/23 19:25, Jakub Jelen wrote:
On 5/8/23 19:52, Jakub Jelen wrote:On 5/8/23 04:05, Orion Poplawski wrote:On 5/4/23 06:23, Jakub Jelen wrote:Hello,the libssh team released libssh 0.9.7 and 0.10.5, fixing previously announced security issues CVE-2023-1667 and CVE-2023-2283:https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/We're seeing a test failure just on i686 on Fedora rawhide: 40/62 Test #40: torture_rekey ....................***Failed 23.34 sec [==========] tests: Running 14 test(s). OK: SSH-2.0-OpenSSH_9.0 [ RUN ] torture_rekey_default [ OK ] torture_rekey_default [ RUN ] torture_rekey_time [ OK ] torture_rekey_time [ RUN ] torture_rekey_recv [ OK ] torture_rekey_recv [ RUN ] torture_rekey_send [ OK ] torture_rekey_send [ RUN ] torture_rekey_different_kex [ ERROR ] --- 0x20 != 0x40[ LINE ] --- /builddir/build/BUILD/libssh-0.10.5/tests/client/torture_rekey.c:522: error: Failure![ FAILED ] torture_rekey_different_kex [ RUN ] torture_rekey_send_compression_delayed [ OK ] torture_rekey_send_compression_delayed [ RUN ] torture_rekey_recv_compression_delayed [ OK ] torture_rekey_recv_compression_delayed [ RUN ] torture_rekey_server_different_kex OK: SSH-2.0-OpenSSH_9.0 [ ERROR ] --- 0x20 != 0x40[ LINE ] --- /builddir/build/BUILD/libssh-0.10.5/tests/client/torture_rekey.c:597: error: Failure![ FAILED ] torture_rekey_server_different_kex [ RUN ] torture_rekey_server_send OK: SSH-2.0-OpenSSH_9.0 [ OK ] torture_rekey_server_send [ RUN ] torture_rekey_guess_send OK: SSH-2.0-OpenSSH_9.0 [ OK ] torture_rekey_guess_send [ RUN ] torture_rekey_guess_wrong_send OK: SSH-2.0-OpenSSH_9.0 [ OK ] torture_rekey_guess_wrong_send [ RUN ] torture_rekey_server_recv OK: SSH-2.0-OpenSSH_9.0 [ OK ] torture_rekey_server_recv [ RUN ] torture_rekey_guess_recv OK: SSH-2.0-OpenSSH_9.0 [ OK ] torture_rekey_guess_recv [ RUN ] torture_rekey_guess_wrong_recv OK: SSH-2.0-OpenSSH_9.0 [ OK ] torture_rekey_guess_wrong_recv [==========] tests: 14 test(s) run. [ PASSED ] 12 test(s). [ FAILED ] tests: 2 test(s), listed below: [ FAILED ] torture_rekey_different_kex [ FAILED ] torture_rekey_server_different_kex 2 FAILED TEST(S) any idea what might be causing that?Hi,I was hoping I debugged all these issues while working on the release, but it looks like there are still some timing/memory/architecture variables.This error happens in case the rekey did not happen as expected (unexpected size of digest size). I was bumping the amount of sent data in [1] and [2] in both branches, which looked like solving the problem in upstream tests. Other option might be adding some sleep between the sending and processing the packets to make sure the server gets its turn, but hard to say if this would help ... the packet processing and rekey is asynchronous ... but there might better ways to do that.[1] https://gitlab.com/libssh/libssh-mirror/-/commit/31a33fd2fd0fdad7c814748fdff75c7390c7f06e [0.9] [2] https://gitlab.com/libssh/libssh-mirror/-/commit/dc1254d53e4fc6cbeb4797fc6ca1c9ed2c21f15c [0.10]Regards,From my understanding, this is an issue of the OpenSSH in Rawhide. I can reliably reproduce it in mock and it goes away when I try the same code in Fedora 38 (regardless of architecture).There are several patches in rawhide openssh that are missing from the F38 version so I will continue some investigation tomorrow.
This is a Fedora's OpenSSH bug on i686 (or OpenSSL one): https://bugzilla.redhat.com/show_bug.cgi?id=2203241 We are still investigating the real cause.In the meantime, the libssh in Fedora rawhide was updated with skipping this test. Updates in older versions are landing as they do not have this issue.
Regards, -- Jakub Jelen Crypto Team, Security Engineering Red Hat, Inc.
| Re: libssh 0.9.7 and 0.10.5 were released | Orion Poplawski <orion@xxxxxxxx> |
| libssh 0.9.7 and 0.10.5 were released | Jakub Jelen <jjelen@xxxxxxxxxx> |
| Re: libssh 0.9.7 and 0.10.5 were released | Orion Poplawski <orion@xxxxxxxx> |
| Re: libssh 0.9.7 and 0.10.5 were released | Jakub Jelen <jjelen@xxxxxxxxxx> |
| Re: libssh 0.9.7 and 0.10.5 were released | Jakub Jelen <jjelen@xxxxxxxxxx> |