Bug 1851 - ssh_selinux_setfscreatecon segfaults if SELinux support is compiled in but is disabled at run-time
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 5.7p1
Hardware: All Linux
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_5_9
 
Reported: 2011-01-27 23:09 AEDT by Colin Watson
Modified: 2011-09-06 15:32 AEST

Attachments
more error checks in ssh_selinux_setfscreatecon (518 bytes, patch)
2011-01-27 23:09 AEDT, Colin Watson
openssh-5.8p1-syntex-error.diff (520 bytes, patch)
2011-02-04 22:40 AEDT, Leonardo Chiquitto

Description Colin Watson 2011-01-27 23:09:38 AEDT
Created attachment 1984 [details]
more error checks in ssh_selinux_setfscreatecon

The Debian/Ubuntu OpenSSH packages are compiled with SELinux support, but SELinux isn't necessarily available at run-time.  If it's unavailable, then ssh_selinux_setfscreatecon may crash because it does not either (a) check ssh_selinux_enabled or (b) check the return value of matchpathcon.  I suspect it should do both, although I'm not sure whether any error message is necessary if matchpathcon fails - does this just mean that the configuration doesn't specify any particular context?  (I'm not an SELinux expert.)

Patch attached which at least clears up the crash.

(BTW, the indentation in ssh_selinux_setfscreatecon is non-standard.)
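
The two checks named in the description, as an added example that is not part of the original report and is not the attached patch or OpenSSH's code. The `stub_*` functions, `fake_selinux_on`, `guarded_setfscreatecon` and the context string are constructed stand-ins for libselinux's `is_selinux_enabled()`, `matchpathcon()` and `setfscreatecon()`, and the model assumes a failed lookup leaves the context pointer unset.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for libselinux so the example runs without it. */
static int fake_selinux_on;        /* models SELinux state at run time */
static int setfscreatecon_calls;   /* how many times a context was applied */

static int stub_is_selinux_enabled(void) { return fake_selinux_on; }

/* Like matchpathcon(): 0 and *con set on success; -1 and *con untouched on failure. */
static int stub_matchpathcon(const char *path, const char **con)
{
	if (!fake_selinux_on || strncmp(path, "/home/", 6) != 0)
		return -1;
	*con = "constructed_u:object_r:constructed_home_t";
	return 0;
}

static int stub_setfscreatecon(const char *con)
{
	(void)con;
	setfscreatecon_calls++;
	return 0;
}

/* Returns 1 if a file-creation context was applied, 0 if the call was skipped. */
int guarded_setfscreatecon(const char *path)
{
	const char *context = NULL;    /* never left uninitialised */

	if (!stub_is_selinux_enabled())
		return 0;                  /* check (a): SELinux is off at run time */
	if (stub_matchpathcon(path, &context) != 0)
		return 0;                  /* check (b): lookup failed, nothing to apply */
	return stub_setfscreatecon(context) == 0;
}

int main(void)
{
	fake_selinux_on = 0;
	printf("disabled: applied=%d\n", guarded_setfscreatecon("/home/user/.ssh"));
	fake_selinux_on = 1;
	printf("enabled, match: applied=%d\n", guarded_setfscreatecon("/home/user/.ssh"));
	printf("enabled, no match: applied=%d\n", guarded_setfscreatecon("/tmp/x"));
	return 0;
}
```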
Comment 1 Damien Miller 2011-01-28 10:26:17 AEDT
Patch applied - thanks.
Comment 2 Leonardo Chiquitto 2011-02-04 22:39:40 AEDT
This patch* was misapplied and causes a syntax error when building 5.8p1 with SELinux enabled.

* http://hg.mindrot.org/openssh/rev/8611ccf82385
Comment 3 Leonardo Chiquitto 2011-02-04 22:40:41 AEDT
Created attachment 1991 [details]
openssh-5.8p1-syntex-error.diff
Comment 4 Darren Tucker 2011-02-06 13:25:34 AEDT
Applied, thanks.
Comment 5 Damien Miller 2011-09-06 15:32:49 AEST
close resolved bugs now that openssh-5.9 has been released