I have confirmed the fix using openssh 1:9.6p1-3ubuntu13.10 from noble- proposed.
First, I reproduced the bug using the current version: nr@six:~$ lxc launch ubuntu:noble noble Launching noble nr@six:~$ lxc exec noble bash root@noble:~# cat > /etc/apt/sources.list.d/proposed.sources << EOF Types: deb URIs: http://us.archive.ubuntu.com/ubuntu/ Suites: noble-proposed Components: main universe Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg > EOF root@noble:~# apt update Get:1 http://us.archive.ubuntu.com/ubuntu noble-proposed InRelease [265 kB] Hit:2 http://archive.ubuntu.com/ubuntu noble InRelease Get:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB] Get:4 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB] Get:5 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages [243 kB] Get:6 http://us.archive.ubuntu.com/ubuntu noble-proposed/main Translation-en [56.0 kB] Get:7 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Components [22.3 kB] Get:8 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 c-n-f Metadata [2248 B] Get:9 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Packages [470 kB] Get:10 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe Translation-en [60.2 kB] Get:11 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 Components [44.3 kB] Get:12 http://us.archive.ubuntu.com/ubuntu noble-proposed/universe amd64 c-n-f Metadata [7448 B] Get:13 http://archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB] Get:14 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages [748 kB] Get:15 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages [15.0 MB] Get:16 http://security.ubuntu.com/ubuntu noble-security/main Translation-en [143 kB] Get:17 http://security.ubuntu.com/ubuntu noble-security/main amd64 Components [8956 B] Get:18 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages [830 kB] Get:19 http://security.ubuntu.com/ubuntu noble-security/universe Translation-en [181 kB] Get:20 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Components [52.2 kB] Get:21 http://security.ubuntu.com/ubuntu noble-security/universe amd64 c-n-f Metadata [17.0 kB] Get:22 http://security.ubuntu.com/ubuntu noble-security/restricted amd64 Packages [859 kB] Get:23 http://security.ubuntu.com/ubuntu noble-security/restricted Translation-en [175 kB] Get:24 http://security.ubuntu.com/ubuntu noble-security/restricted amd64 Components [212 B] Get:25 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 Packages [17.6 kB] Get:26 http://security.ubuntu.com/ubuntu noble-security/multiverse Translation-en [3792 B] Get:27 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 Components [208 B] Get:28 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 c-n-f Metadata [380 B] Get:29 http://archive.ubuntu.com/ubuntu noble/universe Translation-en [5982 kB] Get:30 http://archive.ubuntu.com/ubuntu noble/universe amd64 Components [3871 kB] Get:31 http://archive.ubuntu.com/ubuntu noble/universe amd64 c-n-f Metadata [301 kB] Get:32 http://archive.ubuntu.com/ubuntu noble/multiverse amd64 Packages [269 kB] Get:33 http://archive.ubuntu.com/ubuntu noble/multiverse Translation-en [118 kB] Get:34 http://archive.ubuntu.com/ubuntu noble/multiverse amd64 Components [35.0 kB] Get:35 http://archive.ubuntu.com/ubuntu noble/multiverse amd64 c-n-f Metadata [8328 B] Get:36 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [1020 kB] Get:37 http://archive.ubuntu.com/ubuntu noble-updates/main Translation-en [223 kB] Get:38 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Components [151 kB] Get:39 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [1056 kB] Get:40 http://archive.ubuntu.com/ubuntu noble-updates/universe Translation-en [266 kB] Get:41 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Components [367 kB] Get:42 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 c-n-f Metadata [26.0 kB] Get:43 http://archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Packages [951 kB] Get:44 http://archive.ubuntu.com/ubuntu noble-updates/restricted Translation-en [195 kB] Get:45 http://archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Components [212 B] Get:46 http://archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Packages [21.5 kB] Get:47 http://archive.ubuntu.com/ubuntu noble-updates/multiverse Translation-en [4788 B] Get:48 http://archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Components [940 B] Get:49 http://archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 c-n-f Metadata [592 B] Get:50 http://archive.ubuntu.com/ubuntu noble-backports/main amd64 Packages [39.1 kB] Get:51 http://archive.ubuntu.com/ubuntu noble-backports/main Translation-en [8676 B] Get:52 http://archive.ubuntu.com/ubuntu noble-backports/main amd64 Components [7064 B] Get:53 http://archive.ubuntu.com/ubuntu noble-backports/main amd64 c-n-f Metadata [272 B] Get:54 http://archive.ubuntu.com/ubuntu noble-backports/universe amd64 Packages [27.1 kB] Get:55 http://archive.ubuntu.com/ubuntu noble-backports/universe Translation-en [16.5 kB] Get:56 http://archive.ubuntu.com/ubuntu noble-backports/universe amd64 Components [15.8 kB] Get:57 http://archive.ubuntu.com/ubuntu noble-backports/universe amd64 c-n-f Metadata [1304 B] Get:58 http://archive.ubuntu.com/ubuntu noble-backports/restricted amd64 Components [216 B] Get:59 http://archive.ubuntu.com/ubuntu noble-backports/restricted amd64 c-n-f Metadata [116 B] Get:60 http://archive.ubuntu.com/ubuntu noble-backports/multiverse amd64 Components [212 B] Get:61 http://archive.ubuntu.com/ubuntu noble-backports/multiverse amd64 c-n-f Metadata [116 B] Fetched 34.6 MB in 5s (6552 kB/s) Reading package lists... Done Building dependency tree... Done Reading state information... Done 27 packages can be upgraded. Run 'apt list --upgradable' to see them. root@noble:~# echo "LogLevel DEBUG" >> /etc/ssh/sshd_config.d/log-level.conf root@noble:~# su - ubuntu To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details. ubuntu@noble:~$ ssh-import-id enr0n 2025-04-18 19:18:00,520 INFO Authorized key ['3072', 'SHA256:VMGz6tsZ02V9ratWlExePp9LaOe2qIr7SiWLHP2aGrM', 'nr@six', '(RSA)'] 2025-04-18 19:18:00,521 INFO [1] SSH keys [Authorized] ubuntu@noble:~$ logout From another terminal, I connected to the container with: $ ssh ubuntu@10.19.111.127 Back in the container: root@noble:~# systemctl status ssh ● ssh.service - OpenBSD Secure Shell server Loaded: loaded (/usr/lib/systemd/system/ssh.service; disabled; preset: enabled) Active: active (running) since Fri 2025-04-18 19:18:38 UTC; 29s ago TriggeredBy: ● ssh.socket Docs: man:sshd(8) man:sshd_config(5) Process: 1054 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) Main PID: 1055 (sshd) Tasks: 1 (limit: 18290) Memory: 2.1M (peak: 3.1M) CPU: 92ms CGroup: /system.slice/ssh.service └─1055 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups" Apr 18 19:18:47 noble sshd[1059]: debug1: do_pam_account: called Apr 18 19:18:47 noble sshd[1059]: Accepted publickey for ubuntu from 10.19.111.1 port 38958 ssh2: RSA SHA256:VMGz6tsZ0> Apr 18 19:18:47 noble sshd[1059]: debug1: monitor_child_preauth: user ubuntu authenticated by privileged process Apr 18 19:18:47 noble sshd[1059]: debug1: auth_activate_options: setting new authentication options [preauth] Apr 18 19:18:47 noble sshd[1059]: debug1: monitor_read_log: child log fd closed Apr 18 19:18:47 noble sshd[1059]: debug1: PAM: establishing credentials Apr 18 19:18:47 noble sshd[1059]: pam_unix(sshd:session): session opened for user ubuntu(uid=1000) by ubuntu(uid=0) Apr 18 19:18:48 noble sshd[1059]: User child is on pid 1127 Apr 18 19:18:48 noble sshd[1059]: debug1: session_new: session 0 Apr 18 19:18:48 noble sshd[1059]: debug1: SELinux support disabled root@noble:~# journalctl -t sshd -b --grep "rexec start" -- No entries -- Then, I installed openssh-server from noble-proposed and tried again: root@noble:~# apt install -t noble-proposed openssh-server -y Reading package lists... Done Building dependency tree... Done Reading state information... Done The following additional packages will be installed: openssh-client openssh-sftp-server Suggested packages: keychain libpam-ssh monkeysphere ssh-askpass molly-guard The following packages will be upgraded: openssh-client openssh-server openssh-sftp-server 3 upgraded, 0 newly installed, 0 to remove and 50 not upgraded. Need to get 1452 kB of archives. After this operation, 0 B of additional disk space will be used. Get:1 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-sftp-server amd64 1:9.6p1-3ubuntu13.10 [37.3 kB] Get:2 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-server amd64 1:9.6p1-3ubuntu13.10 [509 kB] Get:3 http://us.archive.ubuntu.com/ubuntu noble-proposed/main amd64 openssh-client amd64 1:9.6p1-3ubuntu13.10 [905 kB] Fetched 1452 kB in 0s (6155 kB/s) Preconfiguring packages ... (Reading database ... 37222 files and directories currently installed.) Preparing to unpack .../openssh-sftp-server_1%3a9.6p1-3ubuntu13.10_amd64.deb ... Unpacking openssh-sftp-server (1:9.6p1-3ubuntu13.10) over (1:9.6p1-3ubuntu13.9) ... Preparing to unpack .../openssh-server_1%3a9.6p1-3ubuntu13.10_amd64.deb ... Unpacking openssh-server (1:9.6p1-3ubuntu13.10) over (1:9.6p1-3ubuntu13.9) ... Preparing to unpack .../openssh-client_1%3a9.6p1-3ubuntu13.10_amd64.deb ... Unpacking openssh-client (1:9.6p1-3ubuntu13.10) over (1:9.6p1-3ubuntu13.9) ... Setting up openssh-client (1:9.6p1-3ubuntu13.10) ... Setting up openssh-sftp-server (1:9.6p1-3ubuntu13.10) ... Setting up openssh-server (1:9.6p1-3ubuntu13.10) ... Processing triggers for man-db (2.12.0-4build2) ... Processing triggers for ufw (0.36.2-6) ... Scanning processes... Scanning candidates... No services need to be restarted. No containers need to be restarted. User sessions running outdated binaries: ubuntu @ session #525: sshd[1059] No VM guests are running outdated hypervisor (qemu) binaries on this host. root@noble:~# systemctl stop ssh.service Stopping 'ssh.service', but its triggering units are still active: ssh.socket From another termainal: $ ssh ubuntu@10.19.111.127 And back in the container: root@noble:~# journalctl -t sshd -b --grep "rexec start" Apr 18 19:20:10 noble sshd[1577]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7 ** Tags removed: verification-needed verification-needed-noble ** Tags added: verification-done verification-done-noble -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2071815 Title: Investigate ASLR re-randomization being disabled for children Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Noble: Fix Committed Bug description: [Impact] The systemd-socket-activation.patch patch has an Ubuntu delta to fix bug 2011458, but this results in ASLR not being re-randomized for children because the patch delta does "rexec_flag = 0;". This was discovered as part of the CVE-2024-6387 discovery by Qualys, and is mentioned in the disclosure itself: Side note: we discovered that Ubuntu 24.04 does not re-randomize the ASLR of its sshd children (it is randomized only once, at boot time); we tracked this down to the patch below, which turns off sshd's rexec_flag. This is generally a bad idea, but in the particular case of this signal handler race condition, it prevents sshd from being exploitable: the syslog() inside the SIGALRM handler does not call any of the malloc functions, because it is never the very first call to syslog(). This is also mentioned in the release notes of OpenSSH 9.8: Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation. We should investigate why that was needed, and if an alternative way of fixing the original bug can be done. [Test Plan] We just want to test that when a connection is accepted by sshd, the child process re-execs. There is a log message at the debug level from sshd when this happens. 1. Enable debug-level logging in sshd: $ echo "LogLevel DEBUG" >> /etc/ssh/sshd_config.d/log-level.conf 2. Watch the logs: $ journalctl -t sshd -b -f 3. From another host, connect to the test machine: $ ssh <user>@<test host> 4. On the test machine, among other messages, there should be a message noting the start of the re-exec, e.g.: sshd[2212]: debug1: rexec start in 6 out 6 newsock 6 pipe 8 sock 9 [Where problems could occur] Through the iterations of d/p/systemd-socket-activation.patch, there have been issues related to the re-exec behavior, and how the listen fds passed by systemd are handled. See [1][2] for examples. This patch hopes to finally resolve these issues. However, as was the case with previous bugs in this area, problems would most likely be related to incorrectly closing, or not closing, socket fds in sshd. [1] https://bugs.launchpad.net/bugs/2020474 [2] https://bugs.launchpad.net/bugs/2011458 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2071815/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
