[Bug 2049552] Re: [noble] ftbfs with new zlib 1.3
Miriam España Acebal
2049552 at bugs.launchpad.net
Thu Jan 18 09:03:17 UTC 2024
The regress test is failing when run against -proposed for all archs (in
both cases for s390x), except for i386 (unmet dependencies, maybe not in
the i386-white-list). From the log, the failure is the same in all archs:
1800s 21:20:13.906172151 E: run test putty-transfer.sh ...
1801s 21:20:14.536962818 O: putty transfer data: compression 0
1802s 21:20:15.670433174 O: putty transfer data: compression 1
1803s 21:20:16.693499776 O: ok putty transfer data
1803s 21:20:16.695110678 E: run test putty-ciphers.sh ...
1804s 21:20:17.585923199 O: putty ciphers: cipher aes
1804s 21:20:17.709690365 O: putty ciphers: cipher 3des
1804s 21:20:17.835865215 O: putty ciphers: cipher aes128-ctr
1804s 21:20:17.965845061 O: putty ciphers: cipher aes192-ctr
1805s 21:20:18.098941298 O: putty ciphers: cipher aes256-ctr
1805s 21:20:18.232051575 O: putty ciphers: cipher chacha20
1805s 21:20:18.278267143 E: The client-to-server cipher selected for this session is
1805s 21:20:18.279841266 E: ChaCha20-Poly1305, which, with this server, is vulnerable to
1805s 21:20:18.281237545 E: the 'Terrapin' attack CVE-2023-48795, potentially allowing
1805s 21:20:18.282623086 E: an attacker to modify the encrypted session.
1805s 21:20:18.284017245 E: Upgrading, patching, or reconfiguring this SSH server is the
1805s 21:20:18.285366255 E: best way to avoid this vulnerability, if possible.
1805s 21:20:18.286856416 E: You can also avoid this vulnerability by abandoning this
1805s 21:20:18.288221535 E: connection, moving ChaCha20 to below the 'warn below here'
1805s 21:20:18.289585505 E: line in PuTTY's SSH cipher configuration (so that an
1805s 21:20:18.291007676 E: algorithm without the vulnerability will be selected), and
1805s 21:20:18.292345334 E: starting a new connection.
1805s 21:20:18.293771875 E: Connection abandoned.
1805s 21:20:18.295117553 E: FATAL ERROR: Cannot confirm a weak crypto primitive in batch mode
1805s 21:20:18.297391166 O: ssh cat /tmp/autopkgtest.8T5BlL/autopkgtest_tmp/user/regress/data failed
1805s 21:20:18.298429901 E: cmp: EOF on /tmp/autopkgtest.8T5BlL/autopkgtest_tmp/user/regress/copy which is empty
1805s 21:20:18.317523283 O: corrupted copy
1805s 21:20:18.319527121 O: failed putty ciphers
1805s 21:20:18.319434210 E: make: *** [Makefile:247: t-exec-interop] Error 1
1805s 21:20:18.320965722 O: make: Leaving directory '/tmp/autopkgtest.8T5BlL/autopkgtest_tmp/user/regress'
1805s 21:20:18.322307881 O: ==> /tmp/autopkgtest.8T5BlL/autopkgtest_tmp/user/regress/failed-regress.log <==
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-48795
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2049552
Title:
[noble] ftbfs with new zlib 1.3
Status in openssh package in Ubuntu:
In Progress
Bug description:
The zlib detection code seems faulty:
checking for possibly buggy zlib... yes
configure: error: *** zlib too old - check config.log ***
Your reported zlib version has known security problems. It's possible your
vendor has fixed these problems without changing the version number. If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.
| #include <stdio.h>
| #include <stdlib.h>
| #include <zlib.h>
|
| int
| main (void)
| {
|
|     int a=0, b=0, c=0, d=0, n, v;
|     n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
|     if (n != 3 && n != 4)
|         exit(1);
|     v = a*1000000 + b*10000 + c*100 + d;
|     fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
|
|     /* 1.1.4 is OK */
|     if (a == 1 && b == 1 && c >= 4)
|         exit(0);
|
|     /* 1.2.3 and up are OK */
|     if (v >= 1020300)
|         exit(0);
|
|     exit(2);
|
|   ;
|   return 0;
| }
Upstream bug report: https://bugzilla.mindrot.org/show_bug.cgi?id=3604
Upstream fix (untested): https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2049552/+subscriptions
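Added example (not part of the bug report and not OpenSSH's code): the quoted configure test turned into a function, showing that a two-component version string such as "1.3" is rejected at the parse step, before the age comparison runs. relaxed_check is a hypothetical variant and is not taken from the upstream commit; the sample version strings are constructed.

```c
#include <stdio.h>

/* Version check from the quoted configure test, with ZLIB_VERSION turned
 * into a parameter. min_fields is the fewest dotted components accepted:
 * the quoted test requires 3 (n != 3 && n != 4 rejects everything else).
 * Returns the exit status the test program would produce. */
static int zlib_check(const char *ver, int min_fields)
{
    int a = 0, b = 0, c = 0, d = 0, n, v;

    n = sscanf(ver, "%d.%d.%d.%d", &a, &b, &c, &d);
    if (n < min_fields)          /* also catches EOF (-1) on empty input */
        return 1;                /* could not parse */
    v = a * 1000000 + b * 10000 + c * 100 + d;
    if (a == 1 && b == 1 && c >= 4)
        return 0;                /* 1.1.4 is OK */
    if (v >= 1020300)
        return 0;                /* 1.2.3 and up are OK */
    return 2;                    /* parsed, but older than the fixed releases */
}

/* Behaviour of the test as quoted in the bug description. */
static int original_check(const char *ver) { return zlib_check(ver, 3); }

/* Hypothetical relaxed variant (an assumption, not the upstream commit):
 * a missing third or fourth component is treated as 0. */
static int relaxed_check(const char *ver) { return zlib_check(ver, 2); }

int main(void)
{
    /* Constructed sample version strings. */
    const char *samples[] = { "1.1.3", "1.1.4", "1.2.2", "1.2.3",
                              "1.2.13", "1.3", "1.3.0.1" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-8s original=%d relaxed=%d\n", samples[i],
               original_check(samples[i]), relaxed_check(samples[i]));
    return 0;
}
```

Any relaxation of the parse step still has to reject releases older than 1.1.4 and 1.2.3, which is why the relaxed variant keeps both age comparisons unchanged.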