Bug 446103 - TCP wrappers leave SIGALRM blocked when ident fails
Summary: TCP wrappers leave SIGALRM blocked when ident fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: tcp_wrappers
Version: 5.2
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Jan Safranek
QA Contact:
URL:
Whiteboard:
Duplicates: 449090
Depends On:
Blocks:
Reported: 2008-05-12 18:58 UTC by Bryan Mason
Modified: 2018-10-20 02:53 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 13:42:44 UTC
Target Upstream Version:
Embargoed:


Attachments
Proposed patch - 1 of 2 (1.04 KB, patch)
2008-05-12 19:00 UTC, Bryan Mason
Proposed patch - 2 of 2 (975 bytes, patch)
2008-05-12 19:01 UTC, Bryan Mason


Links
System: Red Hat Product Errata
ID: RHBA-2009:0453
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: tcp_wrappers bug fix update
Last Updated: 2009-04-29 13:42:42 UTC

Description Bryan Mason 2008-05-12 18:58:23 UTC
+++ This bug was initially created as a clone of Bug #205129 +++

Description of problem:
When tcp wrappers try to query a remote ident server, which is blocked (e.g. by
iptables), it leaves SIGALRM blocked. This is especially bad for sshd, because
the whole session then runs with SIGALRM blocked.

Version-Release number of selected component (if applicable):
tcp_wrappers-7.6-40.4.el5

How reproducible:
100%

Steps to Reproduce:
1. on ssh client: "iptables -I INPUT -p tcp --dport ident -j DROP"
2. on ssh server: configure TCP wrappers to do an ident lookup (e.g. add "sshd:
ALL@ALL" line to /etc/hosts.allow)
3a. on ssh client: "ssh user@server 'ps xs|grep $$|grep -v grep'"
or 3b. on ssh client: "ssh user@server", and in the ssh session run something
like this:

perl -e '$SIG{ALRM}=sub{print"ALARM\n";}; alarm 1; sleep 5'

Actual results:
3a: the "BLOCKED" column of SSH output contains SIGALRM (BLOCKED & 0x2000
is 0x2000 on Linux/x86_64 and Linux/i386).
3b: no message is printed.

Expected results:
3a: BLOCKED & 0x2000 should be zero
3b: the "ALARM\n" message should be printed.

Additional info:
In the following message, Wietse Venema suggests that tcp_wrappers code is
correct and the bug is added by third parties:
http://www.gatago.com/mailing/unix/openssh-dev/4854382.html

Debian bug #354855 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354855)
apparently contains a patch for this problem. (META: this bugzilla does not have
the Debian bug tracking system available in the "External Bug Reference" list).
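
The checks from steps 3a and 3b, as an added C example that is not part of the original report or of tcp_wrappers: it decodes the BLOCKED mask bit, reads the caller's signal mask, and tests whether a timer signal is delivered. The function names, the 50 ms timer (the report uses "alarm 1"), the SIG_BLOCK call standing in for the inherited mask, and the caller-side SIG_UNBLOCK workaround are assumptions; the workaround is not the errata fix.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <sys/time.h>
#include <time.h>

static volatile sig_atomic_t alarm_seen;
static void on_alarm(int signo) { (void)signo; alarm_seen = 1; }

/* Decode a mask as printed in the BLOCKED column of "ps xs": signal N is bit N-1. */
int mask_has_signal(unsigned long long mask, int signo) {
    return (int)((mask >> (signo - 1)) & 1ULL);
}

/* how = SIG_BLOCK (constructed stand-in for the bug state) or SIG_UNBLOCK. */
int change_sigalrm(int how) {
    sigset_t s;
    sigemptyset(&s); sigaddset(&s, SIGALRM);
    return sigprocmask(how, &s, NULL);
}

/* 1 if SIGALRM is blocked in the caller's signal mask, 0 if not, -1 on error. */
int sigalrm_blocked(void) {
    sigset_t cur;
    if (sigprocmask(SIG_BLOCK, NULL, &cur) != 0) return -1;
    return sigismember(&cur, SIGALRM);
}

/* Step 3b without perl: arm a 50 ms timer, wait 300 ms, report whether the handler ran. */
int alarm_delivered(void) {
    struct sigaction old, sa = {0};
    struct itimerval tv = { {0, 0}, {0, 50000} };
    struct timespec left = { 0, 300000000L };
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    alarm_seen = 0;
    if (sigaction(SIGALRM, &sa, &old) != 0 || setitimer(ITIMER_REAL, &tv, NULL) != 0) return -1;
    while (nanosleep(&left, &left) == -1 && errno == EINTR) { /* resume after the signal */ }
    signal(SIGALRM, SIG_IGN);          /* discards a SIGALRM still pending behind the block */
    sigaction(SIGALRM, &old, NULL);    /* restore the caller's disposition */
    return alarm_seen;
}

int main(void) {
    change_sigalrm(SIG_BLOCK);         /* constructed: mimic the inherited mask */
    int before = alarm_delivered();    /* expected: handler never runs */
    change_sigalrm(SIG_UNBLOCK);       /* caller-side workaround (assumption) */
    return (before == 0 && alarm_delivered() == 1) ? 0 : 1;
}
```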

Comment 1 Bryan Mason 2008-05-12 19:00:42 UTC
Created attachment 305159
Proposed patch - 1 of 2

These two patches are position dependent.  This one needs to be applied first.

Comment 2 Bryan Mason 2008-05-12 19:01:24 UTC
Created attachment 305160
Proposed patch - 2 of 2

This patch needs to be applied second.

Comment 3 Jan Safranek 2008-06-02 05:22:05 UTC
*** Bug 449090 has been marked as a duplicate of this bug. ***

Comment 6 RHEL Program Management 2008-07-21 23:02:53 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 15 errata-xmlrpc 2009-04-29 13:42:44 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0453.html

