dropbear: Double-free in server TCP listener cleanup (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink (CVE-2017-9079)

Debian Bug report logs - #862970
Reported by: Guilhem Moulin <guilhem@debian.org>

Date: Fri, 19 May 2017 13:00:05 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version dropbear/2013.60-1

Fixed in versions dropbear/2016.74-5, dropbear/2014.65-1+deb8u2

Done: Guilhem Moulin <guilhem@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Guilhem Moulin <guilhem@guilhem.org>:
Bug#862970; Package dropbear. (Fri, 19 May 2017 13:00:08 GMT)


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Guilhem Moulin <guilhem@guilhem.org>. (Fri, 19 May 2017 13:00:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink
Date: Fri, 19 May 2017 14:50:55 +0200
Package: dropbear
Version: 2014.65-1+deb8u2
Severity: grave
Tags: security
Justification: user security hole

dropbear 2017.75 was released [0] on May 18 and fixes the following two
security vulnerabilities, for which no CVE was assigned yet AFAIK [1].

    - Security: Fix double-free in server TCP listener cleanup
      A double-free in the server could be triggered by an authenticated
      user if dropbear is running with -a (Allow connections to
      forwarded ports from any host). This could potentially allow
      arbitrary code execution as root by an authenticated user.
      Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for
      reporting the crash.

    Patch: https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

    - Security: Fix information disclosure with ~/.ssh/authorized_keys
      symlink.
      Dropbear parsed authorized_keys as root, even if it were a
      symlink. The fix is to switch to user permissions when opening
      authorized_keys.

      A user could symlink their ~/.ssh/authorized_keys to a root-owned
      file they couldn't normally read. If they managed to get that file
      to contain valid authorized_keys with command= options it might be
      possible to read other contents of that file.
      This information disclosure is to an already authenticated user.
      Thanks to Jann Horn of Google Project Zero for reporting this.

    Patch: https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

-- 
Guilhem.

[0] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001985.html
	https://matt.ucc.asn.au/dropbear/CHANGES (currently yields 403)
[1] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001987.html

Marked as found in versions dropbear/2013.60-1. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Fri, 19 May 2017 13:39:06 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 19 May 2017 13:57:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Guilhem Moulin <guilhem@guilhem.org>:
Bug#862970; Package dropbear. (Fri, 19 May 2017 16:00:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Guilhem Moulin <guilhem@guilhem.org>. (Fri, 19 May 2017 16:00:05 GMT)


Message #14 received at 862970@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Guilhem Moulin <guilhem@debian.org>, 862970@bugs.debian.org
Subject: Re: Bug#862970: dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink
Date: Fri, 19 May 2017 17:56:28 +0200
Control: retitle -1 dropbear: Double-free in server TCP listener cleanup (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink (CVE-2017-9079)

Two CVEs were assigned for the two issues, retitling the bug
accordingly.

Regards,
Salvatore



Changed Bug title to 'dropbear: Double-free in server TCP listener cleanup (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink (CVE-2017-9079)' from 'dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 862970-submit@bugs.debian.org. (Fri, 19 May 2017 16:00:05 GMT)


Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Fri, 19 May 2017 22:21:05 GMT)


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Fri, 19 May 2017 22:21:05 GMT)


Message #21 received at 862970-close@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: 862970-close@bugs.debian.org
Subject: Bug#862970: fixed in dropbear 2016.74-5
Date: Fri, 19 May 2017 22:18:45 +0000
Source: dropbear
Source-Version: 2016.74-5

We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated dropbear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 May 2017 23:41:21 +0200
Source: dropbear
Binary: dropbear-bin dropbear-run dropbear-initramfs dropbear
Architecture: source amd64 all
Version: 2016.74-5
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin <guilhem@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 dropbear   - transitional dummy package for dropbear-{run,initramfs}
 dropbear-bin - lightweight SSH2 server and client - command line tools
 dropbear-initramfs - lightweight SSH2 server and client - initramfs integration
 dropbear-run - lightweight SSH2 server and client - startup scripts
Closes: 862970
Changes:
 dropbear (2016.74-5) unstable; urgency=high
 .
   * Backport security fixes from 2017.75 (closes: #862970):
     - CVE-2017-9078: Fix double-free in server TCP listener cleanup
       A double-free in the server could be triggered by an authenticated user
       if dropbear is running with -a (Allow connections to forwarded ports
       from any host). This could potentially allow arbitrary code execution as
       root by an authenticated user.
     - CVE-2017-9079: Fix information disclosure with ~/.ssh/authorized_keys
       symlink.
       Dropbear parsed authorized_keys as root, even if it were a symlink. The
       fix is to switch to user permissions when opening authorized_keys.
       A user could symlink their ~/.ssh/authorized_keys to a root-owned file
       they couldn't normally read. If they managed to get that file to contain
       valid authorized_keys with command= options it might be possible to read
       other contents of that file.
       This information disclosure is to an already authenticated user.


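The privilege switch the report and the changelog above describe for CVE-2017-9079, as an added example in C that is not dropbear's own code: the server keeps its root identity but takes the user's effective uid/gid for the duration of the open(), so the kernel's permission check on whatever ~/.ssh/authorized_keys points at runs as the user rather than as root. Function names are my own; the pre-fix variant is kept only for contrast.

```c
#define _XOPEN_SOURCE 700  /* seteuid()/setegid() prototypes on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Pre-fix pattern: open() runs with the server's (root) credentials, so a
 * symlink planted at ~/.ssh/authorized_keys resolves to any file root can
 * read. Shown for contrast; do not use this in a privileged daemon. */
int open_authorized_keys_as_root(const char *path)
{
    return open(path, O_RDONLY);
}

/* Fix as described in the report: become the user (effective ids only) around
 * the open(), so symlink targets are checked against the user's permissions,
 * then restore the server's identity. Returns an fd or -1 with errno set. */
int open_authorized_keys_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, saved_errno;

    /* Change gid first: once euid is unprivileged, setegid() would fail. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        setegid(saved_gid);
        return -1;
    }

    fd = open(path, O_RDONLY);   /* permission check now runs as uid/gid */
    saved_errno = errno;

    /* Restore privileges; if that fails, do not hand the fd back. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}
```

Run as an unprivileged user the switch is a no-op for your own uid/gid; run as root with another user's ids, a symlink to a root-only file yields EACCES instead of its contents.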



No longer marked as found in versions 2014.65-1+deb8u2. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Sat, 20 May 2017 06:42:03 GMT)


Marked as fixed in versions dropbear/2014.65-1+deb8u2. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Sat, 20 May 2017 07:18:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:49:04 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:17:51 2019; Machine Name: buxtehude
