Your message dated Fri, 19 May 2017 22:18:45 +0000
with message-id <e1dbqep-000cpu...@fasolo.debian.org>
and subject line Bug#862970: fixed in dropbear 2016.74-5
has caused the Debian Bug report #862970,
regarding dropbear: Double-free in server TCP listener cleanup (CVE-2017-9078); information disclosure with ~/.ssh/authorized_keys symlink (CVE-2017-9079)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dropbear
Version: 2014.65-1+deb8u2
Severity: grave
Tags: security
Justification: user security hole

dropbear 2017.75 was released [0] on May 18 and fixes the following two
security vulnerabilities, for which no CVE was assigned yet AFAIK [1].

    - Security: Fix double-free in server TCP listener cleanup
      A double-free in the server could be triggered by an authenticated
      user if dropbear is running with -a (Allow connections to
      forwarded ports from any host). This could potentially allow
      arbitrary code execution as root by an authenticated user.
      Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for
      reporting the crash.

    Patch: https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

    - Security: Fix information disclosure with ~/.ssh/authorized_keys
      symlink.
      Dropbear parsed authorized_keys as root, even if it were a
      symlink. The fix is to switch to user permissions when opening
      authorized_keys.

      A user could symlink their ~/.ssh/authorized_keys to a root-owned
      file they couldn't normally read. If they managed to get that file
      to contain valid authorized_keys with command= options it might be
      possible to read other contents of that file.
      This information disclosure is to an already authenticated user.
      Thanks to Jann Horn of Google Project Zero for reporting this.

    Patch: https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

-- 
Guilhem.

[0] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001985.html
        https://matt.ucc.asn.au/dropbear/CHANGES (currently yields 403)
[1] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001987.html

Attachment: signature.asc
Description: PGP signature


--- End Message ---
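The second issue above (CVE-2017-9079) is fixed, as the report says, by switching to the user's permissions before opening authorized_keys, so that the kernel's own permission check decides whether a symlink target may be read. The following C program is an added illustration of that pattern and is not dropbear's code; `open_as_user`, `count_lines`, `make_sample_authorized_keys` and `demo_authorized_keys_read` are names chosen here, and the key line written to the temp file is a constructed fixture, not a real key. When run as root it opens the file with the target user's effective ids; an unprivileged run can only "switch" to its own ids, which is what the demo does.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Open `path` read-only while the effective uid/gid are temporarily
 * switched to (uid, gid), then restore the caller's effective ids.
 * Permission checks therefore run as the user: a symlink under ~/.ssh
 * pointing at a root-only file fails with EACCES instead of being read
 * with root's privileges. Returns an fd, or -1 with errno set. */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, saved_errno;

    /* Group first: once the effective uid is unprivileged, setegid()
     * to an arbitrary group would no longer be permitted. */
    if (setegid(gid) != 0 && getegid() != gid)
        return -1;
    if (seteuid(uid) != 0 && geteuid() != uid) {
        saved_errno = errno;
        (void)setegid(saved_gid);
        errno = saved_errno;
        return -1;
    }

    fd = open(path, O_RDONLY);
    saved_errno = errno;

    /* Restore in reverse order. Failing to regain the original ids would
     * leave the server running with the wrong privileges, so treat that
     * as fatal rather than carry on. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0) {
        if (fd >= 0)
            close(fd);
        abort();
    }
    errno = saved_errno;
    return fd;
}

/* Count newline-terminated lines readable from fd (one per key entry). */
int count_lines(int fd)
{
    char buf[4096];
    ssize_t n;
    int lines = 0;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] == '\n')
                lines++;
    return n < 0 ? -1 : lines;
}

/* Constructed fixture (not a real key): one authorized_keys line carrying
 * a command= option, written to a temp file. Returns a malloc'd path. */
char *make_sample_authorized_keys(void)
{
    static const char sample[] =
        "command=\"/usr/bin/true\" ssh-ed25519 AAAAexampleNOTaRealKey== user@host\n";
    char *path = strdup("/tmp/authorized_keys.XXXXXX");
    if (path == NULL)
        return NULL;
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, sample, sizeof sample - 1) != (ssize_t)(sizeof sample - 1)) {
        if (fd >= 0) {
            close(fd);
            unlink(path);
        }
        free(path);
        return NULL;
    }
    close(fd);
    return path;
}

/* Stand-alone demo: open the fixture as the current user and count its
 * lines (expected 1). Returns -1 on open/read failure, -2 if the
 * effective ids were not restored afterwards. */
int demo_authorized_keys_read(void)
{
    uid_t euid_before = geteuid();
    gid_t egid_before = getegid();
    char *path = make_sample_authorized_keys();
    if (path == NULL)
        return -1;
    int fd = open_as_user(path, getuid(), getgid());
    int lines = fd < 0 ? -1 : count_lines(fd);
    if (fd >= 0)
        close(fd);
    unlink(path);
    free(path);
    if (geteuid() != euid_before || getegid() != egid_before)
        return -2;
    return lines;
}

int main(void)
{
    printf("lines read as user: %d\n", demo_authorized_keys_read());
    return 0;
}
```

The important property is in the restore path: the file is opened with the user's ids, the caller's ids come back before the descriptor is handed on, and an inability to regain them is treated as fatal rather than silently continued.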
--- Begin Message ---
Source: dropbear
Source-Version: 2016.74-5

We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated dropbear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 May 2017 23:41:21 +0200
Source: dropbear
Binary: dropbear-bin dropbear-run dropbear-initramfs dropbear
Architecture: source amd64 all
Version: 2016.74-5
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin <guil...@debian.org>
Changed-By: Guilhem Moulin <guil...@debian.org>
Description:
 dropbear   - transitional dummy package for dropbear-{run,initramfs}
 dropbear-bin - lightweight SSH2 server and client - command line tools
 dropbear-initramfs - lightweight SSH2 server and client - initramfs integration
 dropbear-run - lightweight SSH2 server and client - startup scripts
Closes: 862970
Changes:
 dropbear (2016.74-5) unstable; urgency=high
 .
   * Backport security fixes from 2017.75 (closes: #862970):
     - CVE-2017-9078: Fix double-free in server TCP listener cleanup
       A double-free in the server could be triggered by an authenticated user
       if dropbear is running with -a (Allow connections to forwarded ports
       from any host) This could potentially allow arbitrary code execution as
       root by an authenticated user.
     - CVE-2017-9079: Fix information disclosure with ~/.ssh/authorized_keys
       symlink.
       Dropbear parsed authorized_keys as root, even if it were a symlink. The
       fix is to switch to user permissions when opening authorized_keys
       A user could symlink their ~/.ssh/authorized_keys to a root-owned file
       they couldn't normally read. If they managed to get that file to contain
       valid authorized_keys with command= options it might be possible to read
       other contents of that file.
       This information disclosure is to an already authenticated user.
Checksums-Sha1:
 5ff95c319707373b30b43e3132df947d54a24ff3 2134 dropbear_2016.74-5.dsc
 ffd6dbe1eaa1056e6841afd5924e00e358272c63 22072 dropbear_2016.74-5.debian.tar.xz
 f15c6d827a8ba1d9bcfc6ffe3893b34011b5dfca 1252406 dropbear-bin-dbgsym_2016.74-5_amd64.deb
 708ed45be0f41276d00dd1899f317ba377d43596 183340 dropbear-bin_2016.74-5_amd64.deb
 133975e25e11b193c6b5d446a2503d8d2acbe581 36564 dropbear-initramfs_2016.74-5_all.deb
 716cd21d211d82d6ca1d2609906578c36857274f 34152 dropbear-run_2016.74-5_all.deb
 4ceacd70c534deaacbd89f37f6bed347c3a2f162 31838 dropbear_2016.74-5_all.deb
 41ae76b614cad65cbab12a9e83dfd453b72cdb8d 6549 dropbear_2016.74-5_amd64.buildinfo
Checksums-Sha256:
 6e0625a8e52c3a3f6dd5fd45730bbe8ab6c48cbab0a309a8804996bdda59b722 2134 dropbear_2016.74-5.dsc
 719b0b7a84053062d35e02c8811d415f2178f032c1a0e584918e98eb23a62b8a 22072 dropbear_2016.74-5.debian.tar.xz
 fae772c49c7b751ad2cb1cef7d959de5b7d1c667d7254dd5925107dcd945afcd 1252406 dropbear-bin-dbgsym_2016.74-5_amd64.deb
 00d9135e8a1d652262662420533a5de3516490863d3ab1bb98a9234fa0ff0d63 183340 dropbear-bin_2016.74-5_amd64.deb
 9685107d7af4955d5b802f86fff9b326a5e9b437ede3e03da7f8c3156c895b1c 36564 dropbear-initramfs_2016.74-5_all.deb
 169145a775fc747f97252d29b468c3637aa946d6715062b7910bea8ade2be789 34152 dropbear-run_2016.74-5_all.deb
 557299fb6f8c27ba1f0481d0ca82db301133e4dfb32582f8133ddc9894a3a3e9 31838 dropbear_2016.74-5_all.deb
 948113dcb43d36ac1d3dc150d8c73ae52bb1aa98f0d60a62ef3c53fe211990dd 6549 dropbear_2016.74-5_amd64.buildinfo
Files:
 c9d5b3307f283692f2014f1c62edf5b8 2134 net optional dropbear_2016.74-5.dsc
 c092761dce400b84472e066506787895 22072 net optional dropbear_2016.74-5.debian.tar.xz
 4017fe6ad92831c93bc7b7928e8e86eb 1252406 debug extra dropbear-bin-dbgsym_2016.74-5_amd64.deb
 6a84c552f1e4eb28ca9e54d9e26284fb 183340 net optional dropbear-bin_2016.74-5_amd64.deb
 6e7e3bc503b93199ebaf41896170a73b 36564 net optional dropbear-initramfs_2016.74-5_all.deb
 9a745a9b83c7718411930514ab9eaeb8 34152 net optional dropbear-run_2016.74-5_all.deb
 935f1840ef24d1d7dfc20f8219101ff9 31838 oldlibs extra dropbear_2016.74-5_all.deb
 f30f95df9e12015bcee4970848fff63b 6549 net optional dropbear_2016.74-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAlkfaIoACgkQ05pJnDwh
pVKO/RAAskdu3/wcPfWwuyn+AhyWhSncSUQrSNf12brPXLjB/BBAPgQfBN+P+Bx+
a4B4hLgQ5bQzy/fzSm8tbKunNsWY2i1/wHZrV3YJqANAkth2wL1n/2XDJPTX5b93
+UlwIavWG1m1srC4XkP28yfp5Lb9xntsuKdF5BKpk49ws2WCbK5L9zDVhfzUgVf0
hgRacBFHG6E7Ggya16YF96zHmQGgsdUWxxUEcmJrGeHY1PN4wjROqlg+iXb7cU9D
mTeovc8UaCH1G44PoWUF/TEPNYwyFuUPQUPjjWIrBKMdzt8+x3aowT7nyKu20XnY
CA0bGpSkxcxh94Vr7zCxQ0PX1D09WLsP/Gjvu8DXtLm9jKnEimT4xIwYX1RrUTbY
RGjqGRCSjyvQyo1xMB3eLU56e/2kW50JsxNpL6DaGo8KBe8IRZUh4sFeMtL8vV9p
SvHgdp6SFyARjF2P2whGYzXbhq8z4y4VNjkOVO5mRFfLuWUik7ulyqHQQcrlUumg
/5d1MGgKJJ2Lkua67by9Jcxulx9gUhTa4c8EnLifmmWCS1Spyv8sELNUHYHoET07
lULlRpOAnIiTthDVdUGxqckXXUXEYyXctT7HfNBwhl3cH0JXuZBcJh0qPIrCgnYJ
8xLd2JyLRakNu7RP1s5nyEmx61Vg7hnwmXBGzzHNN08PExevMuE=
=qMgp
-----END PGP SIGNATURE-----

--- End Message ---