Bug 5611

Summary: dropbear new security issue CVE-2012-0920
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: Normal
CC: davidwhodgins, mageia, stormi-mageia, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard: MGA1-32-OK MGA1-64-OK
Source RPM: dropbear-0.53.1-2.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-04-25 19:25:20 CEST
Debian has issued this advisory on April 23:
http://www.debian.org/security/2012/dsa-2456

Cauldron is not affected (it was fixed in 2012.55).

Debian has the following patch for 0.52:
--- a/svr-authpubkeyoptions.c
+++ b/svr-authpubkeyoptions.c
@@ -90,8 +90,10 @@ int svr_pubkey_allows_pty() {

 /* Set chansession command to the one forced by 'command' public key option */
 void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
-       if (ses.authstate.pubkey_options)
-               chansess->cmd = ses.authstate.pubkey_options->forced_command;
+       if (ses.authstate.pubkey_options) {
+               m_free(chansess->cmd);
+               chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
+       }
 }

 /* Free potential public key options */
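Review bot: the m_strdup on the new line `chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);` is the substantive change and deserves a short comment in the code saying why: chansess now owns a private copy of the forced command instead of aliasing the string held by pubkey_options, so freeing chansess->cmd when a channel is torn down can no longer release memory that a later channel will read through pubkey_options. Worth confirming on the corresponding channel cleanup path that chansess->cmd is always freed (otherwise each forced-command request now leaks one copy), and that m_free tolerates a NULL chansess->cmd, since the new m_free runs before any command has necessarily been set.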
--

I believe the appropriate fix for our 0.53.1 would be:
--- svr-authpubkeyoptions.c~    2011-03-02 08:23:36.000000000 -0500
+++ svr-authpubkeyoptions.c     2012-04-25 13:24:18.872645770 -0400
@@ -97,6 +97,10 @@
                {
                        ses.authstate.pubkey_options->original_command = m_strdup("");
                }
+               else
+               {
+                       m_free(chansess->cmd);
+               }
                chansess->cmd = ses.authstate.pubkey_options->forced_command;
 #ifdef LOG_COMMANDS
                dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
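Review bot: the unchanged assignment `chansess->cmd = ses.authstate.pubkey_options->forced_command;` at the bottom of the hunk still stores the pointer owned by pubkey_options in chansess->cmd, so the two structures keep sharing one buffer, which is exactly the ownership problem the Debian patch removes with `chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);`. The new else branch only covers the case where chansess->cmd already held something when this function ran; if chansess->cmd is released on channel teardown (the Debian hunk's own m_free(chansess->cmd) shows it is expected to be freeable), that release still frees forced_command itself and the next forced-command request on the connection reads freed memory. Suggest taking the m_strdup copy here as well, keeping the else/m_free only to discard a client-supplied command; and since the else attaches to a condition outside the hunk, a one-line comment stating which case it handles would help the next reader.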
David Walser 2012-04-25 19:25:32 CEST

CC: (none) => stormi

Comment 1 David Walser 2012-04-27 15:25:45 CEST
The upstream fix that went into 2012.55 is different.  Here's the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=800655
David Walser 2012-05-01 21:06:12 CEST

CC: (none) => mageia

Comment 2 David Walser 2012-08-08 19:10:38 CEST
I asked upstream twice if my patch was OK and got no response.

Since there's no PoC we can find, we'll upgrade to 2012.55 to be sure of the fix.

Advisory:
========================

Updated dropbear package fixes security vulnerability:

Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54,
when command restriction and public key authentication are enabled, allows
remote authenticated users to execute arbitrary code and bypass command
restrictions via multiple crafted command requests, related to "channels
concurrency" (CVE-2012-0920).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0920
http://www.debian.org/security/2012/dsa-2456
========================

Updated packages in core/updates_testing:
========================
dropbear-2012.55-1.mga1

from dropbear-2012.55-1.mga1.src.rpm

Assignee: bugsquad => qa-bugs

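The advisory above describes the bug as a use-after-free tied to channel concurrency. The following C program is an added illustration written for this page, not dropbear code: it models the ownership relationship with simplified stand-in types (PubkeyOptions for the per-connection public key options, ChanSess for the per-channel session, xstrdup/xfree in place of dropbear's m_strdup/m_free) and shows the fix pattern from the Debian patch, a per-channel private copy of the forced command, surviving two sequential exec requests. The forced command and client command strings are constructed sample values.

```c
/* Added example, not dropbear code: models the ownership bug behind
 * CVE-2012-0920 and the strdup-per-channel fix. Type and function names
 * are simplified stand-ins for dropbear's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for m_strdup: duplicate a string, abort on allocation failure. */
static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) { perror("malloc"); exit(1); }
    memcpy(p, s, n);
    return p;
}

/* Stand-in for m_free: free and NULL the pointer so a double free is a no-op. */
#define xfree(p) do { free(p); (p) = NULL; } while (0)

/* Per-authentication state: lives for the whole SSH connection. */
struct PubkeyOptions { char *forced_command; };

/* Per-channel state: created and destroyed for each exec/shell request. */
struct ChanSess { char *cmd; };

/* Fixed pattern (as in the Debian hunk): each channel owns a private copy.
 * The vulnerable 0.52..2012.54 shape was the plain alias
 *     cs->cmd = po->forced_command;
 * which gave two owners one buffer: the first channel close freed it and
 * the next channel dereferenced freed memory. */
static void set_forced_command_copy(struct ChanSess *cs, const struct PubkeyOptions *po) {
    if (po && po->forced_command) {
        xfree(cs->cmd);                    /* drop any client-supplied command */
        cs->cmd = xstrdup(po->forced_command);
    }
}

/* Channel teardown: frees whatever command string this channel holds. */
static void close_chansess(struct ChanSess *cs) { xfree(cs->cmd); }

/* Simulates two sequential exec requests on one authenticated connection.
 * Returns 1 if the second channel still sees the forced command intact and
 * in its own allocation after the first channel has been torn down. */
int forced_command_survives_two_channels(void) {
    struct PubkeyOptions po = { xstrdup("/usr/bin/rsync --server") }; /* constructed */
    struct ChanSess c1 = { xstrdup("cat /etc/motd") };   /* client request, overridden */
    struct ChanSess c2 = { NULL };
    int ok;

    set_forced_command_copy(&c1, &po);
    close_chansess(&c1);                   /* frees c1's own copy only */

    set_forced_command_copy(&c2, &po);     /* po.forced_command is still valid */
    ok = c2.cmd != NULL
         && strcmp(c2.cmd, po.forced_command) == 0
         && c2.cmd != po.forced_command;   /* distinct allocations, distinct owners */

    close_chansess(&c2);
    xfree(po.forced_command);              /* connection teardown */
    return ok;
}

int main(void) {
    printf("forced command intact across two channels: %s\n",
           forced_command_survives_two_channels() ? "yes" : "no");
    return 0;
}
```

Compile with any C99 compiler (for example `cc -Wall -o forced forced.c`) and run under a memory checker such as Valgrind or AddressSanitizer; the copy-per-channel version reports no invalid reads, which is the property the 2012.55 upgrade restores.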
David Walser 2012-08-08 22:39:48 CEST

Severity: normal => critical

Comment 3 Dave Hodgins 2012-08-09 02:12:22 CEST
Just testing that dropbear is working as an ssh server.

Testing complete on Mageia 1 i586.  I'll test x86-64 shortly.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA1-32-OK

Comment 4 Dave Hodgins 2012-08-09 02:15:22 CEST
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
dropbear-2012.55-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated dropbear package fixes security vulnerability:

Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54,
when command restriction and public key authentication are enabled, allows
remote authenticated users to execute arbitrary code and bypass command
restrictions via multiple crafted command requests, related to "channels
concurrency" (CVE-2012-0920).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0920
http://www.debian.org/security/2012/dsa-2456

https://bugs.mageia.org/show_bug.cgi?id=5611

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1-32-OK => MGA1-32-OK MGA1-64-OK

Comment 5 Thomas Backlund 2012-08-12 19:27:38 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0205

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED