Bug 5611 - dropbear new security issue CVE-2012-0920
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal
Severity: critical
Assigned To: QA Team
Whiteboard: MGA1-32-OK MGA1-64-OK
Keywords: validated_update
Reported: 2012-04-25 19:25 CEST by David Walser
Modified: 2012-08-12 19:27 CEST (History)
Source RPM: dropbear-0.53.1-2.mga1.src.rpm
Description David Walser 2012-04-25 19:25:20 CEST
Debian has issued this advisory on April 23:
http://www.debian.org/security/2012/dsa-2456

Cauldron is not affected (it was fixed in 2012.55).

Debian has the following patch for 0.52:
--- a/svr-authpubkeyoptions.c
+++ b/svr-authpubkeyoptions.c
@@ -90,8 +90,10 @@ int svr_pubkey_allows_pty() {

 /* Set chansession command to the one forced by 'command' public key option */
 void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
-       if (ses.authstate.pubkey_options)
-               chansess->cmd = ses.authstate.pubkey_options->forced_command;
+       if (ses.authstate.pubkey_options) {
+               m_free(chansess->cmd);
+               chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
+       }
 }

 /* Free potential public key options */
--
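Review bot: the guard `if (ses.authstate.pubkey_options) {` checks only that the options struct exists, yet `chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);` inside it dereferences forced_command unconditionally; please confirm forced_command can never be NULL once pubkey_options is set (a key carrying other options but no command= option is the case to check), or extend the condition with `&& ses.authstate.pubkey_options->forced_command` so m_strdup is never handed a null pointer. The ownership change itself is the right shape: `m_free(chansess->cmd)` releases whatever command the client requested, and the m_strdup gives the channel its own copy, so when channel teardown later frees `chansess->cmd` (which the added m_free implies it does) the string still referenced by pubkey_options is no longer freed with it, and a second command request on the same session cannot pick up a dangling pointer.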

I believe the appropriate fix for our 0.53.1 would be:
--- svr-authpubkeyoptions.c~    2011-03-02 08:23:36.000000000 -0500
+++ svr-authpubkeyoptions.c     2012-04-25 13:24:18.872645770 -0400
@@ -97,6 +97,10 @@
                {
                        ses.authstate.pubkey_options->original_command = m_strdup("");
                }
+               else
+               {
+                       m_free(chansess->cmd);
+               }
                chansess->cmd = ses.authstate.pubkey_options->forced_command;
 #ifdef LOG_COMMANDS
                dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
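Review bot: this hunk keeps `chansess->cmd = ses.authstate.pubkey_options->forced_command;` as a plain pointer copy, so the channel still aliases the string owned by pubkey_options; if channel cleanup frees `chansess->cmd` (the new `m_free(chansess->cmd);` branch itself treats cmd as something this code may free), that free also destroys forced_command, and the next command request on the same session reads freed memory, which is the multiple-command-request use-after-free this bug is about. The Debian hunk above avoids it by assigning `m_strdup(ses.authstate.pubkey_options->forced_command)` instead; please do the same here. Also, only three lines of context precede the new `else`, so the condition it attaches to is not visible in the hunk; state in the patch description under which branch `m_free(chansess->cmd)` runs and confirm that branch is not one in which chansess->cmd is still referenced from `original_command` or elsewhere, since that would turn the fix into a second use-after-free.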
Comment 1 David Walser 2012-04-27 15:25:45 CEST
The upstream fix that went into 2012.55 is different.  Here's the Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=800655
Comment 2 David Walser 2012-08-08 19:10:38 CEST
I asked upstream twice if my patch was OK and got no response.

Since there's no PoC we can find, we'll upgrade to 2012.55 to be sure of the fix.

Advisory:
========================

Updated dropbear package fixes security vulnerability:

Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54,
when command restriction and public key authentication are enabled, allows
remote authenticated users to execute arbitrary code and bypass command
restrictions via multiple crafted command requests, related to "channels
concurrency" (CVE-2012-0920).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0920
http://www.debian.org/security/2012/dsa-2456
========================

Updated packages in core/updates_testing:
========================
dropbear-2012.55-1.mga1

from dropbear-2012.55-1.mga1.src.rpm
Comment 3 Dave Hodgins 2012-08-09 02:12:22 CEST
Just testing that dropbear is working as an ssh server.

Testing complete on Mageia 1 i586.  I'll test x86-64 shortly.
Comment 4 Dave Hodgins 2012-08-09 02:15:22 CEST
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
dropbear-2012.55-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated dropbear package fixes security vulnerability:

Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54,
when command restriction and public key authentication are enabled, allows
remote authenticated users to execute arbitrary code and bypass command
restrictions via multiple crafted command requests, related to "channels
concurrency" (CVE-2012-0920).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0920
http://www.debian.org/security/2012/dsa-2456

https://bugs.mageia.org/show_bug.cgi?id=5611
Comment 5 Thomas Backlund 2012-08-12 19:27:38 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0205
