Debian has issued this advisory on April 23: http://www.debian.org/security/2012/dsa-2456 Cauldron is not affected (it was fixed in 2012.55). Debian has the following patch for 0.52: --- a/svr-authpubkeyoptions.c +++ b/svr-authpubkeyoptions.c @@ -90,8 +90,10 @@ int svr_pubkey_allows_pty() { /* Set chansession command to the one forced by 'command' public key option */ void svr_pubkey_set_forced_command(struct ChanSess *chansess) { - if (ses.authstate.pubkey_options) - chansess->cmd = ses.authstate.pubkey_options->forced_command; + if (ses.authstate.pubkey_options) { + m_free(chansess->cmd); + chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command); + } } /* Free potential public key options */ -- I believe the appropriate fix for our 0.53.1 would be: --- svr-authpubkeyoptions.c~ 2011-03-02 08:23:36.000000000 -0500 +++ svr-authpubkeyoptions.c 2012-04-25 13:24:18.872645770 -0400 @@ -97,6 +97,10 @@ { ses.authstate.pubkey_options->original_command = m_strdup(""); } + else + { + m_free(chansess->cmd); + } chansess->cmd = ses.authstate.pubkey_options->forced_command; #ifdef LOG_COMMANDS dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
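Review bot: In the Debian hunk for svr_pubkey_set_forced_command, the `m_strdup` makes chansess->cmd a heap copy that the channel session now owns, so the ChanSess teardown must be the one to free it and must no longer be able to reach pubkey_options->forced_command through that pointer; worth confirming in the rest of the file that the cleanup path frees cmd exactly once and that the unconditional `m_free(chansess->cmd);` before the assignment is safe when no command was requested on the channel (cmd still NULL).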
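Review bot: In the proposed 0.53.1 hunk the line that follows the added block, `chansess->cmd = ses.authstate.pubkey_options->forced_command;`, still stores the options' own pointer rather than a copy, so chansess->cmd and pubkey_options->forced_command alias one buffer; the added `m_free(chansess->cmd);` in the else arm would then, on a later command request in the same session, free the buffer that pubkey_options still references, and the ordinary channel-session teardown of cmd has the same effect. The copy semantics of the Debian hunk (`chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);`) are the safer shape. Also, the context line `{ ses.authstate.pubkey_options->original_command = m_strdup(""); }` looks like the arm of a conditional whose head is above the hunk; if it is already an else arm, adding a second `else` after it will not compile, so the placement should be checked against the whole function.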
CC: (none) => stormi
The upstream fix that went into 2012.55 is different. Here's the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=800655
CC: (none) => mageia
I asked upstream twice if my patch was OK and got no response. Since there's no PoC we can find, we'll upgrade to 2012.55 to be sure of the fix.

Advisory:
========================

Updated dropbear package fixes security vulnerability:

Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency" (CVE-2012-0920).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0920
http://www.debian.org/security/2012/dsa-2456
========================

Updated packages in core/updates_testing:
========================
dropbear-2012.55-1.mga1 from dropbear-2012.55-1.mga1.src.rpm
Assignee: bugsquad => qa-bugs
Severity: normal => critical
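The ownership problem behind the advisory, reduced to a stand-alone C model. This is an added example, not Dropbear's code: `set_forced_alias` mirrors the 0.52 assignment that shares the options' pointer with the channel session, `set_forced_copy` mirrors the m_free/m_strdup shape of the Debian hunk, and a small liveness table stands in for the allocator so the two models can be compared without touching freed memory. Struct names, function names and the sample command string are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed liveness tracker standing in for m_strdup/m_free: records which
 * heap strings are still allocated so the example never reads freed memory. */
#define MAX_ALLOCS 16
static char *live[MAX_ALLOCS];

static char *t_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    for (int i = 0; i < MAX_ALLOCS; i++) if (!live[i]) { live[i] = p; return p; }
    abort();
}
static int t_is_live(const char *p) {
    for (int i = 0; i < MAX_ALLOCS; i++) if (p && live[i] == p) return 1;
    return 0;
}
static void t_free(char *p) {   /* tolerates NULL and unknown pointers */
    for (int i = 0; i < MAX_ALLOCS; i++) if (p && live[i] == p) { live[i] = NULL; free(p); return; }
}

struct PubkeyOptions { char *forced_command; };   /* lives in the auth state */
struct ChanSess { char *cmd; };                   /* one per channel */

/* Vulnerable shape: the channel session merely borrows the options' pointer. */
static void set_forced_alias(struct ChanSess *cs, struct PubkeyOptions *o) { cs->cmd = o->forced_command; }
/* Fixed shape (Debian hunk): drop any requested cmd, then own a private copy. */
static void set_forced_copy(struct ChanSess *cs, struct PubkeyOptions *o) {
    t_free(cs->cmd);
    cs->cmd = t_strdup(o->forced_command);
}
/* Channel teardown frees whatever cmd the session holds. */
static void chansess_cleanup(struct ChanSess *cs) { t_free(cs->cmd); cs->cmd = NULL; }

/* Open a channel, close it, then ask whether the auth state's forced command is
 * still live for the next channel. Returns 1 (survives) or 0 (dangling). */
static int forced_command_survives(void (*setter)(struct ChanSess *, struct PubkeyOptions *)) {
    struct PubkeyOptions opts = { t_strdup("/usr/bin/rrsync /backup") };  /* constructed */
    struct ChanSess first = { NULL };
    setter(&first, &opts);
    chansess_cleanup(&first);
    int alive = t_is_live(opts.forced_command);
    if (alive) t_free(opts.forced_command);     /* only the copy model gets here */
    memset(live, 0, sizeof live);
    return alive;
}

int main(void) {
    printf("alias model: forced_command live after first channel = %d\n", forced_command_survives(set_forced_alias));
    printf("copy  model: forced_command live after first channel = %d\n", forced_command_survives(set_forced_copy));
    return 0;
}
```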
Just testing that dropbear is working as an ssh server. Testing complete on Mageia 1 i586. I'll test x86-64 shortly.
CC: (none) => davidwhodgins
Whiteboard: (none) => MGA1-32-OK
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm dropbear-2012.55-1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated dropbear package fixes security vulnerability:

Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency" (CVE-2012-0920).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0920
http://www.debian.org/security/2012/dsa-2456
https://bugs.mageia.org/show_bug.cgi?id=5611
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1-32-OK => MGA1-32-OK MGA1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0205
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED