Hi Matt,

On Thu, 18 May 2017 at 23:02:09 +0800, Matt Johnston wrote:
> Dropbear 2017.75 is released. This has a couple of security
> fixes and a couple of bug fixes since 2016.74.

FYI https://matt.ucc.asn.au/dropbear/CHANGES yields 403 forbidden.

> - Security: Fix double-free in server TCP listener cleanup
>   A double-free in the server could be triggered by an authenticated user if
>   dropbear is running with -a (Allow connections to forwarded ports from any
>   host)
>   This could potentially allow arbitrary code execution as root by an
>   authenticated user.
>   Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting
>   the crash.
>
> - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink.
>   Dropbear parsed authorized_keys as root, even if it were a symlink. The fix
>   is to switch to user permissions when opening authorized_keys
>
>   A user could symlink their ~/.ssh/authorized_keys to a root-owned file they
>   couldn't normally read. If they managed to get that file to contain valid
>   authorized_keys with command= options it might be possible to read other
>   contents of that file.
>   This information disclosure is to an already authenticated user.
>   Thanks to Jann Horn of Google Project Zero for reporting this.

We're backporting these two to Debian Jessie (stable, soon to be oldstable).
Did you already request CVE IDs?

Cheers,
-- 
Guilhem.