On Mon, Feb 27, 2012 at 03:54:11PM +0100, Nico Golde wrote:
> * Gerrit Pape <p...@smarden.org> [2012-02-27 15:48]:
> > According to upstream's changelog, this also affects squeeze. Are you
> > already working on that, or shall I prepare an upload to stable?
>
> If you have the time to prepare stable updates that would be great, we
> currently track this in RT as #3643.
> Please send me the debdiff before uploading.
Hi, oldstable (0.51-1) is not affected. unstable is fixed with version
2012.55-1. For stable, I backported the fix to 0.52, swiftly checked with
upstream (thx Matt), and prepared these changes (debdiff attached):

Format: 1.8
Date: Tue, 28 Feb 2012 09:44:53 +0000
Source: dropbear
Binary: dropbear
Architecture: source
Version: 0.52-5+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Gerrit Pape <p...@smarden.org>
Description:
 dropbear   - lightweight SSH2 server and client
Closes: 661150
Changes:
 dropbear (0.52-5+squeeze1) stable-security; urgency=high
 .
   * debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff: new:
     Fix use-after-free bug (CVE-2012-0920) (closes: #661150).
Checksums-Sha1:
 0afb9d944048204f9ee90104334db6bde3f92c69 769 dropbear_0.52-5+squeeze1.dsc
 ae927e8b90059a7ba2b2b514d9824c12885b1949 1789901 dropbear_0.52.orig.tar.gz
 78962f1288c833c0609ae1c97557c731465cbb96 5767 dropbear_0.52-5+squeeze1.diff.gz
Checksums-Sha256:
 e51eba0631636c438010b9251603b7f5c9220d442e4cc757f29ff31e3e877dcc 769 dropbear_0.52-5+squeeze1.dsc
 e3a2ca49ed85ce562240c0ac06e2f72826d7e52a83e80d91c067c8b97bf5c108 1789901 dropbear_0.52.orig.tar.gz
 67e15d4c1663a31d33b50800e169ac82787d2c62276f80186724d4d1a21df91b 5767 dropbear_0.52-5+squeeze1.diff.gz
Files:
 de29b4652687bb752fb28b38398df336 769 net optional dropbear_0.52-5+squeeze1.dsc
 1c69ec674481d7745452f68f2ea5597e 1789901 net optional dropbear_0.52.orig.tar.gz
 b803c37992f2e7e6e75c5d806917568f 5767 net optional dropbear_0.52-5+squeeze1.diff.gz

Regards, Gerrit.
diff -u dropbear-0.52/debian/changelog dropbear-0.52/debian/changelog --- dropbear-0.52/debian/changelog +++ dropbear-0.52/debian/changelog @@ -1,3 +1,10 @@ +dropbear (0.52-5+squeeze1) stable-security; urgency=high + + * debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff: new: + Fix use-after-free bug (CVE-2012-0920) (closes: #661150). + + -- Gerrit Pape <p...@smarden.org> Tue, 28 Feb 2012 09:44:53 +0000 + dropbear (0.52-5) unstable; urgency=low [ deb...@x.ray.net ] only in patch2: unchanged: --- dropbear-0.52.orig/debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff +++ dropbear-0.52/debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff @@ -0,0 +1,35 @@ +From d46b781361cae7fdbdc50ad5752d47f786f30a2b Mon Sep 17 00:00:00 2001 +From: Gerrit Pape <p...@smarden.org> +Date: Mon, 27 Feb 2012 16:33:55 +0000 +Subject: [PATCH 3/3] Fix use-after-free bug (CVE-2012-0920) + +Fix use-after-free bug that could be triggered if command="..." +authorized_keys restrictions are used. + +This is a backport of the upstream fix in version 2012.55 to version +0.52 + https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749 +--- + svr-authpubkeyoptions.c | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c +index 13a179d..324eb47 100644 +--- a/svr-authpubkeyoptions.c ++++ b/svr-authpubkeyoptions.c +@@ -90,8 +90,10 @@ int svr_pubkey_allows_pty() { + + /* Set chansession command to the one forced by 'command' public key option */ + void svr_pubkey_set_forced_command(struct ChanSess *chansess) { +- if (ses.authstate.pubkey_options) +- chansess->cmd = ses.authstate.pubkey_options->forced_command; ++ if (ses.authstate.pubkey_options) { ++ m_free(chansess->cmd); ++ chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command); ++ } + } + + /* Free potential public key options */ +-- +1.7.9.1 +
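Review bot: in the svr-authpubkeyoptions.c hunk, the new m_free(chansess->cmd) relies on chansess->cmd being either NULL or a heap buffer owned by the channel session when svr_pubkey_set_forced_command runs; the patch description should say where cmd is initialised so a reviewer can confirm m_free is safe on a session that never received a command. The removed line aliased chansess->cmd to a string owned by ses.authstate.pubkey_options, so the "Free potential public key options" routine visible right below the hunk could release that string while chansess->cmd still pointed at it; taking a private copy with m_strdup removes the aliasing, and the added m_free also stops leaking the command the client originally requested, which the old assignment overwrote without freeing. Worth noting in the commit message that the copy is now owned and freed by the channel session, and that this matches upstream rev 818108bf7749 one to one.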
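The ownership mistake behind this hunk, as an added stand-alone model rather than dropbear's own code: a per-session options struct owns the forced command string and is freed on its own schedule, so a channel session that merely stores the same pointer is left with a dangling cmd once the options go away. The xmalloc/xstrdup/xfree helpers and the two struct layouts are assumptions that stand in for dropbear's m_malloc/m_strdup/m_free and its real ChanSess and pubkey option structs; the strings are constructed sample input.

```c
/* Added example (not dropbear's code): models the use-after-free fixed
 * by the CVE-2012-0920 patch. PubkeyOptions owns forced_command and is
 * freed independently of ChanSess, so ChanSess must hold its own copy. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins for dropbear's m_malloc/m_strdup/m_free. */
static void *xmalloc(size_t n) {
    void *p = malloc(n);
    if (!p) { perror("malloc"); exit(1); }
    return p;
}
static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = xmalloc(n);
    memcpy(p, s, n);
    return p;
}
/* Like dropbear's m_free: release the buffer and NULL the pointer. */
#define xfree(p) do { free(p); (p) = NULL; } while (0)

struct PubkeyOptions { char *forced_command; };   /* assumed layout */
struct ChanSess      { char *cmd; };              /* assumed layout */

/* Pre-patch logic: alias the options-owned buffer. */
static void vuln_set_forced_command(struct ChanSess *cs, struct PubkeyOptions *po) {
    if (po)
        cs->cmd = po->forced_command;
}

/* Patched logic: drop whatever cmd held and take a private copy. */
static void fixed_set_forced_command(struct ChanSess *cs, struct PubkeyOptions *po) {
    if (po) {
        xfree(cs->cmd);
        cs->cmd = xstrdup(po->forced_command);
    }
}

/* The counterpart of "Free potential public key options". */
static void free_pubkey_options(struct PubkeyOptions **po) {
    if (*po) {
        xfree((*po)->forced_command);
        xfree(*po);
    }
}

/* Returns 1 when chansess->cmd aliases the options-owned buffer; after
 * free_pubkey_options any read of cs.cmd would be a use-after-free, so
 * the dangling pointer is deliberately never dereferenced here. */
int vuln_cmd_is_aliased(void) {
    struct PubkeyOptions *po = xmalloc(sizeof *po);
    po->forced_command = xstrdup("/usr/bin/rrsync /backup");   /* constructed */
    struct ChanSess cs = { .cmd = xstrdup("rm -rf /") };       /* client-supplied, constructed */
    vuln_set_forced_command(&cs, po);   /* also leaks the client-supplied cmd */
    int aliased = (cs.cmd == po->forced_command);
    free_pubkey_options(&po);           /* cs.cmd now dangles */
    return aliased;
}

/* Returns 1 when, after the options are freed, cs.cmd is a distinct
 * allocation that still holds the forced command. */
int fixed_cmd_survives_free(void) {
    struct PubkeyOptions *po = xmalloc(sizeof *po);
    po->forced_command = xstrdup("/usr/bin/rrsync /backup");
    struct ChanSess cs = { .cmd = xstrdup("rm -rf /") };
    fixed_set_forced_command(&cs, po);
    int distinct = (cs.cmd != po->forced_command);
    free_pubkey_options(&po);
    int ok = distinct && strcmp(cs.cmd, "/usr/bin/rrsync /backup") == 0;
    xfree(cs.cmd);                      /* channel session owns the copy */
    return ok;
}

int main(void) {
    printf("vulnerable path aliases options buffer: %d\n", vuln_cmd_is_aliased());
    printf("patched path survives options free:    %d\n", fixed_cmd_survives_free());
    return 0;
}
```

Running the vulnerable path under AddressSanitizer or valgrind and then reading cs.cmd after free_pubkey_options is the quickest way to see the original report reproduce; the patched path is the pattern to check for wherever one struct stores a pointer into memory another struct owns and frees.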