On Mon, Feb 27, 2012 at 03:54:11PM +0100, Nico Golde wrote:
> * Gerrit Pape <p...@smarden.org> [2012-02-27 15:48]:
> > According to upstream's changelog, this also affects squeeze.  Are you
> > already working on that, or shall I prepare an upload to stable?
> 
> If you have the time to prepare stable updates that would be great, we 
> currently track this in RT as #3643.
> Please send me the debdiff before uploading.

Hi,

oldstable (0.51-1) is not affected.
unstable is fixed with version 2012.55-1.

For stable, I backported the fix to 0.52, swiftly checked with upstream
(thx Matt), and prepared these changes (debdiff attached):

Format: 1.8
Date: Tue, 28 Feb 2012 09:44:53 +0000
Source: dropbear
Binary: dropbear
Architecture: source
Version: 0.52-5+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Gerrit Pape <p...@smarden.org>
Description: 
 dropbear   - lightweight SSH2 server and client
Closes: 661150
Changes: 
 dropbear (0.52-5+squeeze1) stable-security; urgency=high
 .
   * debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff: new:
     Fix use-after-free bug (CVE-2012-0920) (closes: #661150).
Checksums-Sha1: 
 0afb9d944048204f9ee90104334db6bde3f92c69 769 dropbear_0.52-5+squeeze1.dsc
 ae927e8b90059a7ba2b2b514d9824c12885b1949 1789901 dropbear_0.52.orig.tar.gz
 78962f1288c833c0609ae1c97557c731465cbb96 5767 dropbear_0.52-5+squeeze1.diff.gz
Checksums-Sha256: 
 e51eba0631636c438010b9251603b7f5c9220d442e4cc757f29ff31e3e877dcc 769 dropbear_0.52-5+squeeze1.dsc
 e3a2ca49ed85ce562240c0ac06e2f72826d7e52a83e80d91c067c8b97bf5c108 1789901 dropbear_0.52.orig.tar.gz
 67e15d4c1663a31d33b50800e169ac82787d2c62276f80186724d4d1a21df91b 5767 dropbear_0.52-5+squeeze1.diff.gz
Files: 
 de29b4652687bb752fb28b38398df336 769 net optional dropbear_0.52-5+squeeze1.dsc
 1c69ec674481d7745452f68f2ea5597e 1789901 net optional dropbear_0.52.orig.tar.gz
 b803c37992f2e7e6e75c5d806917568f 5767 net optional dropbear_0.52-5+squeeze1.diff.gz

Regards, Gerrit.
diff -u dropbear-0.52/debian/changelog dropbear-0.52/debian/changelog
--- dropbear-0.52/debian/changelog
+++ dropbear-0.52/debian/changelog
@@ -1,3 +1,10 @@
+dropbear (0.52-5+squeeze1) stable-security; urgency=high
+
+  * debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff: new:
+    Fix use-after-free bug (CVE-2012-0920) (closes: #661150).
+
+ -- Gerrit Pape <p...@smarden.org>  Tue, 28 Feb 2012 09:44:53 +0000
+
 dropbear (0.52-5) unstable; urgency=low
 
   [ deb...@x.ray.net ]
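Review bot: the changelog entry only names the bug class and the CVE; since the patch header says the use-after-free is reachable only when command="..." restrictions are used in authorized_keys, it would help the advisory text and anyone triaging stable to state that condition here as well, e.g. "Fix use-after-free bug in command= authorized_keys restrictions (CVE-2012-0920)". The version (0.52-5+squeeze1), target suite (stable-security) and urgency match the .changes block above, so nothing else to flag in this hunk.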
only in patch2:
unchanged:
--- 
dropbear-0.52.orig/debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff
+++ dropbear-0.52/debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff
@@ -0,0 +1,35 @@
+From d46b781361cae7fdbdc50ad5752d47f786f30a2b Mon Sep 17 00:00:00 2001
+From: Gerrit Pape <p...@smarden.org>
+Date: Mon, 27 Feb 2012 16:33:55 +0000
+Subject: [PATCH 3/3] Fix use-after-free bug (CVE-2012-0920)
+
+Fix use-after-free bug that could be triggered if command="..."
+authorized_keys restrictions are used.
+
+This is a backport of the upstream fix in version 2012.55 to version
+0.52
+ https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
+---
+ svr-authpubkeyoptions.c |    6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c
+index 13a179d..324eb47 100644
+--- a/svr-authpubkeyoptions.c
++++ b/svr-authpubkeyoptions.c
+@@ -90,8 +90,10 @@ int svr_pubkey_allows_pty() {
+ 
+ /* Set chansession command to the one forced by 'command' public key option */
+ void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
+-      if (ses.authstate.pubkey_options)
+-              chansess->cmd = ses.authstate.pubkey_options->forced_command;
++      if (ses.authstate.pubkey_options) {
++              m_free(chansess->cmd);
++              chansess->cmd = 
m_strdup(ses.authstate.pubkey_options->forced_command);
++      }
+ }
+ 
+ /* Free potential public key options */
+-- 
+1.7.9.1
+
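Review bot: the svr_pubkey_set_forced_command() change addresses the ownership problem: the old code made chansess->cmd an alias of ses.authstate.pubkey_options->forced_command, so once the public key options were freed (the "Free potential public key options" function that follows this hunk) the channel session kept a dangling pointer, which is the use-after-free named in the subject; m_strdup() gives chansess its own heap copy. Two things to confirm before upload: first, m_free(chansess->cmd) now runs unconditionally inside the branch, so every value chansess->cmd can hold at this point must be NULL or heap-allocated, and m_free must tolerate NULL, otherwise the fix trades a use-after-free for an invalid free; second, in this mail the assignment is split across two lines ("chansess->cmd =" / "m_strdup(...);"), which looks like mail wrapping rather than the attached file, so please verify that the debdiff applies cleanly to 0.52-5 and that the resulting hunk still matches the upstream changeset linked in the header (818108bf7749).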
