Hello community,

here is the log from the commit of package dropbear for openSUSE:Factory 
checked in at 2016-03-16 10:36:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dropbear (Old)
 and      /work/SRC/openSUSE:Factory/.dropbear.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dropbear"

Changes:
--------
--- /work/SRC/openSUSE:Factory/dropbear/dropbear.changes        2015-12-06 
07:44:04.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.dropbear.new/dropbear.changes   2016-03-16 
10:36:20.000000000 +0100
@@ -1,0 +2,8 @@
+Fri Mar 11 16:00:23 UTC 2016 - thard...@suse.com
+
+- updated to upstream version 2016.72
+  * Validate X11 forwarding input. Could allow bypass of authorized_keys 
command= restrictions,
+    found by github.com/tintinweb. Thanks for Damien Miller for a patch.
+- used as bug fix release for bnc#970633 - VUL-0: CVE-2016-3116
+
+-------------------------------------------------------------------

Old:
----
  dropbear-2015.71.tar.bz2
  dropbear-2015.71.tar.bz2.asc

New:
----
  dropbear-2016.72.tar.bz2
  dropbear-2016.72.tar.bz2.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dropbear.spec ++++++
--- /var/tmp/diff_new_pack.1CF1SH/_old  2016-03-16 10:36:21.000000000 +0100
+++ /var/tmp/diff_new_pack.1CF1SH/_new  2016-03-16 10:36:21.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package dropbear
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 %endif
 
 Name:           dropbear
-Version:        2015.71
+Version:        2016.72
 Release:        0
 Summary:        A relatively small SSH 2 server and client
 License:        MIT

++++++ dropbear-2015.71.tar.bz2 -> dropbear-2016.72.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dropbear-2015.71/.hg_archival.txt 
new/dropbear-2016.72/.hg_archival.txt
--- old/dropbear-2015.71/.hg_archival.txt       2015-12-03 14:23:59.000000000 
+0100
+++ new/dropbear-2016.72/.hg_archival.txt       2016-03-09 15:54:53.000000000 
+0100
@@ -1,6 +1,6 @@
 repo: d7da3b1e15401eb234ec866d5eac992fc4cd5878
-node: 9a944a243f08be6b22d32f166a0690eb4872462b
+node: 78b12b6549be08b0bea3da329b2578060a76ca31
 branch: default
-latesttag: DROPBEAR_2015.70
-latesttagdistance: 10
-changessincelatesttag: 11
+latesttag: DROPBEAR_2015.71
+latesttagdistance: 3
+changessincelatesttag: 3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dropbear-2015.71/CHANGES new/dropbear-2016.72/CHANGES
--- old/dropbear-2015.71/CHANGES        2015-12-03 14:23:59.000000000 +0100
+++ new/dropbear-2016.72/CHANGES        2016-03-09 15:54:53.000000000 +0100
@@ -1,3 +1,8 @@
+2016.72 - 9 March 2016
+
+- Validate X11 forwarding input. Could allow bypass of authorized_keys 
command= restrictions,
+  found by github.com/tintinweb. Thanks for Damien Miller for a patch.
+
 2015.71 - 3 December 2015
 
 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dropbear-2015.71/debian/changelog 
new/dropbear-2016.72/debian/changelog
--- old/dropbear-2015.71/debian/changelog       2015-12-03 14:23:59.000000000 
+0100
+++ new/dropbear-2016.72/debian/changelog       2016-03-09 15:54:53.000000000 
+0100
@@ -1,8 +1,8 @@
-dropbear (2015.71-0.1) unstable; urgency=low
+dropbear (2016.72-0.1) unstable; urgency=low
 
   * New upstream release.
 
- -- Matt Johnston <m...@ucc.asn.au>  Thu, 3 Dec 2015 22:52:58 +0800
+ -- Matt Johnston <m...@ucc.asn.au>  Wed, 10 Mar 2016 22:52:58 +0800
 
 dropbear (2015.70-0.1) unstable; urgency=low
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dropbear-2015.71/svr-x11fwd.c 
new/dropbear-2016.72/svr-x11fwd.c
--- old/dropbear-2015.71/svr-x11fwd.c   2015-12-03 14:24:00.000000000 +0100
+++ new/dropbear-2016.72/svr-x11fwd.c   2016-03-09 15:54:54.000000000 +0100
@@ -42,11 +42,29 @@
 static int bindport(int fd);
 static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr);
 
+/* Check untrusted xauth strings for metacharacters */
+/* Returns DROPBEAR_SUCCESS/DROPBEAR_FAILURE */
+static int
+xauth_valid_string(const char *s)
+{
+       size_t i;
+
+       for (i = 0; s[i] != '\0'; i++) {
+               if (!isalnum(s[i]) &&
+                   s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+                   s[i] != '-' && s[i] != '_') {
+                       return DROPBEAR_FAILURE;
+               }
+       }
+       return DROPBEAR_SUCCESS;
+}
+
+
 /* called as a request for a session channel, sets up listening X11 */
 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
 int x11req(struct ChanSess * chansess) {
 
-       int fd;
+       int fd = -1;
 
        if (!svr_pubkey_allows_x11fwd()) {
                return DROPBEAR_FAILURE;
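Review bot: In xauth_valid_string, `isalnum(s[i])` is called with a plain `char`, and where `char` is signed a client-supplied byte of 0x80 or above becomes a negative argument, which is undefined behaviour for the <ctype.h> functions. Because these strings come straight from the peer, the call should be `isalnum((unsigned char)s[i])`. The whitelist also accepts an empty string, so a separate length check is needed if an empty protocol name or cookie should be refused. x11req starts in this hunk and its body continues outside it.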
@@ -62,6 +80,11 @@
        chansess->x11authcookie = buf_getstring(ses.payload, NULL);
        chansess->x11screennum = buf_getint(ses.payload);
 
+       if (xauth_valid_string(chansess->x11authprot) == DROPBEAR_FAILURE ||
+               xauth_valid_string(chansess->x11authcookie) == 
DROPBEAR_FAILURE) {
+               dropbear_log(LOG_WARNING, "Bad xauth request");
+               goto fail;
+       }
        /* create listening socket */
        fd = socket(PF_INET, SOCK_STREAM, 0);
        if (fd < 0) {
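Review bot: The new check in x11req carries no comment saying why these two strings are validated, and the place they are consumed is in a different function. They appear to be the values later written to xauth by the `fprintf(authprog, "add %s %s %s\n", ...)` call further down the file, where an embedded newline would begin a new xauth command. A comment above the `if`, such as `/* these strings are later passed to xauth; reject anything outside the xauth_valid_string whitelist */`, would keep that link visible to whoever edits either side. The `fail` label is outside the hunk; presumably it frees both strings and closes `fd`, which would explain the new `fd = -1` initialiser, but that should be confirmed against the full function.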
@@ -159,7 +182,7 @@
                return;
        }
 
-       /* popen is a nice function - code is strongly based on OpenSSH's */
+       /* code is strongly based on OpenSSH's */
        authprog = popen(XAUTH_COMMAND, "w");
        if (authprog) {
                fprintf(authprog, "add %s %s %s\n",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dropbear-2015.71/sysoptions.h 
new/dropbear-2016.72/sysoptions.h
--- old/dropbear-2015.71/sysoptions.h   2015-12-03 14:24:00.000000000 +0100
+++ new/dropbear-2016.72/sysoptions.h   2016-03-09 15:54:54.000000000 +0100
@@ -4,7 +4,7 @@
  *******************************************************************/
 
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2015.71"
+#define DROPBEAR_VERSION "2016.72"
 #endif
 
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION

