[source] dropbear: bump to 2017.75

LEDE Commits lede-commits at lists.infradead.org
Sun May 21 14:57:14 PDT 2017


hauke pushed a commit to source.git, branch master:
https://git.lede-project.org/6e10fc74fd569b71b6f64f5a2420dc624d73bee2

commit 6e10fc74fd569b71b6f64f5a2420dc624d73bee2
Author: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
AuthorDate: Sat May 20 12:54:11 2017 +0100

    dropbear: bump to 2017.75
    
    - Security: Fix double-free in server TCP listener cleanup A double-free
    in the server could be triggered by an authenticated user if dropbear is
    running with -a (Allow connections to forwarded ports from any host)
    This could potentially allow arbitrary code execution as root by an
    authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
    Shepard for reporting the crash.
    CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c
    
    - Security: Fix information disclosure with ~/.ssh/authorized_keys
    symlink.  Dropbear parsed authorized_keys as root, even if it were a
    symlink.  The fix is to switch to user permissions when opening
    authorized_keys
    
    A user could symlink their ~/.ssh/authorized_keys to a root-owned file
    they couldn't normally read. If they managed to get that file to contain
    valid authorized_keys with command= options it might be possible to read
    other contents of that file.
    This information disclosure is to an already authenticated user.
    Thanks to Jann Horn of Google Project Zero for reporting this.
    CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123
    
    Refresh patches, rework 100-pubkey_path.patch to work with new
    authorized_keys validation.
    
    Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
---
 package/network/services/dropbear/Makefile         |  6 +++---
 .../dropbear/patches/100-pubkey_path.patch         | 24 +++++++++-------------
 2 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 5e518da..1e2588d 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2016.74
-PKG_RELEASE:=2
+PKG_VERSION:=2017.75
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	http://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_HASH:=2720ea54ed009af812701bcc290a2a601d5c107d12993e5d92c0f5f81f718891
+PKG_HASH:=6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
index 41fdc1a..401c7e1 100644
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -1,6 +1,6 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -218,17 +218,21 @@ static int checkpubkey(char* algo, unsig
+@@ -220,14 +220,20 @@ static int checkpubkey(char* algo, unsig
  		goto out;
  	}
  
@@ -12,9 +12,6 @@
 -	filename = m_malloc(len + 22);
 -	snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
 -				ses.authstate.pw_dir);
--
--	/* open the file */
--	authfile = fopen(filename, "r");
 +	if (ses.authstate.pw_uid != 0) {
 +		/* we don't need to check pw and pw_dir for validity, since
 +		 * its been done in checkpubkeyperms. */
@@ -22,18 +19,17 @@
 +		/* allocate max required pathname storage,
 +		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
 +		filename = m_malloc(len + 22);
-+		snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
-+		         ses.authstate.pw_dir);
-+
-+		/* open the file */
-+		authfile = fopen(filename, "r");
++		snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
++					ses.authstate.pw_dir);
 +	} else {
-+		authfile = fopen("/etc/dropbear/authorized_keys","r");
++		filename = m_malloc(30);
++		strncpy(filename, "/etc/dropbear/authorized_keys", 30);
 +	}
- 	if (authfile == NULL) {
- 		goto out;
- 	}
-@@ -381,26 +385,35 @@ static int checkpubkeyperms() {
++
+ 
+ 	/* open the file as the authenticating user. */
+ 	origuid = getuid();
+@@ -396,26 +402,35 @@ static int checkpubkeyperms() {
  		goto out;
  	}
  



More information about the lede-commits mailing list