[Secure-testing-team] Bug#862970: dropbear-bin: Double-free in server TCP listener cleanup; information disclosure with ~/.ssh/authorized_keys symlink

Guilhem Moulin guilhem at debian.org
Fri May 19 12:50:55 UTC 2017


Package: dropbear
Version: 2014.65-1+deb8u2
Severity: grave
Tags: security
Justification: user security hole

dropbear 2017.75 was released [0] on May 18 and fixes the following two
security vulnerabilities, for which no CVE was assigned yet AFAIK [1].

    - Security: Fix double-free in server TCP listener cleanup
      A double-free in the server could be triggered by an authenticated
      user if dropbear is running with -a (Allow connections to
      forwarded ports from any host). This could potentially allow
      arbitrary code execution as root by an authenticated user.
      Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for
      reporting the crash.

    Patch: https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

    - Security: Fix information disclosure with ~/.ssh/authorized_keys
      symlink.
      Dropbear parsed authorized_keys as root, even if it were a
      symlink. The fix is to switch to user permissions when opening
      authorized_keys.

      A user could symlink their ~/.ssh/authorized_keys to a root-owned
      file they couldn't normally read. If they managed to get that file
      to contain valid authorized_keys with command= options it might be
      possible to read other contents of that file.
      This information disclosure is to an already authenticated user.
      Thanks to Jann Horn of Google Project Zero for reporting this.

    Patch: https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

-- 
Guilhem.

[0] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001985.html
    https://matt.ucc.asn.au/dropbear/CHANGES (currently yields 403)
[1] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001987.html
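Added example (not dropbear's code and not part of the bug report above) of the defensive pattern the authorized_keys fix describes: open the file while holding the authenticating user's effective uid/gid rather than root's, and refuse symlinks. The function names, the /tmp scratch directory and the /etc/shadow symlink target are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open authorized_keys with the user's effective uid/gid, as the fix above
 * describes, so a symlink to a file the user cannot read fails at open()
 * instead of being parsed as root; O_NOFOLLOW refuses symlinks outright as a
 * second layer. Returns an fd, or -1 with errno set (EPERM: root not regained). */
int open_authorized_keys_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t root_uid = geteuid(); gid_t root_gid = getegid();
    int dropped = (root_uid == 0), fd, err;
    struct stat st;
    /* gid first: once the euid is unprivileged the egid can no longer be changed */
    if (dropped && (setegid(gid) != 0 || seteuid(uid) != 0)) return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); err = errno;
    if (dropped && (seteuid(root_uid) != 0 || setegid(root_gid) != 0)) {
        if (fd >= 0) close(fd);
        errno = EPERM; return -1;          /* a real server must treat this as fatal */
    }
    /* validate the open fd, not the path, so there is no TOCTOU window */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd); errno = EACCES; return -1;
    }
    if (fd < 0) errno = err;
    return fd;
}

/* Constructed scenario (hypothetical helper): an empty key file next to a
 * symlink pointing at a root-owned file. Returns 1 if the real file opens
 * and the symlink is refused, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/akeys-XXXXXX", real[64], link[64];
    int ok = 0, fd;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(real, sizeof real, "%s/authorized_keys", dir);
    snprintf(link, sizeof link, "%s/authorized_keys.lnk", dir);
    if ((fd = open(real, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);  /* empty key file */
    if (symlink("/etc/shadow", link) == 0 &&
        (fd = open_authorized_keys_as_user(real, getuid(), getgid())) >= 0) {
        ok = (open_authorized_keys_as_user(link, getuid(), getgid()) == -1);
        close(fd);
    }
    unlink(real); unlink(link); rmdir(dir);
    return ok;
}
```

When the process is not root the seteuid/setegid calls are skipped and the file is simply opened with the caller's own credentials, so the same function is usable in unprivileged tests.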