Dropbear 2017.75
Guilhem Moulin
guilhem at fripost.org
Fri May 19 20:37:28 AWST 2017
Hi Matt,

On Thu, 18 May 2017 at 23:02:09 +0800, Matt Johnston wrote:
> Dropbear 2017.75 is released. This has a couple of security
> fixes and a couple of bug fixes since 2016.74.

FYI https://matt.ucc.asn.au/dropbear/CHANGES yields 403 forbidden.

> - Security: Fix double-free in server TCP listener cleanup
> A double-free in the server could be triggered by an authenticated user if
> dropbear is running with -a (Allow connections to forwarded ports from any host)
> This could potentially allow arbitrary code execution as root by an authenticated user.
> Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash.
>
> - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink.
> Dropbear parsed authorized_keys as root, even if it were a symlink. The fix
> is to switch to user permissions when opening authorized_keys
>
> A user could symlink their ~/.ssh/authorized_keys to a root-owned file they
> couldn't normally read. If they managed to get that file to contain valid
> authorized_keys with command= options it might be possible to read other
> contents of that file.
> This information disclosure is to an already authenticated user.
> Thanks to Jann Horn of Google Project Zero for reporting this.

We're backporting these two to Debian Jessie (stable, soon to be
oldstable). Did you already request CVE IDs?

Cheers,
--
Guilhem.
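
The fix described in the quoted release notes (opening authorized_keys with the user's permissions instead of root's) can be sketched as follows. This is an added example, not part of the original message and not Dropbear's code; the helper name `open_as_user` is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not Dropbear's code: open `path` read-only while the
 * effective uid/gid are those of the account being authenticated, so the
 * kernel checks that user's permissions on the final target of any symlink.
 * Supplementary groups are not changed here; a root caller that carries
 * extra groups would also need to handle them (setgroups/initgroups). */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, saved_errno;

    /* Group first: after the euid drops, setegid() may no longer be allowed. */
    if (setegid(gid) < 0)
        return -1;
    if (seteuid(uid) < 0) {
        saved_errno = errno;
        if (setegid(saved_gid) < 0)
            _exit(1);
        errno = saved_errno;
        return -1;
    }

    fd = open(path, O_RDONLY | O_CLOEXEC);
    saved_errno = errno;

    /* Restore uid before gid. Continuing with half-switched ids is unsafe,
     * so a failed restore terminates the process. */
    if (seteuid(saved_uid) < 0 || setegid(saved_gid) < 0)
        _exit(1);
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    /* Demo uses our own ids; a server would pass the target account's ids. */
    int fd = open_as_user(argv[1], getuid(), getgid());
    if (fd < 0) { perror("open_as_user"); return 1; }
    close(fd);
    return 0;
}
```

With this pattern, a symlink from ~/.ssh/authorized_keys to a file the user cannot read fails at `open()` with EACCES instead of being parsed with root's access.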