Changeset 32104


Timestamp:
May 19, 2017, 9:12:28 AM (2 months ago)
Author:
brainslayer
Message:

update dropbear

Location:
src/router/dropbear
Files:
17 edited

  • src/router/dropbear/.hg_archival.txt

    r30270 r32104  
    11repo: d7da3b1e15401eb234ec866d5eac992fc4cd5878
    2 node: 0ed3d2bbf956cb8a9bf0f4b5a86b7dd9688205cb
     2node: c31276613181c5cff7854e7ef586ace03424e55e
    33branch: default
    4 latesttag: DROPBEAR_2016.73
     4latesttag: DROPBEAR_2016.74
    55latesttagdistance: 12
    66changessincelatesttag: 12
  • src/router/dropbear/.hgsigs

    r29282 r32104  
    2121926e7275cef4f4f2a4251597ee4814748394824c 0 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
    2222fd1981f41c626a969f07b4823848deaefef3c8aa 0 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
     239030ffdbe5625e35ed7189ab84a41dfc8d413e9c 0 iQIcBAABCgAGBQJXkOg0AAoJEESTFJTynGdzc1kP/3vSKCnhOOvjCjnpTQadYcCUq8vTNnfLHYVu0R4ItPa/jT6RmxoaYP+lZnLnnBx9+aX7kzwHsa9BUX3MbMEyLrOzX2I+bDJbNPhQyupyCuPYlf5Q9KVcO9YlpbsC4q5XBzCn3j2+pT8kSfi9uD8fgY3TgE4w9meINrfQAealfjwMLT8S/I49/ni0r+usSfk/dnSShJYDUO7Ja0VWbJea/GkkZTu30bCnMUZPjRApipU3hPP63WFjkSMT1rp2mAXbWqyr9lf8z32yxzM9nMSjq4ViRFzFlkGtE3EVRJ4PwkO7JuiWAMPJpiQcEr+r52cCsmWhiGyHuINo01MwoMO9/n6uL1WVa3mJcE9se3xBOvfgDu2FRFGCAdm1tef+AGVo9EG1uJXi0sX2yUc6DMeuYaRWrXMMlZh7zp9cuNU9Y/lLui9RFmq66yeXG3Z2B72doju3Ig5QGrNNw2AOsSzeHdAtOp6ychqPcl9QfIeJQG18KyPSefZKM3G8YRKBRIwXFEH6iZJe5ZIP4iXrHDMn2JqtTRtDqKR8VNDAgb9z4Ffx8QRxFyj5JzTTMM1GddHb9udLvTQlO0ULYG7hCSMRNzvUBE2aTw8frjLRyfyyg3QpDu/hz8op8s1ecE8rTCD8RuX9DiiylNozypPtGNS+UDbAmkc1PCWaRpPVl+9K6787
  • src/router/dropbear/CHANGES

    r30270 r32104  
     12017.75 - 18 May 2017
     2
     3- Security: Fix double-free in server TCP listener cleanup
     4  A double-free in the server could be triggered by an authenticated user if
     5  dropbear is running with -a (Allow connections to forwarded ports from any host)
     6  This could potentially allow arbitrary code execution as root by an authenticated user.
     7  Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash.
     8
     9- Security: Fix information disclosure with ~/.ssh/authorized_keys symlink.
     10  Dropbear parsed authorized_keys as root, even if it were a symlink. The fix
     11  is to switch to user permissions when opening authorized_keys
     12
     13  A user could symlink their ~/.ssh/authorized_keys to a root-owned file they
     14  couldn't normally read. If they managed to get that file to contain valid
     15  authorized_keys with command= options it might be possible to read other
     16  contents of that file.
     17  This information disclosure is to an already authenticated user.
     18  Thanks to Jann Horn of Google Project Zero for reporting this.
     19
     20- Generate hostkeys with dropbearkey atomically and flush to disk with fsync
     21  Thanks to Andrei Gherzan for a patch
     22
     23- Fix out of tree builds with bundled libtom
     24  Thanks to Henrik Nordström and Peter Krefting for patches.
     25
    1262016.74 - 21 July 2016
    227
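Review bot: the two 2017.75 security entries (lines 3-18 of the hunk) carry neither a CVE identifier nor an upstream revision URL, whereas every 2016.74 security entry below lists both (for example `CVE-2016-7406` with `https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb`); add them once assigned so downstream package trackers can map a version to the fix. The symlink entry (line 10-11) says the fix "is to switch to user permissions when opening authorized_keys"; the svr-authpubkey.c change in this same changeset only swaps the effective uid/gid around `fopen`, so wording it as "opens the file with the user's effective uid/gid" would describe the mitigation more precisely.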
     
    1035  run arbitrary code as the dbclient user. This could be a problem if scripts
    1136  or webpages pass untrusted input to the dbclient program.
     37  CVE-2016-7406
     38  https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb
    1239
    1340- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
    1441  the local dropbearconvert user when parsing malicious key files
     42  CVE-2016-7407
     43  https://secure.ucc.asn.au/hg/dropbear/rev/34e6127ef02e
    1544
    1645- Security: dbclient could run arbitrary code as the local dbclient user if
    1746  particular -m or -c arguments are provided. This could be an issue where
    1847  dbclient is used in scripts.
     48  CVE-2016-7408
     49  https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6
    1950
    2051- Security: dbclient or dropbear server could expose process memory to the
    2152  running user if compiled with DEBUG_TRACE and running with -v
     53  CVE-2016-7409
     54  https://secure.ucc.asn.au/hg/dropbear/rev/6a14b1f6dc04
    2255
    2356  The security issues were reported by an anonymous researcher working with
     
    6598- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
    6699  found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116
     100  https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
    67101
    681022015.71 - 3 December 2015
     
    343377  of service
    344378  Thanks to Logan Lamb for reporting and investigating it. CVE-2013-4421
     379  https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f
    345380
    346381- Avoid disclosing existence of valid users through inconsistent delays
    347382  Thanks to Logan Lamb for reporting. CVE-2013-4434
     383  https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a
    348384
    349385- Update config.guess and config.sub for newer architectures
     
    448484  Thanks to Danny Fullerton of Mantor Organization for reporting
    449485  the bug.
     486  https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
    450487
    451488- Compile fix, only apply IPV6 socket options if they are available in headers
  • src/router/dropbear/buffer.c

    r30270 r32104  
    110110        }
    111111        buf->len = len;
     112        buf->pos = MIN(buf->pos, buf->len);
    112113}
    113114
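Review bot: the new clamp at line 112 silently moves `buf->pos` back whenever `len` shrinks below it, so a caller that wrote past the new length loses its position without any signal; a one-line comment stating the invariant being enforced (`pos <= len`) would make the intent clear, and if reaching this state indicates a caller bug it may be worth a `dropbear_exit` or debug-build assertion rather than a silent adjustment.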
  • src/router/dropbear/dbutil.c

    r29282 r32104  
    686686}
    687687
    688 
     688void fsync_parent_dir(const char* fn) {
     689#ifdef HAVE_LIBGEN_H
     690        char *fn_dir = m_strdup(fn);
     691        char *dir = dirname(fn_dir);
     692        int dirfd = open(dir, O_RDONLY);
     693
     694        if (dirfd != -1) {
     695                if (fsync(dirfd) != 0) {
     696                        TRACE(("fsync of directory %s failed: %s", dir, strerror(errno)))
     697                }
     698                m_close(dirfd);
     699        } else {
     700                TRACE(("error opening directory %s for fsync: %s", dir, strerror(errno)))
     701        }
     702
     703        free(fn_dir);
     704#endif
     705}
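Review bot: `free(fn_dir)` at line 703 releases memory obtained from `m_strdup` at line 690; the rest of this file pairs `m_strdup` with `m_free`, so use `m_free(fn_dir)` for consistency. Also, when `HAVE_LIBGEN_H` is not defined the entire body compiles away and the caller has no indication that the directory was never flushed; consider a `#else` branch with at least a `TRACE` so the missing durability guarantee shows up in debug output.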
  • src/router/dropbear/dbutil.h

    r29282 r32104  
    9191char * expand_homedir_path(const char *inpath);
    9292
     93void fsync_parent_dir(const char* fn);
     94
    9395#endif /* DROPBEAR_DBUTIL_H_ */
  • src/router/dropbear/debian/changelog

    r30270 r32104  
     1dropbear (2017.75-0.1) unstable; urgency=low
     2
     3  * New upstream release.
     4
     5 -- Matt Johnston <matt@ucc.asn.au>  Thu, 18 May 2017 22:51:57 +0800
     6
    17dropbear (2016.74-0.1) unstable; urgency=low
    28
  • src/router/dropbear/dropbearkey.c

    r29282 r32104  
    242242
    243243        fprintf(stderr, "Generating key, this may take a while...\n");
    244         if (signkey_generate(keytype, bits, filename) == DROPBEAR_FAILURE)
     244        if (signkey_generate(keytype, bits, filename, 0) == DROPBEAR_FAILURE)
    245245        {
    246246                dropbear_exit("Failed to generate key.\n");
  • src/router/dropbear/gensignkey.c

    r29282 r32104  
    7777}
    7878
    79 int signkey_generate(enum signkey_type keytype, int bits, const char* filename)
     79/* if skip_exist is set it will silently return if the key file exists */
     80int signkey_generate(enum signkey_type keytype, int bits, const char* filename, int skip_exist)
    8081{
    8182        sign_key * key = NULL;
    8283        buffer *buf = NULL;
     84        char *fn_temp = NULL;
    8385        int ret = DROPBEAR_FAILURE;
    8486        if (bits == 0)
     
    127129        key = NULL;
    128130        buf_setpos(buf, 0);
    129         ret = buf_writefile(buf, filename);
    130131
    131         buf_burn(buf);
    132         buf_free(buf);
    133         buf = NULL;
     132        fn_temp = m_malloc(strlen(filename) + 30);
     133        snprintf(fn_temp, strlen(filename)+30, "%s.tmp%d", filename, getpid());
     134        ret = buf_writefile(buf, fn_temp);
     135
     136        if (ret == DROPBEAR_FAILURE) {
     137                goto out;
     138        }
     139
     140        if (link(fn_temp, filename) < 0) {
     141                /* If generating keys on connection (skipexist) it's OK to get EEXIST
     142                - we probably just lost a race with another connection to generate the key */
     143                if (!(skip_exist && errno == EEXIST)) {
     144                        dropbear_log(LOG_ERR, "Failed moving key file to %s: %s", filename,
     145                                strerror(errno));
     146                        /* XXX fallback to non-atomic copy for some filesystems? */
     147                        ret = DROPBEAR_FAILURE;
     148                        goto out;
     149                }
     150        }
     151
     152out:
     153        if (buf) {
     154                buf_burn(buf);
     155                buf_free(buf);
     156        }
     157       
     158        if (fn_temp) {
     159                unlink(fn_temp);
     160                m_free(fn_temp);
     161        }
     162
    134163        return ret;
    135164}
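Review bot: the header comment at line 79 says the function "will silently return if the key file exists" when `skip_exist` is set, but in the visible hunk the existence check happens only at `link()` (lines 140-143), after the key has already been generated and written to `fn_temp`; if there is no earlier `access()`-style check in the elided lines 87-128, either add one before the expensive key generation or reword the comment to say the race is resolved at link time. Independently, when `skip_exist` swallows `EEXIST` the function returns whatever `ret` `buf_writefile` set at line 134 (success) even though the caller ends up using the pre-existing key, which is the intended behaviour for `svr_ensure_hostkey` but deserves a comment since `ret` is never explicitly assigned on that path.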
  • src/router/dropbear/gensignkey.h

    r29233 r32104  
    44#include "signkey.h"
    55
    6 int signkey_generate(enum signkey_type type, int bits, const char* filename);
     6int signkey_generate(enum signkey_type type, int bits, const char* filename, int skip_exist);
    77
    88#endif
  • src/router/dropbear/libtomcrypt/Makefile.in

    r23208 r32104  
    2020# Compilation flags. Note the += does not write over the user's CFLAGS!
    2121# The rest of the flags come from the parent Dropbear makefile
    22 CFLAGS += -c -I$(srcdir)/src/headers/ -I$(srcdir)/../ -DLTC_SOURCE -I$(srcdir)/../libtommath/
     22CFLAGS += -c -Isrc/headers/ -I$(srcdir)/src/headers/ -I../ -I$(srcdir)/../ -DLTC_SOURCE -I../libtommath/ -I$(srcdir)/../libtommath/
    2323
    2424# additional warnings (newer GCC 3.4 and higher)
  • src/router/dropbear/libtommath/Makefile.in

    r29282 r32104  
    1010
    1111# So that libtommath can include Dropbear headers for options and m_burn()
    12 CFLAGS += -I$(srcdir)/../libtomcrypt/src/headers/ -I$(srcdir)/../
     12CFLAGS += -I. -I$(srcdir) -I../libtomcrypt/src/headers/ -I$(srcdir)/../libtomcrypt/src/headers/ -I../ -I$(srcdir)/../
    1313
    1414ifndef IGNORE_SPEED
  • src/router/dropbear/svr-authpubkey.c

    r29282 r32104  
    202202        buffer * options_buf = NULL;
    203203        int line_num;
     204        uid_t origuid;
     205        gid_t origgid;
    204206
    205207        TRACE(("enter checkpubkey"))
     
    228230                                ses.authstate.pw_dir);
    229231
    230         /* open the file */
     232        /* open the file as the authenticating user. */
     233        origuid = getuid();
     234        origgid = getgid();
     235        if ((setegid(ses.authstate.pw_gid)) < 0 ||
     236                (seteuid(ses.authstate.pw_uid)) < 0) {
     237                dropbear_exit("Failed to set euid");
     238        }
     239
    231240        authfile = fopen(filename, "r");
     241
     242        if ((seteuid(origuid)) < 0 ||
     243                (setegid(origgid)) < 0) {
     244                dropbear_exit("Failed to revert euid");
     245        }
     246
    232247        if (authfile == NULL) {
    233248                goto out;
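Review bot: the euid/egid swap at lines 233-245 changes only the effective ids, not the supplementary group list, so an `authorized_keys` that the user can read only through a supplementary group will now fail to open where it previously succeeded as root; if that case matters, `initgroups()` plus a restore is needed, otherwise document the limitation. The ordering is correct (`setegid` before `seteuid` on the way down, `seteuid` before `setegid` on the way back), but both failure branches call `dropbear_exit`, which tears down the session for a condition that in a non-root server (where `seteuid` to a different user is not permitted) should probably just fail this authentication attempt; consider a `dropbear_log` followed by `goto out` instead.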
  • src/router/dropbear/svr-authpubkeyoptions.c

    r29233 r32104  
    9696                        /* original_command takes ownership */
    9797                        chansess->original_command = chansess->cmd;
     98                        chansess->cmd = NULL;
    9899                } else {
    99100                        chansess->original_command = m_strdup("");
     
    109110void svr_pubkey_options_cleanup() {
    110111        if (ses.authstate.pubkey_options) {
     112                if (ses.authstate.pubkey_options->forced_command) {
     113                        m_free(ses.authstate.pubkey_options->forced_command);
     114                }
    111115                m_free(ses.authstate.pubkey_options);
    112116                ses.authstate.pubkey_options = NULL;
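Review bot: freeing `forced_command` in `svr_pubkey_options_cleanup` (lines 112-114) closes a leak the old code had, since only the options struct itself was freed, and routing `bad_option` through the same function in the later hunk leaves a single teardown path; with cleanup now also reached from the parse-error path, confirm that `forced_command` is initialised to NULL when `pubkey_options` is allocated, otherwise the new `if` tests an uninitialised pointer on the error path.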
     
    201205bad_option:
    202206        ret = DROPBEAR_FAILURE;
    203         m_free(ses.authstate.pubkey_options);
    204         ses.authstate.pubkey_options = NULL;
     207        svr_pubkey_options_cleanup();
    205208        dropbear_log(LOG_WARNING, "Bad public key options at %s:%d", filename, line_num);
    206209
  • src/router/dropbear/svr-kex.c

    r29282 r32104  
    8888#ifdef DROPBEAR_DELAY_HOSTKEY
    8989
    90 static void fsync_parent_dir(const char* fn) {
    91 #ifdef HAVE_LIBGEN_H
    92         char *fn_dir = m_strdup(fn);
    93         char *dir = dirname(fn_dir);
    94         int dirfd = open(dir, O_RDONLY);
    95 
    96         if (dirfd != -1) {
    97                 if (fsync(dirfd) != 0) {
    98                         TRACE(("fsync of directory %s failed: %s", dir, strerror(errno)))
    99                 }
    100                 m_close(dirfd);
    101         } else {
    102                 TRACE(("error opening directory %s for fsync: %s", dir, strerror(errno)))
    103         }
    104 
    105         free(fn_dir);
    106 #endif
    107 }
    108 
    10990static void svr_ensure_hostkey() {
    11091
    11192        const char* fn = NULL;
    112         char *fn_temp = NULL;
    11393        enum signkey_type type = ses.newkeys->algo_hostkey;
    11494        void **hostkey = signkey_key_ptr(svr_opts.hostkey, type);
     
    146126        }
    147127
    148         fn_temp = m_malloc(strlen(fn) + 20);
    149         snprintf(fn_temp, strlen(fn)+20, "%s.tmp%d", fn, getpid());
    150 
    151         if (signkey_generate(type, 0, fn_temp) == DROPBEAR_FAILURE) {
     128        if (signkey_generate(type, 0, fn, 1) == DROPBEAR_FAILURE) {
    152129                goto out;
    153130        }
    154 
    155         if (link(fn_temp, fn) < 0) {
    156                 /* It's OK to get EEXIST - we probably just lost a race
    157                 with another connection to generate the key */
    158                 if (errno != EEXIST) {
    159                         dropbear_log(LOG_ERR, "Failed moving key file to %s: %s", fn,
    160                                 strerror(errno));
    161                         /* XXX fallback to non-atomic copy for some filesystems? */
    162                         goto out;
    163                 }
    164         }
    165 
    166         /* ensure directory update is flushed to disk, otherwise we can end up
    167         with zero-byte hostkey files if the power goes off */
    168         fsync_parent_dir(fn);
    169 
     131       
    170132        ret = readhostkey(fn, svr_opts.hostkey, &type);
    171133
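Review bot: the removed block at lines 166-168 was the only place in `svr_ensure_hostkey` that flushed the parent directory after `link()`, and the replacement `signkey_generate(type, 0, fn, 1)` hunk in gensignkey.c in this changeset likewise shows no `fsync_parent_dir` call after its own `link()`. If the flush has moved into `buf_writefile`, it runs before the link, so the directory entry for `fn` itself is not covered and the zero-byte-hostkey-after-power-loss scenario the old comment describes is back for the final name; add `fsync_parent_dir(fn)` after the link in gensignkey.c (or here, after the call returns) unless that is covered somewhere not visible in this diff.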
     
    185147
    186148out:
    187         if (fn_temp) {
    188                 unlink(fn_temp);
    189                 m_free(fn_temp);
    190         }
    191 
    192149        if (ret == DROPBEAR_FAILURE)
    193150        {
  • src/router/dropbear/svr-tcpfwd.c

    r29282 r32104  
    200200        else
    201201        {
    202                 tcpinfo->listenaddr = request_addr;
     202                tcpinfo->listenaddr = m_strdup(request_addr);
    203203        }
    204204
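Review bot: line 202 now gives `tcpinfo` its own copy of `request_addr` instead of aliasing a string owned by the request parser, which matches the CHANGES entry for the double-free in TCP listener cleanup (this `else` branch is presumably the `-a` path, where `listenaddr` is taken from the request rather than a fixed local address). Two things to confirm outside this hunk: the listener cleanup must free `listenaddr` exactly once, since the fix relies on `tcpinfo` owning the copy, and the caller that previously relied on `tcpinfo` taking ownership of `request_addr` must now free it itself or it becomes a leak.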
  • src/router/dropbear/sysoptions.h

    r30270 r32104  
    55
    66#ifndef DROPBEAR_VERSION
    7 #define DROPBEAR_VERSION "2016.74"
     7#define DROPBEAR_VERSION "2017.75"
    88#endif
    99