comparison CHANGES @ 1355:3fdd8c5a0195 fuzz

merge main to fuzz
author Matt Johnston <matt@ucc.asn.au>
date Thu, 18 May 2017 23:45:10 +0800
parents c31276613181
children 1a3c4ec0f840
1354:7618759e9327 1355:3fdd8c5a0195
1 2017.75 - 18 May 2017
2
3 - Security: Fix double-free in server TCP listener cleanup
4 A double-free in the server could be triggered by an authenticated user if
5 dropbear is running with -a (Allow connections to forwarded ports from any host)
6 This could potentially allow arbitrary code execution as root by an authenticated user.
7 Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash.
8
9 - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink.
10 Dropbear parsed authorized_keys as root, even if it were a symlink. The fix
11 is to switch to user permissions when opening authorized_keys
12
13 A user could symlink their ~/.ssh/authorized_keys to a root-owned file they
14 couldn't normally read. If they managed to get that file to contain valid
15 authorized_keys with command= options it might be possible to read other
16 contents of that file.
17 This information disclosure is to an already authenticated user.
18 Thanks to Jann Horn of Google Project Zero for reporting this.
19
20 - Generate hostkeys with dropbearkey atomically and flush to disk with fsync
21 Thanks to Andrei Gherzan for a patch
22
23 - Fix out of tree builds with bundled libtom
24 Thanks to Henrik Nordström and Peter Krefting for patches.
25
1 2016.74 - 21 July 2016 26 2016.74 - 21 July 2016
2 27
3 - Security: Message printout was vulnerable to format string injection. 28 - Security: Message printout was vulnerable to format string injection.
4 29
5 If specific usernames including "%" symbols can be created on a system 30 If specific usernames including "%" symbols can be created on a system
7 when connecting to Dropbear server. 32 when connecting to Dropbear server.
8 33
9 A dbclient user who can control username or host arguments could potentially 34 A dbclient user who can control username or host arguments could potentially
10 run arbitrary code as the dbclient user. This could be a problem if scripts 35 run arbitrary code as the dbclient user. This could be a problem if scripts
11 or webpages pass untrusted input to the dbclient program. 36 or webpages pass untrusted input to the dbclient program.
37 CVE-2016-7406
38 https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb
12 39
13 - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as 40 - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
14 the local dropbearconvert user when parsing malicious key files 41 the local dropbearconvert user when parsing malicious key files
42 CVE-2016-7407
43 https://secure.ucc.asn.au/hg/dropbear/rev/34e6127ef02e
15 44
16 - Security: dbclient could run arbitrary code as the local dbclient user if 45 - Security: dbclient could run arbitrary code as the local dbclient user if
17 particular -m or -c arguments are provided. This could be an issue where 46 particular -m or -c arguments are provided. This could be an issue where
18 dbclient is used in scripts. 47 dbclient is used in scripts.
48 CVE-2016-7408
49 https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6
19 50
20 - Security: dbclient or dropbear server could expose process memory to the 51 - Security: dbclient or dropbear server could expose process memory to the
21 running user if compiled with DEBUG_TRACE and running with -v 52 running user if compiled with DEBUG_TRACE and running with -v
53 CVE-2016-7409
54 https://secure.ucc.asn.au/hg/dropbear/rev/6a14b1f6dc04
22 55
23 The security issues were reported by an anonymous researcher working with 56 The security issues were reported by an anonymous researcher working with
24 Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html 57 Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html
25 58
26 - Fix port forwarding failure when connecting to domains that have both 59 - Fix port forwarding failure when connecting to domains that have both
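Review bot: the two new 2017.75 security entries (new lines 3-7, the double-free in TCP listener cleanup, and new lines 9-18, the authorized_keys symlink disclosure) carry no CVE identifier and no secure.ucc.asn.au/hg/dropbear/rev/... link, while this same change adds exactly those two lines under every 2016.74 security item (new lines 37-38, 42-43, 48-49, 53-54). Either add the identifier and fixing-revision link for each of the two new items, or add a line saying the CVE is pending, so the current release is not the only one readers cannot cross-reference. Also, new line 11 ends without a full stop ("... when opening authorized_keys"); the other entries end their sentences.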
62 95
63 2016.72 - 9 March 2016 96 2016.72 - 9 March 2016
64 97
65 - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, 98 - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
66 found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116 99 found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116
100 https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
67 101
68 2015.71 - 3 December 2015 102 2015.71 - 3 December 2015
69 103
70 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 104 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
71 105
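Review bot: new line 99 (unchanged context) reads "Thanks for Damien Miller for a patch"; since the 2016.72 entry is already being touched to add the rev link on new line 100, fix it to "Thanks to Damien Miller for a patch" in the same change.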
340 Patch from Martin Donnelly 374 Patch from Martin Donnelly
341 375
342 - Limit the size of decompressed payloads, avoids memory exhaustion denial 376 - Limit the size of decompressed payloads, avoids memory exhaustion denial
343 of service 377 of service
344 Thanks to Logan Lamb for reporting and investigating it. CVE-2013-4421 378 Thanks to Logan Lamb for reporting and investigating it. CVE-2013-4421
379 https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f
345 380
346 - Avoid disclosing existence of valid users through inconsistent delays 381 - Avoid disclosing existence of valid users through inconsistent delays
347 Thanks to Logan Lamb for reporting. CVE-2013-4434 382 Thanks to Logan Lamb for reporting. CVE-2013-4434
383 https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a
348 384
349 - Update config.guess and config.sub for newer architectures 385 - Update config.guess and config.sub for newer architectures
350 386
351 - Avoid segfault in server for locked accounts 387 - Avoid segfault in server for locked accounts
352 388
445 authorized_keys restrictions are used. Could allow arbitrary code execution 481 authorized_keys restrictions are used. Could allow arbitrary code execution
446 or bypass of the command="..." restriction to an authenticated user. 482 or bypass of the command="..." restriction to an authenticated user.
447 This bug affects releases 0.52 onwards. Ref CVE-2012-0920. 483 This bug affects releases 0.52 onwards. Ref CVE-2012-0920.
448 Thanks to Danny Fullerton of Mantor Organization for reporting 484 Thanks to Danny Fullerton of Mantor Organization for reporting
449 the bug. 485 the bug.
486 https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
450 487
451 - Compile fix, only apply IPV6 socket options if they are available in headers 488 - Compile fix, only apply IPV6 socket options if they are available in headers
452 Thanks to Gustavo Zacarias for the patch 489 Thanks to Gustavo Zacarias for the patch
453 490
454 - Overwrite session key memory on exit 491 - Overwrite session key memory on exit
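Review bot: new line 483 (unchanged context) states "This bug affects releases 0.52 onwards" with no upper bound, which leaves it unclear whether the release this entry belongs to is still affected; the 2017.75 entry added in this same change uses the form "Affects versions 2013.56 to 2016.74", so while adding the rev link on new line 486, give the last affected release here as well.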