Mercurial > dropbear
comparison CHANGES @ 1344:b90da477ab63 coverity
merge coverity
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Thu, 18 May 2017 23:02:39 +0800 |
| parents | c31276613181 |
| children | 1a3c4ec0f840 |
comparison
equal
deleted
inserted
replaced
| 1318:10e2a7727253 | 1344:b90da477ab63 |
|---|---|
| 1 2017.75 - 18 May 2017 | |
| 2 | |
| 3 - Security: Fix double-free in server TCP listener cleanup | |
| 4 A double-free in the server could be triggered by an authenticated user if | |
| 5 dropbear is running with -a (Allow connections to forwarded ports from any host) | |
| 6 This could potentially allow arbitrary code execution as root by an authenticated user. | |
| 7 Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash. | |
| 8 | |
| 9 - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink. | |
| 10 Dropbear parsed authorized_keys as root, even if it were a symlink. The fix | |
| 11 is to switch to user permissions when opening authorized_keys | |
| 12 | |
| 13 A user could symlink their ~/.ssh/authorized_keys to a root-owned file they | |
| 14 couldn't normally read. If they managed to get that file to contain valid | |
| 15 authorized_keys with command= options it might be possible to read other | |
| 16 contents of that file. | |
| 17 This information disclosure is to an already authenticated user. | |
| 18 Thanks to Jann Horn of Google Project Zero for reporting this. | |
| 19 | |
| 20 - Generate hostkeys with dropbearkey atomically and flush to disk with fsync | |
| 21 Thanks to Andrei Gherzan for a patch | |
| 22 | |
| 23 - Fix out of tree builds with bundled libtom | |
| 24 Thanks to Henrik Nordström and Peter Krefting for patches. | |
| 25 | |
| 1 2016.74 - 21 July 2016 | 26 2016.74 - 21 July 2016 |
| 2 | 27 |
| 3 - Security: Message printout was vulnerable to format string injection. | 28 - Security: Message printout was vulnerable to format string injection. |
| 4 | 29 |
| 5 If specific usernames including "%" symbols can be created on a system | 30 If specific usernames including "%" symbols can be created on a system |
| 7 when connecting to Dropbear server. | 32 when connecting to Dropbear server. |
| 8 | 33 |
| 9 A dbclient user who can control username or host arguments could potentially | 34 A dbclient user who can control username or host arguments could potentially |
| 10 run arbitrary code as the dbclient user. This could be a problem if scripts | 35 run arbitrary code as the dbclient user. This could be a problem if scripts |
| 11 or webpages pass untrusted input to the dbclient program. | 36 or webpages pass untrusted input to the dbclient program. |
| 37 CVE-2016-7406 | |
| 38 https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb | |
| 12 | 39 |
| 13 - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as | 40 - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as |
| 14 the local dropbearconvert user when parsing malicious key files | 41 the local dropbearconvert user when parsing malicious key files |
| 42 CVE-2016-7407 | |
| 43 https://secure.ucc.asn.au/hg/dropbear/rev/34e6127ef02e | |
| 15 | 44 |
| 16 - Security: dbclient could run arbitrary code as the local dbclient user if | 45 - Security: dbclient could run arbitrary code as the local dbclient user if |
| 17 particular -m or -c arguments are provided. This could be an issue where | 46 particular -m or -c arguments are provided. This could be an issue where |
| 18 dbclient is used in scripts. | 47 dbclient is used in scripts. |
| 48 CVE-2016-7408 | |
| 49 https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6 | |
| 19 | 50 |
| 20 - Security: dbclient or dropbear server could expose process memory to the | 51 - Security: dbclient or dropbear server could expose process memory to the |
| 21 running user if compiled with DEBUG_TRACE and running with -v | 52 running user if compiled with DEBUG_TRACE and running with -v |
| 53 CVE-2016-7409 | |
| 54 https://secure.ucc.asn.au/hg/dropbear/rev/6a14b1f6dc04 | |
| 22 | 55 |
| 23 The security issues were reported by an anonymous researcher working with | 56 The security issues were reported by an anonymous researcher working with |
| 24 Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html | 57 Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html |
| 25 | 58 |
| 26 - Fix port forwarding failure when connecting to domains that have both | 59 - Fix port forwarding failure when connecting to domains that have both |
| 62 | 95 |
| 63 2016.72 - 9 March 2016 | 96 2016.72 - 9 March 2016 |
| 64 | 97 |
| 65 - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, | 98 - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, |
| 66 found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116 | 99 found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116 |
| 100 https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff | |
| 67 | 101 |
| 68 2015.71 - 3 December 2015 | 102 2015.71 - 3 December 2015 |
| 69 | 103 |
| 70 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 | 104 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 |
| 71 | 105 |
| 340 Patch from Martin Donnelly | 374 Patch from Martin Donnelly |
| 341 | 375 |
| 342 - Limit the size of decompressed payloads, avoids memory exhaustion denial | 376 - Limit the size of decompressed payloads, avoids memory exhaustion denial |
| 343 of service | 377 of service |
| 344 Thanks to Logan Lamb for reporting and investigating it. CVE-2013-4421 | 378 Thanks to Logan Lamb for reporting and investigating it. CVE-2013-4421 |
| 379 https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f | |
| 345 | 380 |
| 346 - Avoid disclosing existence of valid users through inconsistent delays | 381 - Avoid disclosing existence of valid users through inconsistent delays |
| 347 Thanks to Logan Lamb for reporting. CVE-2013-4434 | 382 Thanks to Logan Lamb for reporting. CVE-2013-4434 |
| 383 https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a | |
| 348 | 384 |
| 349 - Update config.guess and config.sub for newer architectures | 385 - Update config.guess and config.sub for newer architectures |
| 350 | 386 |
| 351 - Avoid segfault in server for locked accounts | 387 - Avoid segfault in server for locked accounts |
| 352 | 388 |
| 445 authorized_keys restrictions are used. Could allow arbitrary code execution | 481 authorized_keys restrictions are used. Could allow arbitrary code execution |
| 446 or bypass of the command="..." restriction to an authenticated user. | 482 or bypass of the command="..." restriction to an authenticated user. |
| 447 This bug affects releases 0.52 onwards. Ref CVE-2012-0920. | 483 This bug affects releases 0.52 onwards. Ref CVE-2012-0920. |
| 448 Thanks to Danny Fullerton of Mantor Organization for reporting | 484 Thanks to Danny Fullerton of Mantor Organization for reporting |
| 449 the bug. | 485 the bug. |
| 486 https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749 | |
| 450 | 487 |
| 451 - Compile fix, only apply IPV6 socket options if they are available in headers | 488 - Compile fix, only apply IPV6 socket options if they are available in headers |
| 452 Thanks to Gustavo Zacarias for the patch | 489 Thanks to Gustavo Zacarias for the patch |
| 453 | 490 |
| 454 - Overwrite session key memory on exit | 491 - Overwrite session key memory on exit |