# HG changeset patch # User Matt Johnston # Date 1495036638 -28800 # Node ID 8978d879ef07f0cd98cc31be89eced4932227727 # Parent efad433418c4aaac6d764f323d769d477aa2ff2f changes for 2017.75 diff -r efad433418c4 -r 8978d879ef07 CHANGES --- a/CHANGES Sat Nov 19 00:31:21 2016 +0800 +++ b/CHANGES Wed May 17 23:57:18 2017 +0800 @@ -1,3 +1,28 @@ +2017.75 - 18 May 2017 + +- Security: Fix double-free in server TCP listener cleanup + A double-free in the server could be triggered by an authenticated user if + dropbear is running with -a (Allow connections to forwarded ports from any host) + This could potentially allow arbitrary code execution as root by an authenticated user. + Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash. + +- Security: Fix information disclosure with ~/.ssh/authorized_keys symlink. + Dropbear parsed authorized_keys as root, even if it were a symlink. The fix + is to switch to user permissions when opening authorized_keys + + A user could symlink their ~/.ssh/authorized_keys to a root-owned file they + couldn't normally read. If they managed to get that file to contain valid + authorized_keys with command= options it might be possible to read other + contents of that file. + This information disclosure is to an already authenticated user. + Thanks to Jann Horn of Google Project Zero for reporting this. + +- Call fsync() to ensure that new hostkeys (dropbear -R) are flushed to disk + Thanks to Andrei Gherzan for a patch + +- Fix out of tree builds with bundled libtom + Thanks to Henrik Nordström and Peter Krefting for patches. + 2016.74 - 21 July 2016 - Security: Message printout was vulnerable to format string injection.
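Review bot: The second security entry ("Fix information disclosure with ~/.ssh/authorized_keys symlink") states no affected-version range, while the double-free entry above it gives "Affects versions 2013.56 to 2016.74"; add the range for the authorized_keys issue too so downstream packagers can tell at a glance which releases need the fix, and if identifiers have been assigned for either issue, record them in the entry. Minor style points in the same hunk: "is to switch to user permissions when opening authorized_keys" and "Thanks to Andrei Gherzan for a patch" both lack the trailing period the surrounding entries use, and the phrase "it might be possible to read other contents of that file" would read more precisely as a statement of what the command= option exposes (the error output of a parse attempt) rather than a hedge.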