Ubuntu
dropbear package

Merge lp:~jtaylor/ubuntu/oneiric/dropbear/CVE-2012-0920 into lp:ubuntu/oneiric/dropbear

  1. Oneiric (11.10)
  2. CVE-2012-0920
  3. Merge into oneiric
Proposed by Julian Taylor
Status: Rejected
Rejected by: Martin Pitt
Proposed branch: lp:~jtaylor/ubuntu/oneiric/dropbear/CVE-2012-0920
Merge into: lp:ubuntu/oneiric/dropbear
Diff against target: 122 lines (+110/-0)
2 files modified
debian/changelog (+10/-0)
debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff (+100/-0)
To merge this branch: bzr merge lp:~jtaylor/ubuntu/oneiric/dropbear/CVE-2012-0920
Reviewer Review Type Date Requested Status
Jamie Strandboge Approve
Ubuntu branches Pending
Review via email: mp+103385@code.launchpad.net

Description of the change

patch from upstream 2012.55 applies to oneiric, fuzz svr-chansession.c irrelevant

To post a comment you must log in.
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Oneiric should use a patch name of 0004-Fix-use-after-free-bug-CVE-2012-0920.diff since 0004 already exists. I fixed this.

review: Approve

Unmerged revisions

17. By Julian Taylor

* SECURITY UPDATE: remote execution via use after free (LP: #976360)
  - debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff
    pulled from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
    Thanks to Matt Johnston
  - CVE-2012-0920

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2011-06-27 22:39:11 +0000
3+++ debian/changelog 2012-04-24 22:04:25 +0000
4@@ -1,3 +1,13 @@
5+dropbear (0.53.1-1ubuntu1.1) oneiric-security; urgency=low
6+
7+ * SECURITY UPDATE: remote execution via use after free (LP: #976360)
8+ - debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff
9+ pulled from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
10+ Thanks to Matt Johnston
11+ - CVE-2012-0920
12+
13+ -- Julian Taylor <jtaylor@ubuntu.com> Tue, 24 Apr 2012 22:54:41 +0200
14+
15 dropbear (0.53.1-1ubuntu1) oneiric; urgency=low
16
17 * debian/diff/0004-fix-ftbfs-with-binutils-gold.diff:
18
19=== added file 'debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff'
20--- debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff 1970-01-01 00:00:00 +0000
21+++ debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff 2012-04-24 22:04:25 +0000
22@@ -0,0 +1,100 @@
23+From: Matt Johnston <matt@ucc.asn.au>
24+Date: Mon, 27 Feb 2012 16:33:55 +0000
25+Subject: Fix use-after-free bug (CVE-2012-0920)
26+Origin: https://secure.ucc.asn.au/hg/dropbear/raw-rev/818108bf7749
27+
28+# HG changeset patch
29+# User Matt Johnston <matt@ucc.asn.au>
30+# Date 1322947885 -28800
31+# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8
32+# Parent 5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f
33+- Fix use-after-free if multiple command requests were sent. Move
34+the original_command into chansess struct since that makes more sense
35+
36+diff -r 5e8d84f3ee72 -r 818108bf7749 auth.h
37+--- a/auth.h Sun Dec 04 05:27:57 2011 +0800
38++++ b/auth.h Sun Dec 04 05:31:25 2011 +0800
39+@@ -133,7 +133,6 @@
40+ int no_pty_flag;
41+ /* "command=" option. */
42+ unsigned char * forced_command;
43+- unsigned char * original_command;
44+ };
45+ #endif
46+
47+diff -r 5e8d84f3ee72 -r 818108bf7749 chansession.h
48+--- a/chansession.h Sun Dec 04 05:27:57 2011 +0800
49++++ b/chansession.h Sun Dec 04 05:31:25 2011 +0800
50+@@ -69,6 +69,10 @@
51+ char * agentfile;
52+ char * agentdir;
53+ #endif
54++
55++#ifdef ENABLE_SVR_PUBKEY_OPTIONS
56++ char *original_command;
57++#endif
58+ };
59+
60+ struct ChildPid {
61+diff -r 5e8d84f3ee72 -r 818108bf7749 svr-authpubkeyoptions.c
62+--- a/svr-authpubkeyoptions.c Sun Dec 04 05:27:57 2011 +0800
63++++ b/svr-authpubkeyoptions.c Sun Dec 04 05:31:25 2011 +0800
64+@@ -92,14 +92,15 @@
65+ * by any 'command' public key option. */
66+ void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
67+ if (ses.authstate.pubkey_options) {
68+- ses.authstate.pubkey_options->original_command = chansess->cmd;
69+- if (!chansess->cmd)
70+- {
71+- ses.authstate.pubkey_options->original_command = m_strdup("");
72++ if (chansess->cmd) {
73++ /* original_command takes ownership */
74++ chansess->original_command = chansess->cmd;
75++ } else {
76++ chansess->original_command = m_strdup("");
77+ }
78+- chansess->cmd = ses.authstate.pubkey_options->forced_command;
79++ chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
80+ #ifdef LOG_COMMANDS
81+- dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
82++ dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command);
83+ #endif
84+ }
85+ }
86+diff -r 5e8d84f3ee72 -r 818108bf7749 svr-chansession.c
87+--- a/svr-chansession.c Sun Dec 04 05:27:57 2011 +0800
88++++ b/svr-chansession.c Sun Dec 04 05:31:25 2011 +0800
89+@@ -217,6 +217,8 @@
90+
91+ struct ChanSess *chansess;
92+
93++ TRACE(("new chansess %p", channel))
94++
95+ dropbear_assert(channel->typedata == NULL);
96+
97+ chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
98+@@ -279,6 +281,10 @@
99+ m_free(chansess->cmd);
100+ m_free(chansess->term);
101+
102++#ifdef ENABLE_SVR_PUBKEY_OPTIONS
103++ m_free(chansess->original_command);
104++#endif
105++
106+ if (chansess->tty) {
107+ /* write the utmp/wtmp login record */
108+ li = chansess_login_alloc(chansess);
109+@@ -924,10 +930,8 @@
110+ }
111+
112+ #ifdef ENABLE_SVR_PUBKEY_OPTIONS
113+- if (ses.authstate.pubkey_options &&
114+- ses.authstate.pubkey_options->original_command) {
115+- addnewvar("SSH_ORIGINAL_COMMAND",
116+- ses.authstate.pubkey_options->original_command);
117++ if (chansess->original_command) {
118++ addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
119+ }
120+ #endif
121+
122+

Subscribers

People subscribed via source and target branches

to all changes: