Ubuntu
dropbear package

Merge lp:~jtaylor/ubuntu/oneiric/dropbear/CVE-2012-0920 into lp:ubuntu/oneiric/dropbear

  1. Oneiric (11.10)
  2. CVE-2012-0920
  3. Merge into oneiric
Proposed by Julian Taylor
Status: Rejected
Rejected by: Martin Pitt
Proposed branch: lp:~jtaylor/ubuntu/oneiric/dropbear/CVE-2012-0920
Merge into: lp:ubuntu/oneiric/dropbear
Diff against target: 122 lines (+110/-0)
2 files modified
debian/changelog (+10/-0)
debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff (+100/-0)
To merge this branch: bzr merge lp:~jtaylor/ubuntu/oneiric/dropbear/CVE-2012-0920
Reviewer Review Type Date Requested Status
Jamie Strandboge Approve
Ubuntu branches Pending
Review via email: mp+103385@code.launchpad.net

Description of the change

patch from upstream 2012.55 applies to oneiric, fuzz svr-chansession.c irrelevant

To post a comment you must log in.
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Oneiric should use a patch name of 0004-Fix-use-after-free-bug-CVE-2012-0920.diff since 0004 already exists. I fixed this.

review: Approve

Unmerged revisions

17. By Julian Taylor

* SECURITY UPDATE: remote execution via use after free (LP: #976360)
  - debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff
    pulled from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
    Thanks to Matt Johnston
  - CVE-2012-0920

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'debian/changelog'
--- debian/changelog 2011-06-27 22:39:11 +0000
+++ debian/changelog 2012-04-24 22:04:25 +0000
@@ -1,3 +1,13 @@
1dropbear (0.53.1-1ubuntu1.1) oneiric-security; urgency=low
2
3 * SECURITY UPDATE: remote execution via use after free (LP: #976360)
4 - debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff
5 pulled from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
6 Thanks to Matt Johnston
7 - CVE-2012-0920
8
9 -- Julian Taylor <jtaylor@ubuntu.com> Tue, 24 Apr 2012 22:54:41 +0200
10
1dropbear (0.53.1-1ubuntu1) oneiric; urgency=low11dropbear (0.53.1-1ubuntu1) oneiric; urgency=low
212
3 * debian/diff/0004-fix-ftbfs-with-binutils-gold.diff:13 * debian/diff/0004-fix-ftbfs-with-binutils-gold.diff:
414
=== added file 'debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff'
--- debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff 1970-01-01 00:00:00 +0000
+++ debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff 2012-04-24 22:04:25 +0000
@@ -0,0 +1,100 @@
1From: Matt Johnston <matt@ucc.asn.au>
2Date: Mon, 27 Feb 2012 16:33:55 +0000
3Subject: Fix use-after-free bug (CVE-2012-0920)
4Origin: https://secure.ucc.asn.au/hg/dropbear/raw-rev/818108bf7749
5
6# HG changeset patch
7# User Matt Johnston <matt@ucc.asn.au>
8# Date 1322947885 -28800
9# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8
10# Parent 5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f
11- Fix use-after-free if multiple command requests were sent. Move
12the original_command into chansess struct since that makes more sense
13
14diff -r 5e8d84f3ee72 -r 818108bf7749 auth.h
15--- a/auth.h Sun Dec 04 05:27:57 2011 +0800
16+++ b/auth.h Sun Dec 04 05:31:25 2011 +0800
17@@ -133,7 +133,6 @@
18 int no_pty_flag;
19 /* "command=" option. */
20 unsigned char * forced_command;
21- unsigned char * original_command;
22 };
23 #endif
24
25diff -r 5e8d84f3ee72 -r 818108bf7749 chansession.h
26--- a/chansession.h Sun Dec 04 05:27:57 2011 +0800
27+++ b/chansession.h Sun Dec 04 05:31:25 2011 +0800
28@@ -69,6 +69,10 @@
29 char * agentfile;
30 char * agentdir;
31 #endif
32+
33+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
34+ char *original_command;
35+#endif
36 };
37
38 struct ChildPid {
39diff -r 5e8d84f3ee72 -r 818108bf7749 svr-authpubkeyoptions.c
40--- a/svr-authpubkeyoptions.c Sun Dec 04 05:27:57 2011 +0800
41+++ b/svr-authpubkeyoptions.c Sun Dec 04 05:31:25 2011 +0800
42@@ -92,14 +92,15 @@
43 * by any 'command' public key option. */
44 void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
45 if (ses.authstate.pubkey_options) {
46- ses.authstate.pubkey_options->original_command = chansess->cmd;
47- if (!chansess->cmd)
48- {
49- ses.authstate.pubkey_options->original_command = m_strdup("");
50+ if (chansess->cmd) {
51+ /* original_command takes ownership */
52+ chansess->original_command = chansess->cmd;
53+ } else {
54+ chansess->original_command = m_strdup("");
55 }
56- chansess->cmd = ses.authstate.pubkey_options->forced_command;
57+ chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
58 #ifdef LOG_COMMANDS
59- dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
60+ dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command);
61 #endif
62 }
63 }
64diff -r 5e8d84f3ee72 -r 818108bf7749 svr-chansession.c
65--- a/svr-chansession.c Sun Dec 04 05:27:57 2011 +0800
66+++ b/svr-chansession.c Sun Dec 04 05:31:25 2011 +0800
67@@ -217,6 +217,8 @@
68
69 struct ChanSess *chansess;
70
71+ TRACE(("new chansess %p", channel))
72+
73 dropbear_assert(channel->typedata == NULL);
74
75 chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
76@@ -279,6 +281,10 @@
77 m_free(chansess->cmd);
78 m_free(chansess->term);
79
80+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
81+ m_free(chansess->original_command);
82+#endif
83+
84 if (chansess->tty) {
85 /* write the utmp/wtmp login record */
86 li = chansess_login_alloc(chansess);
87@@ -924,10 +930,8 @@
88 }
89
90 #ifdef ENABLE_SVR_PUBKEY_OPTIONS
91- if (ses.authstate.pubkey_options &&
92- ses.authstate.pubkey_options->original_command) {
93- addnewvar("SSH_ORIGINAL_COMMAND",
94- ses.authstate.pubkey_options->original_command);
95+ if (chansess->original_command) {
96+ addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
97 }
98 #endif
99
100

Subscribers

People subscribed via source and target branches

to all changes: