summaryrefslogtreecommitdiff
path: root/package/network/services/dropbear/patches
diff options
context:
space:
mode:
authorKevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>2017-05-20 12:54:11 +0100
committerHauke Mehrtens <hauke@hauke-m.de>2017-05-24 18:04:51 +0200
commitdd19a41520c54f13f9d9da2f5ff7dcebd3d8f085 (patch)
tree23c71509e1aa106e72e5993e2a56ce06213adefb /package/network/services/dropbear/patches
parent51db1f5a9a3ecd5cc2c5de724641c4636a0a86e2 (diff)
downloadmtk-20170518-dd19a41520c54f13f9d9da2f5ff7dcebd3d8f085.zip
mtk-20170518-dd19a41520c54f13f9d9da2f5ff7dcebd3d8f085.tar.gz
mtk-20170518-dd19a41520c54f13f9d9da2f5ff7dcebd3d8f085.tar.bz2
dropbear: bump to 2017.75
- Security: Fix double-free in server TCP listener cleanup A double-free in the server could be triggered by an authenticated user if dropbear is running with -a (Allow connections to forwarded ports from any host) This could potentially allow arbitrary code execution as root by an authenticated user. Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash. CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink. Dropbear parsed authorized_keys as root, even if it were a symlink. The fix is to switch to user permissions when opening authorized_keys A user could symlink their ~/.ssh/authorized_keys to a root-owned file they couldn't normally read. If they managed to get that file to contain valid authorized_keys with command= options it might be possible to read other contents of that file. This information disclosure is to an already authenticated user. Thanks to Jann Horn of Google Project Zero for reporting this. CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123 Refresh patches, rework 100-pubkey_path.patch to work with new authorized_keys validation. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Diffstat (limited to 'package/network/services/dropbear/patches')
-rw-r--r--package/network/services/dropbear/patches/100-pubkey_path.patch24
1 files changed, 10 insertions, 14 deletions
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
index 41fdc1a..401c7e1 100644
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -1,6 +1,6 @@
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
-@@ -218,17 +218,21 @@ static int checkpubkey(char* algo, unsig
+@@ -220,14 +220,20 @@ static int checkpubkey(char* algo, unsig
goto out;
}
@@ -12,9 +12,6 @@
- filename = m_malloc(len + 22);
- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
- ses.authstate.pw_dir);
--
-- /* open the file */
-- authfile = fopen(filename, "r");
+ if (ses.authstate.pw_uid != 0) {
+ /* we don't need to check pw and pw_dir for validity, since
+ * its been done in checkpubkeyperms. */
@@ -22,18 +19,17 @@
+ /* allocate max required pathname storage,
+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+ filename = m_malloc(len + 22);
-+ snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-+ ses.authstate.pw_dir);
-+
-+ /* open the file */
-+ authfile = fopen(filename, "r");
++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
++ ses.authstate.pw_dir);
+ } else {
-+ authfile = fopen("/etc/dropbear/authorized_keys","r");
++ filename = m_malloc(30);
++ strncpy(filename, "/etc/dropbear/authorized_keys", 30);
+ }
- if (authfile == NULL) {
- goto out;
- }
-@@ -381,26 +385,35 @@ static int checkpubkeyperms() {
++
+
+ /* open the file as the authenticating user. */
+ origuid = getuid();
+@@ -396,26 +402,35 @@ static int checkpubkeyperms() {
goto out;
}