|Summary:||security/dropbear: update to 2017.75|
|Product:||Ports & Packages||Reporter:||Piotr Kubaj <pkubaj>|
|Component:||Individual Port(s)||Assignee:||Richard Gallamore <ultima>|
|Severity:||Affects Only Me||CC:||junovitch, pkubaj, ultima|
Description Piotr Kubaj 2017-06-20 10:57:29 UTC
Created attachment 183650 [details] patch This patch updates the port to 2017.75, fixing CVE-2017-9078 and CVE-2017-9079. Changelog: - Security: Fix double-free in server TCP listener cleanup A double-free in the server could be triggered by an authenticated user if dropbear is running with -a (Allow connections to forwarded ports from any host) This could potentially allow arbitrary code execution as root by an authenticated user. Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash. CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink. Dropbear parsed authorized_keys as root, even if it were a symlink. The fix is to switch to user permissions when opening authorized_keys A user could symlink their ~/.ssh/authorized_keys to a root-owned file they couldn't normally read. If they managed to get that file to contain valid authorized_keys with command= options it might be possible to read other contents of that file. This information disclosure is to an already authenticated user. Thanks to Jann Horn of Google Project Zero for reporting this. CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123 - Generate hostkeys with dropbearkey atomically and flush to disk with fsync Thanks to Andrei Gherzan for a patch - Fix out of tree builds with bundled libtom Thanks to Henrik NordstrÃ¶m and Peter Krefting for patches. This patch also adds many options for granular choosing ciphers. I tried to make the defaults secure. Builds on Poudriere with 10.3-RELEASE using many variations of options.
Comment 2 Richard Gallamore 2017-06-25 04:05:45 UTC
Hello, thanks updating the port. Can you please check the new options? Currently it will build with all options on, and defaults. It will however fail with inverted defaults. https://poudriere.ultimasbox.com/data/103amd64-test/2017-06-24_16h49m02s/logs/errors/dropbear-2017.75.log cat security_dropbear/options # This file is auto-generated by 'make config'. # Options for dropbear-2017.75 _OPTIONS_READ=dropbear-2017.75 _FILE_COMPLETE_OPTIONS_LIST=DH_GROUP1 SMALL_CODE STATIC AES128 3DES AES256 BLOWFISH TWOFISH256 TWOFISH128 ECDSA DSA RSA MD5 SHA1 SHA1_96 SHA2_256 SHA2_512 CBC CTR OPTIONS_FILE_SET+=DH_GROUP1 OPTIONS_FILE_UNSET+=SMALL_CODE OPTIONS_FILE_SET+=STATIC OPTIONS_FILE_UNSET+=AES128 OPTIONS_FILE_SET+=3DES OPTIONS_FILE_UNSET+=AES256 OPTIONS_FILE_SET+=BLOWFISH OPTIONS_FILE_UNSET+=TWOFISH256 OPTIONS_FILE_UNSET+=TWOFISH128 OPTIONS_FILE_SET+=ECDSA OPTIONS_FILE_SET+=DSA OPTIONS_FILE_UNSET+=RSA OPTIONS_FILE_SET+=MD5 OPTIONS_FILE_SET+=SHA1 OPTIONS_FILE_SET+=SHA1_96 OPTIONS_FILE_UNSET+=SHA2_256 OPTIONS_FILE_UNSET+=SHA2_512 OPTIONS_FILE_SET+=CBC OPTIONS_FILE_UNSET+=CTR
Comment 3 Piotr Kubaj 2017-06-27 07:15:11 UTC
Created attachment 183828 [details] patch Added 3DES_IMPLIES=CTR.
Comment 4 Richard Gallamore 2017-06-29 19:06:14 UTC
(In reply to Piotr Kubaj from comment #3) Instead of commenting out all the options, can you please make simpler by removing the lines entirely. Something like `-e '/#define DROPBEAR_SMALL_CODE/d'
Comment 5 Richard Gallamore 2017-07-02 22:09:55 UTC
Created attachment 184020 [details] dropbear.diff simplified the option removal
Comment 6 commit-hook 2017-07-03 19:30:39 UTC
A commit references this bug: Author: ultima Date: Mon Jul 3 19:29:40 UTC 2017 New revision: 444984 URL: https://svnweb.freebsd.org/changeset/ports/444984 Log: Added vxvml entry for security/dropbear PR: 220158 Submitted by: Piotr Kubaj <firstname.lastname@example.org> (maintainer) Reviewed by: lifanov (mentor) Approved by: lifanov (mentor) MFH: 2017Q3 Security: http://www.vuxml.org/freebsd/60931f98-55a7-11e7-8514-589cfc0654e1.html Differential Revision: https://reviews.freebsd.org/D11400 Changes: head/security/vuxml/vuln.xml
Comment 7 commit-hook 2017-07-03 19:32:43 UTC
A commit references this bug: Author: ultima Date: Mon Jul 3 19:32:12 UTC 2017 New revision: 444987 URL: https://svnweb.freebsd.org/changeset/ports/444987 Log: Updated to 2017.75 Changelog: https://matt.ucc.asn.au/dropbear/CHANGES PR: 220158 Submitted by: Piotr Kubaj <email@example.com> (maintainer) Reviewed by: lifanov (mentor) Approved by: lifanov (mentor) MFH: 2017Q3 Security: http://www.vuxml.org/freebsd/60931f98-55a7-11e7-8514-589cfc0654e1.html Differential Revision: https://reviews.freebsd.org/D11400 Changes: head/security/dropbear/Makefile head/security/dropbear/distinfo
Comment 8 Richard Gallamore 2017-07-03 19:35:27 UTC
Committed, thanks! Pending approval from ports-secteam@ for MFH.
Comment 9 commit-hook 2017-07-06 01:53:40 UTC
A commit references this bug: Author: junovitch Date: Thu Jul 6 01:53:11 UTC 2017 New revision: 445122 URL: https://svnweb.freebsd.org/changeset/ports/445122 Log: MFH: r444987 Updated to 2017.75 Changelog: https://matt.ucc.asn.au/dropbear/CHANGES PR: 220158 Submitted by: Piotr Kubaj <firstname.lastname@example.org> (maintainer) Reviewed by: lifanov (mentor) Approved by: ports-secteam (with hat), lifanov (mentor) Security: http://www.vuxml.org/freebsd/60931f98-55a7-11e7-8514-589cfc0654e1.html Differential Revision: https://reviews.freebsd.org/D11400 Changes: _U branches/2017Q3/ branches/2017Q3/security/dropbear/Makefile branches/2017Q3/security/dropbear/distinfo
Comment 10 Jason Unovitch 2017-07-06 02:06:53 UTC
Sorry for the MFH approval delay.