Bug 220158 - security/dropbear: update to 2017.75
Summary: security/dropbear: update to 2017.75
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Richard Gallamore
URL: https://matt.ucc.asn.au/dropbear/CHANGES
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-20 10:57 UTC by Piotr Kubaj
Modified: 2017-07-06 02:06 UTC (History)
3 users (show)

See Also:
pkubaj: maintainer-feedback+
junovitch: merge-quarterly+


Attachments
patch (4.76 KB, patch)
2017-06-20 10:57 UTC, Piotr Kubaj
pkubaj: maintainer-approval+
Details | Diff
vuxml patch (1.67 KB, patch)
2017-06-20 11:04 UTC, Piotr Kubaj
pkubaj: maintainer-approval+
Details | Diff
patch (4.78 KB, patch)
2017-06-27 07:15 UTC, Piotr Kubaj
pkubaj: maintainer-approval+
Details | Diff
dropbear.diff (4.35 KB, patch)
2017-07-02 22:09 UTC, Richard Gallamore
pkubaj: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Piotr Kubaj freebsd_committer 2017-06-20 10:57:29 UTC
Created attachment 183650 [details]
patch

This patch updates the port to 2017.75, fixing CVE-2017-9078 and CVE-2017-9079.
Changelog:
- Security: Fix double-free in server TCP listener cleanup A double-free in the server could be triggered by an authenticated user if dropbear is running with -a (Allow connections to forwarded ports from any host) This could potentially allow arbitrary code execution as root by an authenticated user. Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash. CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys symlink. Dropbear parsed authorized_keys as root, even if it were a symlink. The fix is to switch to user permissions when opening authorized_keys A user could symlink their ~/.ssh/authorized_keys to a root-owned file they couldn't normally read. If they managed to get that file to contain valid authorized_keys with command= options it might be possible to read other contents of that file. This information disclosure is to an already authenticated user. Thanks to Jann Horn of Google Project Zero for reporting this. CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

- Generate hostkeys with dropbearkey atomically and flush to disk with fsync Thanks to Andrei Gherzan for a patch

- Fix out of tree builds with bundled libtom Thanks to Henrik Nordström and Peter Krefting for patches.

This patch also adds many options for granular choosing ciphers. I tried to make the defaults secure.

Builds on Poudriere with 10.3-RELEASE using many variations of options.
Comment 1 Piotr Kubaj freebsd_committer 2017-06-20 11:04:13 UTC
Created attachment 183651 [details]
vuxml patch
Comment 2 Richard Gallamore freebsd_committer 2017-06-25 04:05:45 UTC
Hello, thanks updating the port. Can you please check the new options? Currently it will build with all options on, and defaults. It will however fail with inverted defaults.

https://poudriere.ultimasbox.com/data/103amd64-test/2017-06-24_16h49m02s/logs/errors/dropbear-2017.75.log

cat security_dropbear/options                                                                                                             
# This file is auto-generated by 'make config'.                                                                                                                                                                                               
# Options for dropbear-2017.75                                                                                                                                                                                                                
_OPTIONS_READ=dropbear-2017.75                                                                                                                                                                                                                
_FILE_COMPLETE_OPTIONS_LIST=DH_GROUP1 SMALL_CODE STATIC AES128 3DES AES256 BLOWFISH TWOFISH256 TWOFISH128 ECDSA DSA RSA MD5 SHA1 SHA1_96 SHA2_256 SHA2_512 CBC CTR                                                                            
OPTIONS_FILE_SET+=DH_GROUP1                                                                                                                                                                                                                   
OPTIONS_FILE_UNSET+=SMALL_CODE                                                                                                                                                                                                                
OPTIONS_FILE_SET+=STATIC                                                                                                                                                                                                                      
OPTIONS_FILE_UNSET+=AES128                                                                                                                                                                                                                    
OPTIONS_FILE_SET+=3DES                                                                                                                                                                                                                        
OPTIONS_FILE_UNSET+=AES256                                                                                                                                                                                                                    
OPTIONS_FILE_SET+=BLOWFISH                                                                                                                                                                                                                    
OPTIONS_FILE_UNSET+=TWOFISH256                                                                                                                                                                                                                
OPTIONS_FILE_UNSET+=TWOFISH128                                                                                                                                                                                                                
OPTIONS_FILE_SET+=ECDSA                                                                                                                                                                                                                       
OPTIONS_FILE_SET+=DSA                                                                                                                                                                                                                         
OPTIONS_FILE_UNSET+=RSA                                                                                                                                                                                                                       
OPTIONS_FILE_SET+=MD5                                                                                                                                                                                                                         
OPTIONS_FILE_SET+=SHA1                                                                                                                                                                                                                        
OPTIONS_FILE_SET+=SHA1_96                                                                                                                                                                                                                     
OPTIONS_FILE_UNSET+=SHA2_256                                                                                                                                                                                                                  
OPTIONS_FILE_UNSET+=SHA2_512                                                                                                                                                                                                                  
OPTIONS_FILE_SET+=CBC                                                                                                                                                                                                                         
OPTIONS_FILE_UNSET+=CTR
Comment 3 Piotr Kubaj freebsd_committer 2017-06-27 07:15:11 UTC
Created attachment 183828 [details]
patch

Added 3DES_IMPLIES=CTR.
Comment 4 Richard Gallamore freebsd_committer 2017-06-29 19:06:14 UTC
(In reply to Piotr Kubaj from comment #3)
Instead of commenting out all the options, can you please make simpler by removing the lines entirely. Something like

`-e '/#define DROPBEAR_SMALL_CODE/d'
Comment 5 Richard Gallamore freebsd_committer 2017-07-02 22:09:55 UTC
Created attachment 184020 [details]
dropbear.diff

simplified the option removal
Comment 6 commit-hook freebsd_committer 2017-07-03 19:30:39 UTC
A commit references this bug:

Author: ultima
Date: Mon Jul  3 19:29:40 UTC 2017
New revision: 444984
URL: https://svnweb.freebsd.org/changeset/ports/444984

Log:
  Added vxvml entry for security/dropbear

  PR:		220158
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
  Reviewed by:	lifanov (mentor)
  Approved by:	lifanov (mentor)
  MFH:		2017Q3
  Security:	http://www.vuxml.org/freebsd/60931f98-55a7-11e7-8514-589cfc0654e1.html
  Differential Revision:	https://reviews.freebsd.org/D11400

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer 2017-07-03 19:32:43 UTC
A commit references this bug:

Author: ultima
Date: Mon Jul  3 19:32:12 UTC 2017
New revision: 444987
URL: https://svnweb.freebsd.org/changeset/ports/444987

Log:
  Updated to 2017.75

  Changelog:	https://matt.ucc.asn.au/dropbear/CHANGES

  PR:		220158
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
  Reviewed by:	lifanov (mentor)
  Approved by:	lifanov (mentor)
  MFH:		2017Q3
  Security:	http://www.vuxml.org/freebsd/60931f98-55a7-11e7-8514-589cfc0654e1.html
  Differential Revision:	https://reviews.freebsd.org/D11400

Changes:
  head/security/dropbear/Makefile
  head/security/dropbear/distinfo
Comment 8 Richard Gallamore freebsd_committer 2017-07-03 19:35:27 UTC
Committed, thanks!

Pending approval from ports-secteam@ for MFH.
Comment 9 commit-hook freebsd_committer 2017-07-06 01:53:40 UTC
A commit references this bug:

Author: junovitch
Date: Thu Jul  6 01:53:11 UTC 2017
New revision: 445122
URL: https://svnweb.freebsd.org/changeset/ports/445122

Log:
  MFH: r444987

  Updated to 2017.75

  Changelog:	https://matt.ucc.asn.au/dropbear/CHANGES

  PR:		220158
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl> (maintainer)
  Reviewed by:	lifanov (mentor)
  Approved by:	ports-secteam (with hat), lifanov (mentor)
  Security:	http://www.vuxml.org/freebsd/60931f98-55a7-11e7-8514-589cfc0654e1.html
  Differential Revision:	https://reviews.freebsd.org/D11400

Changes:
_U  branches/2017Q3/
  branches/2017Q3/security/dropbear/Makefile
  branches/2017Q3/security/dropbear/distinfo
Comment 10 Jason Unovitch freebsd_committer 2017-07-06 02:06:53 UTC
Sorry for the MFH approval delay.