Hi there,

dropbear 2012.55-1.3+deb7u1 from wheezy-security is vulnerable to CVE-2017-9079. I backported the fix from 2017.75 to sid and jessie-security, and here is a debdiff against 2012.55-1.3+deb7u1. I also uploaded the source package to people.d.o, you'll find it at

    dget -x https://people.debian.org/~guilhem/tmp/dropbear_2012.55-1.3+deb7u2.dsc

I did check that public key authentication is still working under 2012.55-1.3+deb7u2 (I didn't make any other check though).

Note that 2017.75 fixes another security vulnerability, namely CVE-2017-9078, but I believe that 2012.55 is not affected by the double free. Not sure how to tell the security tracker, though.

Thanks for your work on Debian LTS!

-- 
Guilhem (dropbear maintainer since 2015.68-1).
diff -Nru dropbear-2012.55/debian/changelog dropbear-2012.55/debian/changelog --- dropbear-2012.55/debian/changelog 2016-09-23 21:17:02.000000000 +0200 +++ dropbear-2012.55/debian/changelog 2017-05-20 20:49:16.000000000 +0200 @@ -1,3 +1,17 @@ +dropbear (2012.55-1.3+deb7u2) wheezy-security; urgency=high + + * Backport fix for CVE-2017-9079 from 2017.75: information disclosure with + ~/.ssh/authorized_keys symlink. + Dropbear parsed authorized_keys as root, even if it were a symlink. The + fix is to switch to user permissions when opening authorized_keys A user + could symlink their ~/.ssh/authorized_keys to a root-owned file they + couldn't normally read. If they managed to get that file to contain valid + authorized_keys with command= options it might be possible to read other + contents of that file. + This information disclosure is to an already authenticated user. + + -- Guilhem Moulin <guil...@debian.org> Sat, 20 May 2017 20:49:16 +0200 + dropbear (2012.55-1.3+deb7u1) wheezy-security; urgency=high * Move to "3.0 (quilt)" source format for patch clarity. diff -Nru dropbear-2012.55/debian/patches/CVE-2017-9079.diff dropbear-2012.55/debian/patches/CVE-2017-9079.diff --- dropbear-2012.55/debian/patches/CVE-2017-9079.diff 1970-01-01 01:00:00.000000000 +0100 +++ dropbear-2012.55/debian/patches/CVE-2017-9079.diff 2017-05-20 20:48:47.000000000 +0200 
@@ -0,0 +1,42 @@ +commit 93f3c31807cc15c19640d7242883b24b374a7fde +Author: Matt Johnston <m...@ucc.asn.au> +Date: Wed May 10 00:20:21 2017 +0800 + + switch user when opening authorized_keys + +diff --git a/svr-authpubkey.c b/svr-authpubkey.c +index 71c347a..c3bac82 100644 +--- a/svr-authpubkey.c ++++ b/svr-authpubkey.c +@@ -192,6 +192,8 @@ static int checkpubkey(char* algo, unsigned int algolen, + unsigned int len, pos; + buffer * options_buf = NULL; + int line_num; ++ uid_t origuid; ++ gid_t origgid; + + TRACE(("enter checkpubkey")) + +@@ -218,8 +221,21 @@ static int checkpubkey(char* algo, unsigned int algolen, + snprintf(filename, len + 22, "%s/.ssh/authorized_keys", + ses.authstate.pw_dir); + +- /* open the file */ ++ /* open the file as the authenticating user. */ ++ origuid = getuid(); ++ origgid = getgid(); ++ if ((setegid(ses.authstate.pw_gid)) < 0 || ++ (seteuid(ses.authstate.pw_uid)) < 0) { ++ dropbear_exit("Failed to set euid"); ++ } ++ + authfile = fopen(filename, "r"); ++ ++ if ((seteuid(origuid)) < 0 || ++ (setegid(origgid)) < 0) { ++ dropbear_exit("Failed to revert euid"); ++ } ++ + if (authfile == NULL) { + goto out; + } diff -Nru dropbear-2012.55/debian/patches/series dropbear-2012.55/debian/patches/series --- dropbear-2012.55/debian/patches/series 2016-09-23 21:14:46.000000000 +0200 +++ dropbear-2012.55/debian/patches/series 2017-05-20 20:48:01.000000000 +0200 @@ -1,2 +1,3 @@ CVE-2016-7406.diff CVE-2016-7407.diff +CVE-2017-9079.diff
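Review bot: in the debian/changelog hunk, the sentence "fix is to switch to user permissions when opening authorized_keys A user could symlink" runs two sentences together; a full stop is missing after "authorized_keys". Otherwise the entry states the scope correctly (disclosure to an already authenticated user), which is the point the advisory text needs.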
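Review bot: in the CVE-2017-9079.diff hunk, the revert after `fopen` restores the values saved from `getuid()`/`getgid()`, i.e. the real ids, while the calls being undone are `seteuid`/`setegid`, which only change the effective ids; the restore is exact only while real and effective ids agree, which holds for a root-run server but not in general, so saving `geteuid()`/`getegid()` into `origuid`/`origgid` would make the revert unconditional. The call order itself is right: `setegid` before `seteuid` when switching to the user, and `seteuid(origuid)` before `setegid(origgid)` when coming back, since the second call in each pair would fail in the other order. As a documentation point, the patch file carries the raw git header (`commit 93f3c31807cc15c19640d7242883b24b374a7fde`, `Author:`, `Date:`) but no DEP-3 `Origin:` or `Bug:` fields; adding them keeps the provenance of the backport machine-readable.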