Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: dropb...@packages.debian.org
Control: affects -1 + src:dropbear
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Keepalive packets are being ignored when the ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) is used. Bullseye is affected as well, so this is not a regression in bookworm.

[ Impact ]
dropbear-initramfs users unlocking the root file system remotely with message keepalive enabled (ssh -oServerAliveInterval≠0) might lock themselves out, see #1069768.

[ Tests ]
I manually tested that dropbear-bin=2022.83-1+deb12u2 replies to message keepalives even when remote TCP forwarding is disabled.

[ Risks ]
The patch is trivial and was cleanly cherry-picked from upstream. Without 2022.83-1+deb12u1, the workarounds to prevent being locked out are to either disable message keepalives on the SSH client, or not to disable remote TCP forwarding on the SSH server (dropbear).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Cherry-pick upstream patch to fix noremotetcp behavior. Keepalive packets were being ignored when the ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was used. (Closes: #1069768)

-- 
Guilhem.

diffstat for dropbear-2022.83 dropbear-2022.83 changelog | 8 ++++++ patches/fix-noremotetcp-behavior.patch | 39 +++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 48 insertions(+) diff -Nru dropbear-2022.83/debian/changelog dropbear-2022.83/debian/changelog --- dropbear-2022.83/debian/changelog 2024-01-26 10:01:00.000000000 +0100 +++ dropbear-2022.83/debian/changelog 2024-07-09 14:22:02.000000000 +0200 @@ -1,3 +1,11 @@ +dropbear (2022.83-1+deb12u2) bookworm; urgency=medium + + * Fix noremotetcp behavior. Keepalive packets were being ignored when the + ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was + used. (Closes: #1069768) + + -- Guilhem Moulin <guil...@debian.org> Tue, 09 Jul 2024 14:22:02 +0200 + dropbear (2022.83-1+deb12u1) bookworm; urgency=medium * Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with diff -Nru dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch --- dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch 1970-01-01 01:00:00.000000000 +0100 +++ dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch 2024-07-09 14:22:02.000000000 +0200 
@@ -0,0 +1,39 @@ +From: Justin Chen <justin.c...@broadcom.com> +Date: Fri, 8 Sep 2023 11:35:18 -0700 +Subject: src: svr-tcpfwd: Fix noremotetcp behavior + +If noremotetcp is set, we should still reply with +send_msg_request_failed. This matches the behavior +of !DROPBEAR_SVR_REMOTETCPFWD. + +We were seeing keepalive packets being ignored when +the "-k" option was used. + +Origin: https://github.com/mkj/dropbear/commit/3cf8344769eda55e26eee53c1898b2c66544f188 +Bug-Debian: https://bugs.debian.org/1069768 +--- + svr-tcpfwd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c +index 7967cfa..01a76a2 100644 +--- a/svr-tcpfwd.c ++++ b/svr-tcpfwd.c +@@ -79,14 +79,14 @@ void recv_msg_global_request_remotetcp() { + + TRACE(("enter recv_msg_global_request_remotetcp")) + ++ reqname = buf_getstring(ses.payload, &namelen); ++ wantreply = buf_getbool(ses.payload); ++ + if (svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()) { + TRACE(("leave recv_msg_global_request_remotetcp: remote tcp forwarding disabled")) + goto out; + } + +- reqname = buf_getstring(ses.payload, &namelen); +- wantreply = buf_getbool(ses.payload); +- + if (namelen > MAX_NAME_LEN) { + TRACE(("name len is wrong: %d", namelen)) + goto out; diff -Nru dropbear-2022.83/debian/patches/series dropbear-2022.83/debian/patches/series --- dropbear-2022.83/debian/patches/series 2024-01-26 10:01:00.000000000 +0100 +++ dropbear-2022.83/debian/patches/series 2024-07-09 14:22:02.000000000 +0200 @@ -2,3 +2,4 @@ support-running-test_aslr-without-venv.patch raise-connection-delay-in-tests.patch CVE-2023-48795.patch +fix-noremotetcp-behavior.patch
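
Review bot: In the svr-tcpfwd.c hunk of fix-noremotetcp-behavior.patch, the early `goto out` under `svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()` is now reached with reqname allocated and wantreply populated, but the `out:` label lies outside the visible context. Please confirm that `out:` frees reqname and calls send_msg_request_failed when wantreply is set, since the fix depends entirely on that path. The TRACE text "remote tcp forwarding disabled" will also now be the last trace line for any global request refused here, keepalives included, so a message that logs reqname would make debugging clearer. The debdiff touches only changelog, the new patch and series, so no regression test covers a want-reply global request under "-k"; one would be worth proposing upstream.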
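
The keepalive failure described in the Reason and Impact paragraphs comes down to statement ordering in one handler. As an added illustration (not code from Dropbear or from this bug report), this C model contrasts the old and patched ordering on a constructed `keepalive@openssh.com` request. `handle_global_request`, `parse_request` and the `parse_first` switch are hypothetical names, and the reply behaviour at `out` is assumed from the patch's commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSH_MSG_REQUEST_FAILURE 82  /* RFC 4254 message number */
#define NO_REPLY 0                  /* model value: nothing sent to the client */

/* Constructed sample: body of an SSH_MSG_GLOBAL_REQUEST (after the type byte)
 * as a client keepalive carries it: string name, then boolean want_reply. */
static const uint8_t KEEPALIVE[] = {
    0, 0, 0, 21,
    'k','e','e','p','a','l','i','v','e','@',
    'o','p','e','n','s','s','h','.','c','o','m',
    1 /* want_reply = true */
};

/* Bounds-checked read of the name length and want_reply flag.
 * Returns 0 on success, -1 if the payload is truncated. */
static int parse_request(const uint8_t *p, size_t len,
                         uint32_t *namelen, int *wantreply) {
    if (len < 4) return -1;
    *namelen = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
               ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if (*namelen > len - 4 || len - 4 - *namelen < 1) return -1;
    *wantreply = p[4 + *namelen] != 0;
    return 0;
}

/* Hypothetical model of the handler. parse_first=0 is the old ordering,
 * parse_first=1 the patched one. Returns the reply message number sent.
 * Simplification: a malformed payload yields NO_REPLY. */
int handle_global_request(const uint8_t *p, size_t len,
                          int noremotetcp, int parse_first) {
    uint32_t namelen = 0;
    int wantreply = 0;  /* stays 0 unless the payload has been parsed */

    if (parse_first && parse_request(p, len, &namelen, &wantreply) != 0)
        return NO_REPLY;
    if (noremotetcp)
        goto out;       /* policy refusal, as with "-k" */
    if (!parse_first && parse_request(p, len, &namelen, &wantreply) != 0)
        return NO_REPLY;
    /* Forwarding setup omitted: the model treats every request as failed. */
out:
    /* Assumed from the commit message: a reply goes out only if wantreply is set. */
    return wantreply ? SSH_MSG_REQUEST_FAILURE : NO_REPLY;
}

int main(void) {
    printf("old ordering, -k: reply=%d\n",
           handle_global_request(KEEPALIVE, sizeof KEEPALIVE, 1, 0));
    printf("patched,      -k: reply=%d\n",
           handle_global_request(KEEPALIVE, sizeof KEEPALIVE, 1, 1));
    return 0;
}
```

With the old ordering the client's keepalive gets no answer, so a client with ServerAliveInterval set eventually treats the server as dead and drops the session.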