Package: release.debian.org Severity: normal Tags: bullseye X-Debbugs-Cc: dropb...@packages.debian.org Control: affects -1 + src:dropbear User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] Keepalive packets are being ignored when the ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) is used. AFAICT buster is affected as well, so this is not a regression in bullseye. [ Impact ] dropbear-initramfs users unlocking the root file system remotely with message keepalive enabled (ssh -oServerAliveInterval≠0) might lock themselves out, see #1069768. [ Tests ] I did manually tests that dropbear-bin=2020.81-3+deb11u2 replies to message keepalives even when remote TCP forwarding is disabled. [ Risks ] The patch is trivial and was cleanly cherry-picked from upstream. With 2020.81-3+deb11u1, the workarounds to prevent being locked out is to either disable message keepalives on the SSH client, or not to disable remote TCP forwarding on the SSH server (dropbear). [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in oldstable [x] the issue is verified as fixed in unstable [ Changes ] Cherry-pick upstream patch to fix noremotetcp behavior. Keepalive packets were being ignored when the ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was used. (Closes: #1069768) -- Guilhem.
diffstat for dropbear-2020.81 dropbear-2020.81 changelog | 8 ++++++ patches/fix-noremotetcp-behavior.patch | 39 +++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 48 insertions(+) diff -Nru dropbear-2020.81/debian/changelog dropbear-2020.81/debian/changelog --- dropbear-2020.81/debian/changelog 2024-01-26 12:00:26.000000000 +0100 +++ dropbear-2020.81/debian/changelog 2024-07-09 15:51:42.000000000 +0200 @@ -1,3 +1,11 @@ +dropbear (2020.81-3+deb11u2) bullseye; urgency=medium + + * Fix noremotetcp behavior. Keepalive packets were being ignored when the + ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was + used. (Closes: #1069768) + + -- Guilhem Moulin <guil...@debian.org> Tue, 09 Jul 2024 15:51:42 +0200 + dropbear (2020.81-3+deb11u1) bullseye; urgency=medium * Fix CVE-2021-36369: Due to a non-RFC-compliant check of the available diff -Nru dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch --- dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch 1970-01-01 01:00:00.000000000 +0100 +++ dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch 2024-07-09 15:51:42.000000000 +0200 @@ -0,0 +1,39 @@ +From: Justin Chen <justin.c...@broadcom.com> +Date: Fri, 8 Sep 2023 11:35:18 -0700 +Subject: src: svr-tcpfwd: Fix noremotetcp behavior + +If noremotetcp is set, we should still reply with +send_msg_request_failed. This matches the behavior +of !DROPBEAR_SVR_REMOTETCPFWD. + +We were seeing keepalive packets being ignored when +the "-k" option was used. + +Origin: https://github.com/mkj/dropbear/commit/3cf8344769eda55e26eee53c1898b2c66544f188 +Bug-Debian: https://bugs.debian.org/1069768 +--- + svr-tcpfwd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c +index 9a2310d..b5e7855 100644 +--- a/svr-tcpfwd.c ++++ b/svr-tcpfwd.c +@@ -73,14 +73,14 @@ void recv_msg_global_request_remotetcp() { + + TRACE(("enter recv_msg_global_request_remotetcp")) + ++ reqname = buf_getstring(ses.payload, &namelen); ++ wantreply = buf_getbool(ses.payload); ++ + if (svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()) { + TRACE(("leave recv_msg_global_request_remotetcp: remote tcp forwarding disabled")) + goto out; + } + +- reqname = buf_getstring(ses.payload, &namelen); +- wantreply = buf_getbool(ses.payload); +- + if (namelen > MAX_NAME_LEN) { + TRACE(("name len is wrong: %d", namelen)) + goto out; diff -Nru dropbear-2020.81/debian/patches/series dropbear-2020.81/debian/patches/series --- dropbear-2020.81/debian/patches/series 2024-01-26 12:00:26.000000000 +0100 +++ dropbear-2020.81/debian/patches/series 2024-07-09 15:51:42.000000000 +0200 @@ -1,3 +1,4 @@ local-options.patch CVE-2021-36369.patch CVE-2023-48795.patch +fix-noremotetcp-behavior.patch
signature.asc
Description: PGP signature
