Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id
<9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1076015,
regarding bookworm-pu: package dropbear/2022.83-1+deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1076015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076015
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: dropb...@packages.debian.org
Control: affects -1 + src:dropbear
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Keepalive packets are being ignored when the ‛-k’ flag (or
‛no-port-forwarding’ authorized_keys(5) restriction) is used.
Bullseye is affected as well, so this is not a regression in bookworm.
[ Impact ]
dropbear-initramfs users unlocking the root file system remotely with
message keepalive enabled (ssh -oServerAliveInterval≠0) might lock
themselves out, see #1069768.
[ Tests ]
I did manually tests that dropbear-bin=2022.83-1+deb12u2 replies to
message keepalives even when remote TCP forwarding is disabled.
[ Risks ]
The patch is trivial and was cleanly cherry-picked from upstream.
Without 2022.83-1+deb12u1, the workarounds to prevent being locked out
is to either disable message keepalives on the SSH client, or not to
disable remote TCP forwarding on the SSH server (dropbear).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Cherry-pick upstream patch to fix noremotetcp behavior. Keepalive
packets were being ignored when the ‛-k’ flag (or ‛no-port-forwarding’
authorized_keys(5) restriction) was used. (Closes: #1069768)
--
Guilhem.
diffstat for dropbear-2022.83 dropbear-2022.83
changelog | 8 ++++++
patches/fix-noremotetcp-behavior.patch | 39 +++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 48 insertions(+)
diff -Nru dropbear-2022.83/debian/changelog dropbear-2022.83/debian/changelog
--- dropbear-2022.83/debian/changelog 2024-01-26 10:01:00.000000000 +0100
+++ dropbear-2022.83/debian/changelog 2024-07-09 14:22:02.000000000 +0200
@@ -1,3 +1,11 @@
+dropbear (2022.83-1+deb12u2) bookworm; urgency=medium
+
+ * Fix noremotetcp behavior. Keepalive packets were being ignored when the
+ ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was
+ used. (Closes: #1069768)
+
+ -- Guilhem Moulin <guil...@debian.org> Tue, 09 Jul 2024 14:22:02 +0200
+
dropbear (2022.83-1+deb12u1) bookworm; urgency=medium
* Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with
diff -Nru dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch
dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch
--- dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch
1970-01-01 01:00:00.000000000 +0100
+++ dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch
2024-07-09 14:22:02.000000000 +0200
@@ -0,0 +1,39 @@
+From: Justin Chen <justin.c...@broadcom.com>
+Date: Fri, 8 Sep 2023 11:35:18 -0700
+Subject: src: svr-tcpfwd: Fix noremotetcp behavior
+
+If noremotetcp is set, we should still reply with
+send_msg_request_failed. This matches the behavior
+of !DROPBEAR_SVR_REMOTETCPFWD.
+
+We were seeing keepalive packets being ignored when
+the "-k" option was used.
+
+Origin:
https://github.com/mkj/dropbear/commit/3cf8344769eda55e26eee53c1898b2c66544f188
+Bug-Debian: https://bugs.debian.org/1069768
+---
+ svr-tcpfwd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c
+index 7967cfa..01a76a2 100644
+--- a/svr-tcpfwd.c
++++ b/svr-tcpfwd.c
+@@ -79,14 +79,14 @@ void recv_msg_global_request_remotetcp() {
+
+ TRACE(("enter recv_msg_global_request_remotetcp"))
+
++ reqname = buf_getstring(ses.payload, &namelen);
++ wantreply = buf_getbool(ses.payload);
++
+ if (svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()) {
+ TRACE(("leave recv_msg_global_request_remotetcp: remote tcp
forwarding disabled"))
+ goto out;
+ }
+
+- reqname = buf_getstring(ses.payload, &namelen);
+- wantreply = buf_getbool(ses.payload);
+-
+ if (namelen > MAX_NAME_LEN) {
+ TRACE(("name len is wrong: %d", namelen))
+ goto out;
diff -Nru dropbear-2022.83/debian/patches/series
dropbear-2022.83/debian/patches/series
--- dropbear-2022.83/debian/patches/series 2024-01-26 10:01:00.000000000
+0100
+++ dropbear-2022.83/debian/patches/series 2024-07-09 14:22:02.000000000
+0200
@@ -2,3 +2,4 @@
support-running-test_aslr-without-venv.patch
raise-connection-delay-in-tests.patch
CVE-2023-48795.patch
+fix-noremotetcp-behavior.patch
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.7
Hi,
Each of these bugs relates to an update including in today's bookworm
12.7 point release.
Regards,
Adam
--- End Message ---
