Hello community, here is the log from the commit of package dropbear for openSUSE:Factory checked in at 2016-03-16 10:36:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dropbear (Old) and /work/SRC/openSUSE:Factory/.dropbear.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dropbear"

Changes:
--------
--- /work/SRC/openSUSE:Factory/dropbear/dropbear.changes 2015-12-06 07:44:04.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.dropbear.new/dropbear.changes 2016-03-16 10:36:20.000000000 +0100
@@ -1,0 +2,8 @@
+Fri Mar 11 16:00:23 UTC 2016 - thard...@suse.com
+
+- updated to upstream version 2016.72
+ * Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
+ found by github.com/tintinweb. Thanks for Damien Miller for a patch.
+- used as bug fix release for bnc#970633 - VUL-0: CVE-2016-3116
+
+-------------------------------------------------------------------

Old:
----
  dropbear-2015.71.tar.bz2
  dropbear-2015.71.tar.bz2.asc

New:
----
  dropbear-2016.72.tar.bz2
  dropbear-2016.72.tar.bz2.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dropbear.spec ++++++
--- /var/tmp/diff_new_pack.1CF1SH/_old 2016-03-16 10:36:21.000000000 +0100
+++ /var/tmp/diff_new_pack.1CF1SH/_new 2016-03-16 10:36:21.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package dropbear
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 %endif
 
 Name: dropbear
-Version: 2015.71
+Version: 2016.72
 Release: 0
 Summary: A relatively small SSH 2 server and client
 License: MIT
++++++ dropbear-2015.71.tar.bz2 -> dropbear-2016.72.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.71/.hg_archival.txt new/dropbear-2016.72/.hg_archival.txt
--- old/dropbear-2015.71/.hg_archival.txt 2015-12-03 14:23:59.000000000 +0100
+++ new/dropbear-2016.72/.hg_archival.txt 2016-03-09 15:54:53.000000000 +0100
@@ -1,6 +1,6 @@
 repo: d7da3b1e15401eb234ec866d5eac992fc4cd5878
-node: 9a944a243f08be6b22d32f166a0690eb4872462b
+node: 78b12b6549be08b0bea3da329b2578060a76ca31
 branch: default
-latesttag: DROPBEAR_2015.70
-latesttagdistance: 10
-changessincelatesttag: 11
+latesttag: DROPBEAR_2015.71
+latesttagdistance: 3
+changessincelatesttag: 3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.71/CHANGES new/dropbear-2016.72/CHANGES
--- old/dropbear-2015.71/CHANGES 2015-12-03 14:23:59.000000000 +0100
+++ new/dropbear-2016.72/CHANGES 2016-03-09 15:54:53.000000000 +0100
@@ -1,3 +1,8 @@
+2016.72 - 9 March 2016
+
+- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
+ found by github.com/tintinweb. Thanks for Damien Miller for a patch.
+
 2015.71 - 3 December 2015
 
 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.71/debian/changelog new/dropbear-2016.72/debian/changelog
--- old/dropbear-2015.71/debian/changelog 2015-12-03 14:23:59.000000000 +0100
+++ new/dropbear-2016.72/debian/changelog 2016-03-09 15:54:53.000000000 +0100
@@ -1,8 +1,8 @@
-dropbear (2015.71-0.1) unstable; urgency=low
+dropbear (2016.72-0.1) unstable; urgency=low
 
   * New upstream release.
 
- -- Matt Johnston <m...@ucc.asn.au> Thu, 3 Dec 2015 22:52:58 +0800
+ -- Matt Johnston <m...@ucc.asn.au> Wed, 10 Mar 2016 22:52:58 +0800
 
 dropbear (2015.70-0.1) unstable; urgency=low
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.71/svr-x11fwd.c new/dropbear-2016.72/svr-x11fwd.c
--- old/dropbear-2015.71/svr-x11fwd.c 2015-12-03 14:24:00.000000000 +0100
+++ new/dropbear-2016.72/svr-x11fwd.c 2016-03-09 15:54:54.000000000 +0100
@@ -42,11 +42,29 @@
 static int bindport(int fd);
 static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr);
 
+/* Check untrusted xauth strings for metacharacters */
+/* Returns DROPBEAR_SUCCESS/DROPBEAR_FAILURE */
+static int
+xauth_valid_string(const char *s)
+{
+	size_t i;
+
+	for (i = 0; s[i] != '\0'; i++) {
+		if (!isalnum(s[i]) &&
+		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+		    s[i] != '-' && s[i] != '_') {
+			return DROPBEAR_FAILURE;
+		}
+	}
+	return DROPBEAR_SUCCESS;
+}
+
+
 /* called as a request for a session channel, sets up listening X11 */
 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
 int x11req(struct ChanSess * chansess) {
 
-	int fd;
+	int fd = -1;
 
 	if (!svr_pubkey_allows_x11fwd()) {
 		return DROPBEAR_FAILURE;
@@ -62,6 +80,11 @@
 	chansess->x11authcookie = buf_getstring(ses.payload, NULL);
 	chansess->x11screennum = buf_getint(ses.payload);
 
+	if (xauth_valid_string(chansess->x11authprot) == DROPBEAR_FAILURE ||
+			xauth_valid_string(chansess->x11authcookie) == DROPBEAR_FAILURE) {
+		dropbear_log(LOG_WARNING, "Bad xauth request");
+		goto fail;
+	}
 	/* create listening socket */
 	fd = socket(PF_INET, SOCK_STREAM, 0);
 	if (fd < 0) {
@@ -159,7 +182,7 @@
 		return;
 	}
 
-	/* popen is a nice function - code is strongly based on OpenSSH's */
+	/* code is strongly based on OpenSSH's */
 	authprog = popen(XAUTH_COMMAND, "w");
 	if (authprog) {
 		fprintf(authprog, "add %s %s %s\n",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.71/sysoptions.h new/dropbear-2016.72/sysoptions.h
--- old/dropbear-2015.71/sysoptions.h 2015-12-03 14:24:00.000000000 +0100
+++ new/dropbear-2016.72/sysoptions.h 2016-03-09 15:54:54.000000000 +0100
@@ -4,7 +4,7 @@
  *******************************************************************/
 
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2015.71"
+#define DROPBEAR_VERSION "2016.72"
 #endif
 
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
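Review bot: `isalnum(s[i])` in the new xauth_valid_string passes a plain `char` to a ctype.h classifier, and on targets where `char` is signed a byte of 0x80 or above becomes a negative argument, which is undefined behaviour for isalnum (only EOF and values representable as `unsigned char` are valid). Cast first: `if (!isalnum((unsigned char)s[i]) &&`. isalnum is also locale-sensitive, so in a non-"C" locale it may accept bytes outside ASCII letters and digits; an explicit ASCII range test would make the accepted set independent of the server's locale, and the header comment could then state it precisely: `/* Accept only [A-Za-z0-9.:/_-]; the strings are later written into a popen()'d xauth command line */`. Whether ctype.h is included in this file is not visible in the hunk and is worth confirming.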
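Review bot: The new `goto fail` in x11req jumps to a label outside this hunk before the listening socket exists, so the cleanup at `fail` only stays correct if it guards its close on `fd >= 0`, which the `int fd = -1` initialisation in the first hunk appears intended to support; x11req's body continues past the hunk, so this should be confirmed against the label. The check also accepts empty strings, because the loop in xauth_valid_string never executes for them, so an empty x11authprot or x11authcookie still reaches the `add %s %s %s` fprintf in the third hunk. If an empty protocol or cookie is never legitimate here, extend the condition with `chansess->x11authprot[0] == '\0' || chansess->x11authcookie[0] == '\0'` so such requests are rejected and logged by the same branch.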