This vulnerability is located within the Dropbear daemon and occurs due to the way the server manages channel concurrency. A specially crafted request can trigger a `use after free` condition which can be used to execute arbitrary code with root privileges, provided the user has been authenticated using a public key (authorized_keys file) and a command restriction is enforced (command option).

Solution: Upgrade to 2012.55

Changelog:
https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
https://secure.ucc.asn.au/hg/dropbear/rev/c015af8a71cf

Disclosure Timeline:
2012-01-24 - Vulnerability reported to vendor.
2012-02-24 - Coordinated public release of advisory.
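The advisory above names two preconditions (an affected Dropbear version and an authorized_keys entry carrying a command= restriction). The script below is an added example, not part of this bug thread, the advisory or Dropbear itself: it checks both preconditions for a version string and an authorized_keys file. The sample authorized_keys content is constructed for the demonstration, the key material in it is a placeholder, and the assumption that `dropbear -V` reports a "Dropbear vMAJOR.MINOR" string is mine, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the bug thread or from Dropbear): decide whether a
# Dropbear installation is inside the CVE-2012-0920 exposure window.
# Preconditions taken from the advisory text: version 0.52 through 2012.54,
# plus at least one authorized_keys entry with a command="..." restriction.

# dropbear_version_affected VERSION
#   exit 0 if VERSION lies in 0.52..2012.54, 1 if outside, 2 if unparsable.
# Dropbear versions are MAJOR.MINOR (0.52, 0.53, 2011.54, 2012.55), so both
# fields are compared numerically. Distribution suffixes such as "-r1" are
# rejected as unparsable; strip them before calling.
dropbear_version_affected() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}
    minor=${1#*.}
    case "$major$minor" in ''|*[!0-9]*) return 2 ;; esac
    # below the first affected release, 0.52
    if [ "$major" -eq 0 ] && [ "$minor" -lt 52 ]; then return 1; fi
    # above the last affected release, 2012.54
    if [ "$major" -gt 2012 ]; then return 1; fi
    if [ "$major" -eq 2012 ] && [ "$minor" -gt 54 ]; then return 1; fi
    return 0
}

# authorized_keys_has_command_restriction FILE
#   exit 0 if any non-comment line carries a command="..." option, which is
#   the second precondition in the advisory.
authorized_keys_has_command_restriction() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq '(^|[, ])command="'
}

# cve_2012_0920_exposed VERSION FILE
#   exit 0 only when both preconditions hold for this host.
cve_2012_0920_exposed() {
    dropbear_version_affected "$1" && authorized_keys_has_command_restriction "$2"
}

# Constructed sample authorized_keys for the demonstration (placeholder keys).
sample_authorized_keys=$(mktemp)
trap 'rm -f "$sample_authorized_keys"' EXIT
cat >"$sample_authorized_keys" <<'EOF'
# backup host: restricted to a single command
command="/usr/local/bin/backup-pull",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder== backup@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder2== admin@example
EOF

# Walk a few version strings against the sample file.
for v in 0.51 0.52 2011.54 2012.54 2012.55; do
    if cve_2012_0920_exposed "$v" "$sample_authorized_keys"; then
        echo "Dropbear $v with command-restricted keys: EXPOSED, upgrade to 2012.55"
    else
        echo "Dropbear $v with command-restricted keys: not in the exposure window"
    fi
done
```

On a real host, feed the version the binary reports (on the assumption that `dropbear -V` prints "Dropbear v2012.55", the field after "v" is the input) together with the authorized_keys file of each account that accepts public-key logins. A "not exposed" result only means the two advisory preconditions are not both met; it is not a substitute for upgrading.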
In the tree.
Thanks muchly. Arches, please test and mark stable: =net-misc/dropbear-2012.55 Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Is sys-libs/zlib-1.2.5.1-r2 good to go stable? sys-libs/zlib-1.2.6 might be too new.
@base-system: Can you respond to jer's question?
I rewrote the dep to not require a newer zlib: http://sources.gentoo.org/net-misc/dropbear/dropbear-2012.55.ebuild?r1=1.1&r2=1.2
Stable for HPPA.
ppc done
amd64 stable
x86 stable
Stable on alpha.
ppc64 done
arm/ia64/m68k/s390/sh/sparc stable
Thanks, everyone. GLSA request filed.
CVE-2012-0920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0920): Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency."
This issue was resolved and addressed in GLSA 201309-20 at http://security.gentoo.org/glsa/glsa-201309-20.xml by GLSA coordinator Chris Reffett (creffett).