dropbear: patch possible use after free by authenticated remote users with active command restrictions (CVE-2012-0920)

SVN-Revision: 30714
2012-02-25 12:40:46 +00:00 · 2012-02-25 12:40:46 +00:00 · 1b7f0f3c0d
parent 30143b715c
commit 1b7f0f3c0d
3 changed files with 94 additions and 3 deletions
--- a/package/dropbear/Makefile
+++ b/package/dropbear/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2011 OpenWrt.org
+# Copyright (C) 2006-2012 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=dropbear
 PKG_VERSION:=2011.54
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
--- a/package/dropbear/patches/140-disable_assert.patch
+++ b/package/dropbear/patches/140-disable_assert.patch
@ -1,6 +1,6 @@
 --- a/dbutil.h
 +++ b/dbutil.h
-@@ -94,6 +94,10 @@
+@@ -94,6 +94,10 @@ int m_str_to_uint(const char* str, unsig
 #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
 
 /* Dropbear assertion */
--- a/package/dropbear/patches/400-CVE-2012-0920.patch
+++ b/package/dropbear/patches/400-CVE-2012-0920.patch
@ -0,0 +1,91 @@
+
+# HG changeset patch
+# User Matt Johnston <matt@ucc.asn.au>
+# Date 1322947885 -28800
+# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8
+# Parent  5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f
+- Fix use-after-free if multiple command requests were sent. Move
+the original_command into chansess struct since that makes more sense
+
+--- a/auth.h
+++ b/auth.h
+@@ -133,7 +133,6 @@ struct PubKeyOptions {
+ 	int no_pty_flag;
+ 	/* "command=" option. */
+ 	unsigned char * forced_command;
+-	unsigned char * original_command;
+ };
+ #endif
+ 
+--- a/chansession.h
+++ b/chansession.h
+@@ -69,6 +69,10 @@ struct ChanSess {
+ 	char * agentfile;
+ 	char * agentdir;
+ #endif
+
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+	char *original_command;
+#endif
+ };
+ 
+ struct ChildPid {
+--- a/svr-authpubkeyoptions.c
+++ b/svr-authpubkeyoptions.c
+@@ -92,14 +92,15 @@ int svr_pubkey_allows_pty() {
+  * by any 'command' public key option. */
+ void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
+ 	if (ses.authstate.pubkey_options) {
+-		ses.authstate.pubkey_options->original_command = chansess->cmd;
+-		if (!chansess->cmd)
+-		{
+-			ses.authstate.pubkey_options->original_command = m_strdup("");
+		if (chansess->cmd) {
+			/* original_command takes ownership */
+			chansess->original_command = chansess->cmd;
+		} else {
+			chansess->original_command = m_strdup("");
+ 		}
+-		chansess->cmd = ses.authstate.pubkey_options->forced_command;
+		chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
+ #ifdef LOG_COMMANDS
+-		dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
+		dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command);
+ #endif
+ 	}
+ }
+--- a/svr-chansession.c
+++ b/svr-chansession.c
+@@ -217,6 +217,8 @@ static int newchansess(struct Channel *c
+ 
+ 	struct ChanSess *chansess;
+ 
+	TRACE(("new chansess %p", channel))
+
+ 	dropbear_assert(channel->typedata == NULL);
+ 
+ 	chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
+@@ -279,6 +281,10 @@ static void closechansess(struct Channel
+ 	m_free(chansess->cmd);
+ 	m_free(chansess->term);
+ 
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
+	m_free(chansess->original_command);
+#endif
+
+ 	if (chansess->tty) {
+ 		/* write the utmp/wtmp login record */
+ 		li = chansess_login_alloc(chansess);
+@@ -924,10 +930,8 @@ static void execchild(void *user_data) {
+ 	}
+ 	
+ #ifdef ENABLE_SVR_PUBKEY_OPTIONS
+-	if (ses.authstate.pubkey_options &&
+-			ses.authstate.pubkey_options->original_command) {
+-		addnewvar("SSH_ORIGINAL_COMMAND", 
+-			ses.authstate.pubkey_options->original_command);
+	if (chansess->original_command) {
+		addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
+ 	}
+ #endif
+