Date: Sun, 11 Dec 2005 23:30:02 +0800 From: Matt Johnston To: dropbear@ucc.gu.uwa.edu.au Subject: Dropbear 0.47 (and security fix) Message-ID: <20051211153002.GH28839@ucc.gu.uwa.edu.au> Hi all. I've put up a new release 0.47 of Dropbear, which has various fixes and new features - see the change summary below. http://matt.ucc.asn.au/dropbear/dropbear.html is the url as usual or directly at http://matt.ucc.asn.au/dropbear/dropbear-0.47.tar.bz2 This release also fixes a potential security issue, which may allow authenticated users to run arbitrary code as the server user. I'm unsure exactly how likely it is to be exploitable, but anyone who's running a multi-user server is advised to upgrade. For older releases, the patch is: (against chanesssion.c for 0.43 and earlier). --- dropbear/svr-chansession.c +++ dropbear/svr-chansession.c @@ -810,7 +810,7 @@ /* need to increase size */ if (i == svr_ses.childpidsize) { svr_ses.childpids = (struct ChildPid*)m_realloc(svr_ses.childpids, - sizeof(struct ChildPid) * svr_ses.childpidsize+1); + sizeof(struct ChildPid) * (svr_ses.childpidsize+1)); svr_ses.childpidsize++; } Matt 0.47 - Thurs Dec 8 2005 - SECURITY: fix for buffer allocation error in server code, could potentially allow authenticated users to gain elevated privileges. All multi-user systems running the server should upgrade (or apply the patch available on the Dropbear webpage). - Fix channel handling code so that redirecting to /dev/null doesn't use 100% CPU. - Turn on zlib compression for dbclient. - Set "low delay" TOS bit, can significantly improve interactivity over some links. - Added client keyboard-interactive mode support, allows operation with newer OpenSSH servers in default config. - Log when pubkey auth fails because of bad ~/.ssh/authorized_keys permissions - Improve logging of assertions - Added aes-256 cipher and sha1-96 hmac. - Fix twofish so that it actually works. - Improve PAM prompt comparison. - Added -g (dbclient) and -a (dropbear server) options to allow connections to listening forwarded ports from remote machines. - Various other minor fixes - Compile fixes for glibc 2.1 (ss_family vs __ss_family) and NetBSD (netinet/in_systm.h needs to be included).