
CVE-2012-0920 needs fixing, server use-after-free

Reported by Matt Johnston on 2012-04-08
Affects            Status        Importance  Assigned to  Milestone
dropbear (Debian)  Fix Released  Unknown
dropbear (Ubuntu)                Undecided   Unassigned
  Lucid                          Undecided   Unassigned
  Natty                          Undecided   Unassigned
  Oneiric                        Undecided   Unassigned
  Precise                        Undecided   Unassigned
  Quantal                        Undecided   Unassigned

Bug Description

2012.55 was released in February to fix a use-after-free, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661150

Debian also has a backport for 0.52, the bug affects 0.52 to 2011.54.

Changed in dropbear (Debian):
status: Unknown → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. I see that you have attached patches to update the Ubuntu packages to the new upstream version. While this work is appreciated, we cannot publish your patches because this does not follow Ubuntu's policy of backporting security patches. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

visibility: private → public
Changed in dropbear (Ubuntu):
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Oops, wrong bug response. Here comes the correct one.

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in dropbear (Ubuntu):
status: Incomplete → Triaged
Julian Taylor (jtaylor) wrote :

natty and precise can be synced from debian

Jamie Strandboge (jdstrand) wrote :

Natty was fake synced from Debian. Precise will need to be patched at this point.

Changed in dropbear (Ubuntu Natty):
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Thanks for the patches! Based on https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging, the lucid update should use 0.52-4ubuntu0.10.04.1 as the version. Oneiric should use a patch name of 0004-Fix-use-after-free-bug-CVE-2012-0920.diff since 0004 already exists. I have adjusted both for this and uploaded.

Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors for now. Please resubscribe when a patch is prepared for precise.

Changed in dropbear (Ubuntu Lucid):
status: New → Fix Committed
Changed in dropbear (Ubuntu Oneiric):
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

dropbear (0.52-5+squeeze1build0.11.04.1) natty-security; urgency=low

  * fake sync from Debian

dropbear (0.52-5+squeeze1) stable-security; urgency=high

  * debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff: new:
    Fix use-after-free bug (CVE-2012-0920) (closes: #661150).

Changed in dropbear (Ubuntu Natty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dropbear - 0.53.1-1ubuntu1.1

---------------
dropbear (0.53.1-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: remote execution via use after free (LP: #976360)
    - debian/diff/0005-Fix-use-after-free-bug-CVE-2012-0920.diff
      pulled from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
      Thanks to Matt Johnston
    - CVE-2012-0920
 -- Julian Taylor <email address hidden> Tue, 24 Apr 2012 22:54:41 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dropbear - 0.52-4ubuntu0.10.04.1

---------------
dropbear (0.52-4ubuntu0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: remote execution via use after free (LP: #976360)
    - debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff
      backported from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
      Thanks to Gerrit Pape
    - CVE-2012-0920
 -- Julian Taylor <email address hidden> Tue, 24 Apr 2012 22:54:41 +0200

Changed in dropbear (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in dropbear (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thanks for your patch! Looks good though I renamed 0005-Fix-use-after-free-bug-CVE-2012-0920.diff to 0004-Fix-use-after-free-bug-CVE-2012-0920.diff since there was no 0004* patch in precise. Uploaded.

Jamie Strandboge (jdstrand) wrote :

FYI, I had someone reject the merges since they were against the release version of the package and not -security, but I have uploaded them.

Changed in dropbear (Ubuntu Precise):
status: Triaged → Fix Committed
Jamie Strandboge (jdstrand) wrote :

When Quantal opens, feel free to ask for a sync request.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dropbear - 2011.54-1ubuntu0.12.04.1

---------------
dropbear (2011.54-1ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY UPDATE: remote execution via use after free (LP: #976360)
    - debian/diff/0004-Fix-use-after-free-bug-CVE-2012-0920.diff
      pulled from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
      Thanks to Matt Johnston
    - CVE-2012-0920
 -- Julian Taylor <email address hidden> Tue, 24 Apr 2012 22:54:41 +0200

Changed in dropbear (Ubuntu Precise):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors since there is nothing to do.

Julian Taylor (jtaylor) wrote :

This bug was fixed in the package dropbear - 2012.55-1

---------------
dropbear (2012.55-1) unstable; urgency=high

  * New upstream release.
    * Fix use-after-free bug that could be triggered if command="..."
      authorized_keys restrictions are used. Could allow arbitrary
      code execution or bypass of the command="..." restriction to an
      authenticated user. This bug affects releases 0.52 onwards.
      Ref CVE-2012-0920 (closes: #661150). Thanks to Danny Fullerton
      of Mantor Organization for reporting the bug.

 -- Gerrit Pape <email address hidden> Mon, 27 Feb 2012 14:18:53 +0000

Changed in dropbear (Ubuntu):
status: Triaged → Fix Released