Ubuntu
dropbear package

CVE-2012-0920 needs fixing, server use-after-free

  1. Oneiric (11.10)
  2. Bug #976360
Bug #976360 reported by Matt Johnston
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
dropbear (Debian)
Fix Released
Unknown
dropbear (Ubuntu)
Fix Released
Undecided
Unassigned
Lucid
Fix Released
Undecided
Unassigned
Natty
Fix Released
Undecided
Unassigned
Oneiric
Fix Released
Undecided
Unassigned
Precise
Fix Released
Undecided
Unassigned
Quantal
Fix Released
Undecided
Unassigned

Bug Description

2012.55 was released in February to fix a use-after-free, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661150

Debian also has a backport for 0.52, the bug affects 0.52 to 2011.54.

Related branches

lp://staging/~jtaylor/ubuntu/lucid/dropbear/2012-0920
Jamie Strandboge: Approve
Diff: 71 lines (+47/-1)
3 files modified
debian/changelog (+10/-0)
debian/control (+2/-1)
debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff (+35/-0)
lp://staging/~jtaylor/ubuntu/oneiric/dropbear/CVE-2012-0920
Jamie Strandboge: Approve
Ubuntu branches: Pending requested
Diff: 122 lines (+110/-0)
2 files modified
debian/changelog (+10/-0)
debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff (+100/-0)
lp://staging/~jtaylor/ubuntu/precise/dropbear/CVE-2012-0920
Jamie Strandboge: Approve
Ubuntu branches: Pending requested
Diff: 136 lines (+112/-1)
3 files modified
debian/changelog (+10/-0)
debian/control (+2/-1)
debian/diff/0005-Fix-use-after-free-bug-CVE-2012-0920.diff (+100/-0)
lp://staging/ubuntu/oneiric-security/dropbear
lp://staging/ubuntu/lucid-updates/dropbear
lp://staging/ubuntu/precise-security/dropbear

CVE References

Bug Watch Updater (bug-watch-updater)
Changed in dropbear (Debian):
status: Unknown → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. I see that you have attached patches to update the Ubuntu packages to the new upstream version. While this work is appreciated, we cannot publish your patches because this does not follow Ubuntu's policy of backporting security patches. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

visibility: private → public
visibility: private → public
Changed in dropbear (Ubuntu):
status: New → Incomplete
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Opps, wrong bug response. Here comes the correct one.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in dropbear (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Julian Taylor (jtaylor) wrote :

natty and precise can be synced from debian

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Natty was fake synced from Debian. Precise will need to be patched at this point.

Changed in dropbear (Ubuntu Natty):
status: New → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the patches! Based on https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging, the lucid update should use 0.52-4ubuntu0.10.04.1 as the version. Oneiric should use a patch name of 0004-Fix-use-after-free-bug-CVE-2012-0920.diff since 0004 already exists. I have adjust both for this and uploaded.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors for now. Please resubscribe when a patch is prepared for precise.

Changed in dropbear (Ubuntu Lucid):
status: New → Fix Committed
Changed in dropbear (Ubuntu Oneiric):
status: New → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

dropbear (0.52-5+squeeze1build0.11.04.1) natty-security; urgency=low

  * fake sync from Debian

dropbear (0.52-5+squeeze1) stable-security; urgency=high

  * debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff: new:
    Fix use-after-free bug (CVE-2012-0920) (closes: #661150).

Changed in dropbear (Ubuntu Natty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dropbear - 0.53.1-1ubuntu1.1

---------------
dropbear (0.53.1-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: remote execution via use after free (LP: #976360)
    - debian/diff/0005-Fix-use-after-free-bug-CVE-2012-0920.diff
      pulled from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
      Thanks to Matt Johnston
    - CVE-2012-0920
 -- Julian Taylor <email address hidden> Tue, 24 Apr 2012 22:54:41 +0200

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dropbear - 0.52-4ubuntu0.10.04.1

---------------
dropbear (0.52-4ubuntu0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: remote execution via use after free (LP: #976360)
    - debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff
      backported from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
      Thanks to Gerrit Pape
    - CVE-2012-0920
 -- Julian Taylor <email address hidden> Tue, 24 Apr 2012 22:54:41 +0200

Changed in dropbear (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in dropbear (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for your patch! Looks good though I renamed 0005-Fix-use-after-free-bug-CVE-2012-0920.diff to 0004-Fix-use-after-free-bug-CVE-2012-0920.diff since there was no 0004* patch in precise. Uploaded.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, I had someone reject the merges since they were against the release version of the package and not -security, but I have uploaded them.

Changed in dropbear (Ubuntu Precise):
status: Triaged → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

When Quantal opens, feel free to ask for a sync request.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dropbear - 2011.54-1ubuntu0.12.04.1

---------------
dropbear (2011.54-1ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY UPDATE: remote execution via use after free (LP: #976360)
    - debian/diff/0004-Fix-use-after-free-bug-CVE-2012-0920.diff
      pulled from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
      Thanks to Matt Johnston
    - CVE-2012-0920
 -- Julian Taylor <email address hidden> Tue, 24 Apr 2012 22:54:41 +0200

Changed in dropbear (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors since there is nothing to do.

Revision history for this message
Julian Taylor (jtaylor) wrote :

This bug was fixed in the package dropbear - 2012.55-1

---------------
dropbear (2012.55-1) unstable; urgency=high

  * New upstream release.
    * Fix use-after-free bug that could be triggered if command="..."
      authorized_keys restrictions are used. Could allow arbitrary
      code execution or bypass of the command="..." restriction to an
      authenticated user. This bug affects releases 0.52 onwards.
      Ref CVE-2012-0920 (closes: #661150). Thanks to Danny Fullerton
      of Mantor Organization for reporting the bug.

 -- Gerrit Pape <email address hidden> Mon, 27 Feb 2012 14:18:53 +0000

Changed in dropbear (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.