[3.1] dropbear: 2016.74 security update
This includes fixes for multiple security issues.
- Security: Message printout was vulnerable to format string injection.
  If specific usernames including “%” symbols can be created on a system
  (validated by getpwnam()) then an attacker could run arbitrary code as root
  when connecting to Dropbear server.
  A dbclient user who can control username or host arguments could potentially
  run arbitrary code as the dbclient user. This could be a problem if scripts
  or webpages pass untrusted input to the dbclient program.
- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
  the local dropbearconvert user when parsing malicious key files.
- Security: dbclient could run arbitrary code as the local dbclient user if
  particular -m or -c arguments are provided. This could be an issue where
  dbclient is used in scripts.
- Security: dbclient or dropbear server could expose process memory to the
  running user if compiled with DEBUG_TRACE and running with -v.
- Fix port forwarding failure when connecting to domains that have both
  IPv4 and IPv6 addresses. The bug was introduced in 2015.68.
- Fix 100% CPU use while waiting for rekey to complete.
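
The bug class behind the first item, as a minimal C illustration added here (not Dropbear's code; `log_msg`, `report_unsafe`, `report_safe` and the message text are hypothetical). The constructed username contains only `%%`, a directive that takes no arguments, to show that the unsafe path parses the username as a format while the hardened path logs it verbatim.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style message sink. It formats into a buffer so the
 * result can be inspected. Declaring such a function with
 * __attribute__((format(printf, 1, 2))) lets GCC/Clang -Wformat-security
 * flag the unsafe call below at compile time. */
static char last_msg[256];

static void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the message already contains the username and is then
 * handed over as the format string, so any '%' in it is parsed again. */
static const char *report_unsafe(const char *user)
{
    char buf[128];
    snprintf(buf, sizeof buf, "login attempt for '%s'", user);
    log_msg(buf);
    return last_msg;
}

/* Hardened pattern: the format is a constant, the message is only data. */
static const char *report_safe(const char *user)
{
    char buf[128];
    snprintf(buf, sizeof buf, "login attempt for '%s'", user);
    log_msg("%s", buf);
    return last_msg;
}

int main(void)
{
    const char *user = "a%%b";   /* constructed sample username */
    printf("unsafe: %s\n", report_unsafe(user));  /* "%%" collapsed to "%" */
    printf("safe:   %s\n", report_safe(user));    /* logged verbatim */
    return 0;
}
```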
References:
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2016q3/001932.html
(from redmine: issue id 5998, created on 2016-08-03, closed on 2016-08-12)
- Relations:
- parent #5994 (closed)