Your message dated Sat, 10 Sep 2022 13:40:55 +0100
with message-id <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 10.13
has caused the Debian Bug report #1009065,
regarding buster-pu: package dropbear/2018.76-5+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1009065: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009065
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package dropbear/2018.76-5+deb10u1
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Wed, 6 Apr 2022 21:26:26 +0200
- Message-id: <Yk3pYggDuK7EtdMY@debian.org>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
CVE-2019-12953: Dropbear 2011.54 through 2018.76 has an inconsistent failure delay that may lead to revealing valid usernames. This is a different issue than CVE-2018-15599. The Security Team decided it didn't warrant a DSA and suggested an upload via -pu instead.

[ Impact ]
When password authentication is enabled on the SSH daemon (the default behavior) an attacker could determine whether a given username exists by trying to authenticate with a very long password and measuring the response time.

[ Tests ]
I manually checked that password authentication still works, and that passwords of length >100 bytes are rejected without processing.

[ Risks ]
The fix is trivial and is cherry-picked from upstream's 2019.77: https://hg.ucc.asn.au/dropbear/rev/228b086794b7 . While this is a regression for legitimate passwords >100 bytes long, that same fix has been in Bullseye since July 2019 and as far as I know no one has filed a bug for legitimate use of extra long passwords, so it probably makes sense to backport the fix to Buster as well.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in oldstable
[*] the issue is verified as fixed in unstable

[ Changes ]
* Cherry-pick upstream's https://hg.ucc.asn.au/dropbear/rev/228b086794b7 in order to reject passwords of length >100 bytes outright as an attempt to defeat timing attacks.
* Set ‘debian-branch = debian/buster’ in debian/gbp.conf.
-- Guilhem.diffstat for dropbear-2018.76 dropbear-2018.76 changelog | 10 ++++++++ gbp.conf | 1 patches/CVE-2019-12953.patch | 48 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 60 insertions(+) diff -Nru dropbear-2018.76/debian/changelog dropbear-2018.76/debian/changelog --- dropbear-2018.76/debian/changelog 2019-02-12 13:06:15.000000000 +0100 +++ dropbear-2018.76/debian/changelog 2022-04-06 20:54:24.000000000 +0200 @@ -1,3 +1,13 @@ +dropbear (2018.76-5+deb10u1) buster; urgency=medium + + * Backport security fix for CVE-2019-12953: Inconsistent failure delay that + may lead to revealing valid usernames. The fix limits password length to + 100 bytes. (Closes: #1009062.) + Cherry-picked from https://hg.ucc.asn.au/dropbear/rev/228b086794b7 . + * d/gbp.conf: Set debian-branch = debian/buster. + + -- Guilhem Moulin <guilhem@debian.org> Wed, 06 Apr 2022 20:54:24 +0200 + dropbear (2018.76-5) unstable; urgency=medium * Put custom options, such as SFTPSERVER_PATH, in localoptions.h not in diff -Nru dropbear-2018.76/debian/gbp.conf dropbear-2018.76/debian/gbp.conf --- dropbear-2018.76/debian/gbp.conf 2019-02-12 13:06:15.000000000 +0100 +++ dropbear-2018.76/debian/gbp.conf 2022-04-06 20:54:24.000000000 +0200 @@ -1,4 +1,5 @@ [DEFAULT] +debian-branch = debian/buster pristine-tar = False compression = bzip2 diff -Nru dropbear-2018.76/debian/patches/CVE-2019-12953.patch dropbear-2018.76/debian/patches/CVE-2019-12953.patch --- dropbear-2018.76/debian/patches/CVE-2019-12953.patch 1970-01-01 01:00:00.000000000 +0100 +++ dropbear-2018.76/debian/patches/CVE-2019-12953.patch 2022-04-06 20:54:24.000000000 +0200 
@@ -0,0 +1,48 @@ +commit 8b4f60a7a113f4e9ae801dea88606f2663728f03 +Author: Matt Johnston <matt@ucc.asn.au> +Date: Thu Mar 21 00:09:07 2019 +0800 + + limit password length to 100 + +diff --git a/svr-authpasswd.c b/svr-authpasswd.c +index 69c7d8a..a4f3202 100644 +--- a/svr-authpasswd.c ++++ b/svr-authpasswd.c +@@ -65,7 +65,7 @@ void svr_auth_password(int valid_user) { + } + + password = buf_getstring(ses.payload, &passwordlen); +- if (valid_user) { ++ if (valid_user && passwordlen <= DROPBEAR_MAX_PASSWORD_LEN) { + /* the first bytes of passwdcrypt are the salt */ + passwdcrypt = ses.authstate.pw_passwd; + testcrypt = crypt(password, passwdcrypt); +@@ -80,6 +80,15 @@ void svr_auth_password(int valid_user) { + return; + } + ++ if (passwordlen > DROPBEAR_MAX_PASSWORD_LEN) { ++ dropbear_log(LOG_WARNING, ++ "Too-long password attempt for '%s' from %s", ++ ses.authstate.pw_name, ++ svr_ses.addrstring); ++ send_msg_userauth_failure(0, 1); ++ return; ++ } ++ + if (testcrypt == NULL) { + /* crypt() with an invalid salt like "!!" */ + dropbear_log(LOG_WARNING, "User account '%s' is locked", +diff --git a/sysoptions.h b/sysoptions.h +index 5bdb3e3..8648c4e 100644 +--- a/sysoptions.h ++++ b/sysoptions.h +@@ -86,6 +86,8 @@ + /* Required for pubkey auth */ + #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT)) + ++#define DROPBEAR_MAX_PASSWORD_LEN 100 ++ + #define SHA1_HASH_SIZE 20 + #define MD5_HASH_SIZE 16 + #define MAX_HASH_SIZE 64 /* sha512 */ diff -Nru dropbear-2018.76/debian/patches/series dropbear-2018.76/debian/patches/series --- dropbear-2018.76/debian/patches/series 2019-02-12 13:06:15.000000000 +0100 +++ dropbear-2018.76/debian/patches/series 2022-04-06 20:54:24.000000000 +0200 @@ -1,2 +1,3 @@ local-options.patch CVE-2018-15599.patch +CVE-2019-12953.patchAttachment: signature.asc
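Review bot: in the debian/changelog hunk the entry says the fix "limits password length to 100 bytes" but does not say what that means for existing users: a legitimate password longer than 100 bytes will stop working after the upgrade, which the bug report itself calls a regression. Suggest adding one line to the entry (or a debian/NEWS note) saying so, e.g. "Passwords longer than 100 bytes are now rejected; users with longer passwords must shorten them."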
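Review bot: in the svr-authpasswd.c hunk the length bound is tested twice, once negated in `if (valid_user && passwordlen <= DROPBEAR_MAX_PASSWORD_LEN)` and again in the new `if (passwordlen > DROPBEAR_MAX_PASSWORD_LEN)` block that sits after the earlier `return;`. A single early `if (passwordlen > DROPBEAR_MAX_PASSWORD_LEN)` test placed before the `crypt()` call would state the intent once and keep the two conditions from drifting apart in later edits, provided the password buffer is still released on that path. Also note the new branch calls `send_msg_userauth_failure(0, 1)`, so an over-length attempt counts toward the failure limit exactly like a wrong password; that is the right choice but deserves a comment, since it is what keeps the rejection path indistinguishable from an ordinary failure.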
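Review bot: in the sysoptions.h hunk `#define DROPBEAR_MAX_PASSWORD_LEN 100` is added without a comment, unlike the neighbouring `DROPBEAR_SIGNKEY_VERIFY` line. A one-line comment saying the bound exists to cap the time spent in crypt() so that failure timing does not depend on whether the user exists (CVE-2019-12953), and that it is a user-visible limit, would stop a future reader from treating it as a tunable to raise freely.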
Description: PGP signature
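As an added example (not Dropbear's or Debian's code), the following models the password-check path described in the [ Impact ] and [ Changes ] sections before and after the cherry-picked fix, using a work counter that grows with password length in place of crypt(); `MAX_PASSWORD_LEN`, `slow_hash_matches` and `attempt_cost` are names assumed here, and the stored secret is constructed.

```c
/* Added example, not Dropbear's code: models the password check before and
 * after the CVE-2019-12953 fix.  A work counter that grows with password
 * length stands in for crypt(), so the two paths compare without timing. */
#include <stddef.h>
#include <string.h>
#define MAX_PASSWORD_LEN 100   /* the bound the upstream fix introduces */
static size_t work_units;      /* stand-in for time spent in the hash */

/* Stand-in for crypt(): cost proportional to input length, compared
 * against a constructed stored secret instead of a real hash. */
static int slow_hash_matches(const char *pw, size_t len, const char *stored)
{
    work_units += len;
    return len == strlen(stored) && memcmp(pw, stored, len) == 0;
}

/* Before the fix: the hash runs only for existing users, so a very long
 * password makes the valid-user path measurably slower than the unknown-user
 * path; that difference is the username oracle the bug report describes. */
int auth_before(int valid_user, const char *pw, size_t len, const char *stored)
{
    int ok = 0;
    if (valid_user)
        ok = slow_hash_matches(pw, len, stored);
    return valid_user && ok;
}

/* After the fix: an over-length password never reaches the hash whether or
 * not the user exists, so both cases take the same cheap failure path.
 * Ordinary-length passwords are checked exactly as before. */
int auth_after(int valid_user, const char *pw, size_t len, const char *stored)
{
    int ok = 0;
    if (valid_user && len <= MAX_PASSWORD_LEN)
        ok = slow_hash_matches(pw, len, stored);
    if (len > MAX_PASSWORD_LEN)
        return 0;              /* upstream also logs the attempt here */
    return valid_user && ok;
}

/* Work spent on one attempt with a constructed password of `len` 'A' bytes. */
size_t attempt_cost(int (*auth)(int, const char *, size_t, const char *),
                    int valid_user, size_t len)
{
    static char pw[4096];
    memset(pw, 'A', sizeof pw);
    if (len > sizeof pw) len = sizeof pw;
    work_units = 0;
    auth(valid_user, pw, len, "constructed-secret");
    return work_units;
}
```

The fix removes only the length-driven amplification; for ordinary-length passwords the valid-user path still does the hash work, which is the separate concern tracked as CVE-2018-15599.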
--- End Message ---
--- Begin Message ---
- To: 941901-done@bugs.debian.org, 945578-done@bugs.debian.org, 960396-done@bugs.debian.org, 966028-done@bugs.debian.org, 983841-done@bugs.debian.org, 987538-done@bugs.debian.org, 987941-done@bugs.debian.org, 990372-done@bugs.debian.org, 990739-done@bugs.debian.org, 991120-done@bugs.debian.org, 998390-done@bugs.debian.org, 1003293-done@bugs.debian.org, 1006182-done@bugs.debian.org, 1008056-done@bugs.debian.org, 1008062-done@bugs.debian.org, 1008154-done@bugs.debian.org, 1008163-done@bugs.debian.org, 1008578-done@bugs.debian.org, 1009065-done@bugs.debian.org, 1009076-done@bugs.debian.org, 1009251-done@bugs.debian.org, 1009652-done@bugs.debian.org, 1010060-done@bugs.debian.org, 1010193-done@bugs.debian.org, 1010305-done@bugs.debian.org, 1010380-done@bugs.debian.org, 1010388-done@bugs.debian.org, 1010615-done@bugs.debian.org, 1010858-done@bugs.debian.org, 1011030-done@bugs.debian.org, 1011272-done@bugs.debian.org, 1011286-done@bugs.debian.org, 1011360-done@bugs.debian.org, 1011745-done@bugs.debian.org, 1011943-done@bugs.debian.org, 1012048-done@bugs.debian.org, 1012066-done@bugs.debian.org, 1013347-done@bugs.debian.org, 1014145-done@bugs.debian.org, 1014200-done@bugs.debian.org, 1014346-done@bugs.debian.org, 1014860-done@bugs.debian.org, 1014907-done@bugs.debian.org, 1014909-done@bugs.debian.org, 1014912-done@bugs.debian.org, 1015243-done@bugs.debian.org, 1016169-done@bugs.debian.org, 1016176-done@bugs.debian.org, 1016198-done@bugs.debian.org, 1016439-done@bugs.debian.org, 1016671-done@bugs.debian.org, 1016733-done@bugs.debian.org, 1017112-done@bugs.debian.org, 1017393-done@bugs.debian.org, 1017998-done@bugs.debian.org, 1018048-done@bugs.debian.org, 1018080-done@bugs.debian.org, 1018086-done@bugs.debian.org, 1018092-done@bugs.debian.org, 1018095-done@bugs.debian.org, 1018096-done@bugs.debian.org, 1018097-done@bugs.debian.org, 1018101-done@bugs.debian.org, 1018107-done@bugs.debian.org, 1018108-done@bugs.debian.org, 1018151-done@bugs.debian.org, 
1018152-done@bugs.debian.org, 1018178-done@bugs.debian.org, 1018179-done@bugs.debian.org, 1018182-done@bugs.debian.org, 1018184-done@bugs.debian.org, 1018185-done@bugs.debian.org, 1018199-done@bugs.debian.org, 1018241-done@bugs.debian.org, 1018244-done@bugs.debian.org, 1018246-done@bugs.debian.org, 1018250-done@bugs.debian.org
- Subject: Closing requests for updates included in 10.13
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 10 Sep 2022 13:40:55 +0100
- Message-id: <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.13

Hi,

Each of the updates referenced in these bugs was included in today's 10.13 point release.

Regards,

Adam
--- End Message ---