
Bug#1009065: marked as done (buster-pu: package dropbear/2018.76-5+deb10u1)



Your message dated Sat, 10 Sep 2022 13:40:55 +0100
with message-id <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 10.13
has caused the Debian Bug report #1009065,
regarding buster-pu: package dropbear/2018.76-5+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1009065: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009065
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

CVE-2019-12953: Dropbear 2011.54 through 2018.76 has an inconsistent
failure delay that may lead to revealing valid usernames.  This is a
different issue than CVE-2018-15599.

The Security Team decided it didn't warrant a DSA and suggested an
upload via -pu instead.

[ Impact ]

When password authentication is enabled on the SSH daemon (the default
behavior), an attacker could determine whether a given username exists by
trying to authenticate with a very long password and measuring the response
time.

[ Tests ]

I manually checked that password authentication still works, and that
passwords of length >100 bytes are rejected without processing.

[ Risks ]

The fix is trivial and is cherry-picked from upstream's 2019.77:
https://hg.ucc.asn.au/dropbear/rev/228b086794b7 .  While this is a
regression for legitimate passwords >100 bytes long, that same fix is in
Bullseye since July 2019 and as far as I know no one has filed a bug for
legitimate use of extra long passwords, so it probably makes sense to
backport the fix to Buster as well.

[ Checklist ]

  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in oldstable
  [*] the issue is verified as fixed in unstable

[ Changes ]

 * Cherry-pick upstream's https://hg.ucc.asn.au/dropbear/rev/228b086794b7
   in order to reject passwords of length >100 bytes outright as an attempt
   to defeat timing attacks.
 * Set ‘debian-branch = debian/buster’ in debian/gbp.conf.

-- 
Guilhem.
diffstat for dropbear-2018.76 dropbear-2018.76

 changelog                    |   10 ++++++++
 gbp.conf                     |    1 
 patches/CVE-2019-12953.patch |   48 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 4 files changed, 60 insertions(+)

diff -Nru dropbear-2018.76/debian/changelog dropbear-2018.76/debian/changelog
--- dropbear-2018.76/debian/changelog	2019-02-12 13:06:15.000000000 +0100
+++ dropbear-2018.76/debian/changelog	2022-04-06 20:54:24.000000000 +0200
@@ -1,3 +1,13 @@
+dropbear (2018.76-5+deb10u1) buster; urgency=medium
+
+  * Backport security fix for CVE-2019-12953: Inconsistent failure delay that
+    may lead to revealing valid usernames.  The fix limits password length to
+    100 bytes.  (Closes: #1009062.)
+    Cherry-picked from https://hg.ucc.asn.au/dropbear/rev/228b086794b7 .
+  * d/gbp.conf: Set debian-branch = debian/buster.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 06 Apr 2022 20:54:24 +0200
+
 dropbear (2018.76-5) unstable; urgency=medium
 
   * Put custom options, such as SFTPSERVER_PATH, in localoptions.h not in
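Review bot: the new changelog entry records the fix but not its user-visible side effect; the [Risks] section of the request acknowledges that legitimate passwords longer than 100 bytes will now be rejected, and that regression belongs in the entry as well (for instance a line such as "Note that passwords longer than 100 bytes are now rejected outright."), so that readers of apt-listchanges and the point-release notes see the behaviour change rather than only the CVE reference.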
diff -Nru dropbear-2018.76/debian/gbp.conf dropbear-2018.76/debian/gbp.conf
--- dropbear-2018.76/debian/gbp.conf	2019-02-12 13:06:15.000000000 +0100
+++ dropbear-2018.76/debian/gbp.conf	2022-04-06 20:54:24.000000000 +0200
@@ -1,4 +1,5 @@
 [DEFAULT]
+debian-branch = debian/buster
 pristine-tar = False
 compression = bzip2
 
diff -Nru dropbear-2018.76/debian/patches/CVE-2019-12953.patch dropbear-2018.76/debian/patches/CVE-2019-12953.patch
--- dropbear-2018.76/debian/patches/CVE-2019-12953.patch	1970-01-01 01:00:00.000000000 +0100
+++ dropbear-2018.76/debian/patches/CVE-2019-12953.patch	2022-04-06 20:54:24.000000000 +0200
@@ -0,0 +1,48 @@
+commit 8b4f60a7a113f4e9ae801dea88606f2663728f03
+Author: Matt Johnston <matt@ucc.asn.au>
+Date:   Thu Mar 21 00:09:07 2019 +0800
+
+    limit password length to 100
+
+diff --git a/svr-authpasswd.c b/svr-authpasswd.c
+index 69c7d8a..a4f3202 100644
+--- a/svr-authpasswd.c
++++ b/svr-authpasswd.c
+@@ -65,7 +65,7 @@ void svr_auth_password(int valid_user) {
+ 	}
+ 
+ 	password = buf_getstring(ses.payload, &passwordlen);
+-	if (valid_user) {
++	if (valid_user && passwordlen <= DROPBEAR_MAX_PASSWORD_LEN) {
+ 		/* the first bytes of passwdcrypt are the salt */
+ 		passwdcrypt = ses.authstate.pw_passwd;
+ 		testcrypt = crypt(password, passwdcrypt);
+@@ -80,6 +80,15 @@ void svr_auth_password(int valid_user) {
+ 		return;
+ 	}
+ 
++	if (passwordlen > DROPBEAR_MAX_PASSWORD_LEN) {
++		dropbear_log(LOG_WARNING,
++				"Too-long password attempt for '%s' from %s",
++				ses.authstate.pw_name,
++				svr_ses.addrstring);
++		send_msg_userauth_failure(0, 1);
++		return;
++	}
++
+ 	if (testcrypt == NULL) {
+ 		/* crypt() with an invalid salt like "!!" */
+ 		dropbear_log(LOG_WARNING, "User account '%s' is locked",
+diff --git a/sysoptions.h b/sysoptions.h
+index 5bdb3e3..8648c4e 100644
+--- a/sysoptions.h
++++ b/sysoptions.h
+@@ -86,6 +86,8 @@
+ /* Required for pubkey auth */
+ #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
+ 
++#define DROPBEAR_MAX_PASSWORD_LEN 100
++
+ #define SHA1_HASH_SIZE 20
+ #define MD5_HASH_SIZE 16
+ #define MAX_HASH_SIZE 64 /* sha512 */
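Review bot: the `+#define DROPBEAR_MAX_PASSWORD_LEN 100` line is unconditional in sysoptions.h, so the limit cannot be adjusted through localoptions.h, the mechanism the 2018.76-5 changelog entry above says custom options belong in; wrapping it in `#ifndef DROPBEAR_MAX_PASSWORD_LEN` / `#endif` would keep the upstream default while leaving that knob available to sites affected by the regression for longer legitimate passwords acknowledged in [Risks]. Separately, the patch file carries only git's commit/Author/Date header; adding DEP-3 `Origin:` and `Bug-Debian:` fields naming the upstream revision and #1009062 from the changelog would make its provenance machine-readable.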
diff -Nru dropbear-2018.76/debian/patches/series dropbear-2018.76/debian/patches/series
--- dropbear-2018.76/debian/patches/series	2019-02-12 13:06:15.000000000 +0100
+++ dropbear-2018.76/debian/patches/series	2022-04-06 20:54:24.000000000 +0200
@@ -1,2 +1,3 @@
 local-options.patch
 CVE-2018-15599.patch
+CVE-2019-12953.patch



--- End Message ---
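Once this update is deployed, the warning the cherry-picked patch adds ("Too-long password attempt for '%s' from %s") gives operators a log signal for the probing described in [Impact]. As an added example, not part of the request or of dropbear itself, the following Python groups those warnings by source host and flags hosts that tried many distinct usernames; the syslog prefix, the "ip:port" form of the address, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the warning introduced by the CVE-2019-12953 patch:
#   "Too-long password attempt for '%s' from %s"
# The syslog prefix (timestamp, host, "dropbear[pid]:") is an assumption
# about how the system logger wraps the daemon's output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"Too-long password attempt for '(?P<user>[^']*)' from (?P<src>\S+)$"
)

def parse_too_long_attempts(lines):
    """Return {source_host: set(usernames)} for matching lines; others are ignored."""
    by_host = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            # Assumed "ip:port" address form; drop the per-connection port so
            # all connections from one host are counted together.
            host = m.group("src").rsplit(":", 1)[0]
            by_host[host].add(m.group("user"))
    return dict(by_host)

def suspicious_sources(by_host, min_users=3):
    """Hosts that probed at least min_users distinct usernames with over-long
    passwords: an enumeration pattern, not one user mistyping a long passphrase."""
    return sorted(h for h, users in by_host.items() if len(users) >= min_users)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Apr  6 20:54:24 host dropbear[1234]: Too-long password attempt for 'root' from 203.0.113.7:51234
Apr  6 20:54:25 host dropbear[1235]: Too-long password attempt for 'admin' from 203.0.113.7:51236
Apr  6 20:54:26 host dropbear[1236]: Too-long password attempt for 'guilhem' from 203.0.113.7:51240
Apr  6 20:54:27 host dropbear[1237]: Too-long password attempt for 'alice' from 198.51.100.9:40012
Apr  6 20:54:28 host dropbear[1238]: Password auth succeeded for 'alice' from 198.51.100.9:40013
""".splitlines()

if __name__ == "__main__":
    stats = parse_too_long_attempts(SAMPLE_LOG)
    for host in suspicious_sources(stats):
        print(f"{host}: {len(stats[host])} distinct usernames probed with over-long passwords")
```

The threshold separates a single user with a long passphrase from a scan across accounts; tune min_users to the site's expected false-positive rate.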
--- Begin Message ---
Package: release.debian.org
Version: 10.13

Hi,

Each of the updates referenced in these bugs was included in today's
10.13 point release.

Regards,

Adam

--- End Message ---
