Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: dropbear@packages.debian.org
Control: affects -1 + src:dropbear
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Keepalive packets are being ignored when the ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) is used. Bullseye is affected as well, so this is not a regression in bookworm.

[ Impact ]
dropbear-initramfs users unlocking the root file system remotely with message keepalive enabled (ssh -oServerAliveInterval≠0) might lock themselves out, see #1069768.

[ Tests ]
I manually tested that dropbear-bin=2022.83-1+deb12u2 replies to message keepalives even when remote TCP forwarding is disabled.

[ Risks ]
The patch is trivial and was cleanly cherry-picked from upstream. Without 2022.83-1+deb12u1, the workaround to prevent being locked out is to either disable message keepalives on the SSH client, or not to disable remote TCP forwarding on the SSH server (dropbear).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Cherry-pick upstream patch to fix noremotetcp behavior. Keepalive packets were being ignored when the ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was used. (Closes: #1069768)

--
Guilhem.

diffstat for dropbear-2022.83 dropbear-2022.83
changelog | 8 ++++++
patches/fix-noremotetcp-behavior.patch | 39 +++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 48 insertions(+)
diff -Nru dropbear-2022.83/debian/changelog dropbear-2022.83/debian/changelog
--- dropbear-2022.83/debian/changelog 2024-01-26 10:01:00.000000000 +0100
+++ dropbear-2022.83/debian/changelog 2024-07-09 14:22:02.000000000 +0200
@@ -1,3 +1,11 @@
+dropbear (2022.83-1+deb12u2) bookworm; urgency=medium
+
+ * Fix noremotetcp behavior. Keepalive packets were being ignored when the
+ ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was
+ used. (Closes: #1069768)
+
+ -- Guilhem Moulin <guilhem@debian.org> Tue, 09 Jul 2024 14:22:02 +0200
+
dropbear (2022.83-1+deb12u1) bookworm; urgency=medium
* Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with
diff -Nru dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch
--- dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch 1970-01-01 01:00:00.000000000 +0100
+++ dropbear-2022.83/debian/patches/fix-noremotetcp-behavior.patch 2024-07-09 14:22:02.000000000 +0200
@@ -0,0 +1,39 @@
+From: Justin Chen <justin.chen@broadcom.com>
+Date: Fri, 8 Sep 2023 11:35:18 -0700
+Subject: src: svr-tcpfwd: Fix noremotetcp behavior
+
+If noremotetcp is set, we should still reply with
+send_msg_request_failed. This matches the behavior
+of !DROPBEAR_SVR_REMOTETCPFWD.
+
+We were seeing keepalive packets being ignored when
+the "-k" option was used.
+
+Origin: https://github.com/mkj/dropbear/commit/3cf8344769eda55e26eee53c1898b2c66544f188
+Bug-Debian: https://bugs.debian.org/1069768
+---
+ svr-tcpfwd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c
+index 7967cfa..01a76a2 100644
+--- a/svr-tcpfwd.c
++++ b/svr-tcpfwd.c
+@@ -79,14 +79,14 @@ void recv_msg_global_request_remotetcp() {
+
+ TRACE(("enter recv_msg_global_request_remotetcp"))
+
++ reqname = buf_getstring(ses.payload, &namelen);
++ wantreply = buf_getbool(ses.payload);
++
+ if (svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()) {
+ TRACE(("leave recv_msg_global_request_remotetcp: remote tcp forwarding disabled"))
+ goto out;
+ }
+
+- reqname = buf_getstring(ses.payload, &namelen);
+- wantreply = buf_getbool(ses.payload);
+-
+ if (namelen > MAX_NAME_LEN) {
+ TRACE(("name len is wrong: %d", namelen))
+ goto out;
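Review bot: in the svr-tcpfwd.c change, `reqname = buf_getstring(ses.payload, &namelen);` now runs before the `svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()` check, so the early `goto out` is reached while reqname holds the string returned by buf_getstring and before the `namelen > MAX_NAME_LEN` bound is applied. The `out:` label is outside the visible context: please confirm that it releases reqname and that it sends the failure reply when wantreply is set, since the fix depends on both. A regression test that sends a global request with want-reply to a server started with "-k" would also keep this ordering from being reverted by a later refactor.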
diff -Nru dropbear-2022.83/debian/patches/series dropbear-2022.83/debian/patches/series
--- dropbear-2022.83/debian/patches/series 2024-01-26 10:01:00.000000000 +0100
+++ dropbear-2022.83/debian/patches/series 2024-07-09 14:22:02.000000000 +0200
@@ -2,3 +2,4 @@
support-running-test_aslr-without-venv.patch
raise-connection-delay-in-tests.patch
CVE-2023-48795.patch
+fix-noremotetcp-behavior.patch
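The ordering problem the patch fixes, as a simplified C model added here for illustration (not dropbear's code and not part of the original message). It assumes the handler's exit path sends a failure reply only when want_reply was read as true; the function names, the `parse_first` switch and the sample payload are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum reply { NO_REPLY = 0, REPLY_FAILURE = 82 }; /* 82 = SSH_MSG_REQUEST_FAILURE */

/* Read want_reply from "string name, boolean want_reply" (RFC 4254, section 4).
 * Returns 0 on success, -1 if the payload is truncated. */
static int parse_request(const uint8_t *p, size_t len, int *wantreply) {
    uint32_t n;
    if (len < 4) return -1;
    n = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
        ((uint32_t)p[2] << 8) | p[3];
    if (n > len - 4 || len - 4 - n < 1) return -1;
    *wantreply = p[4 + n] != 0;
    return 0;
}

/* Model of the global-request handler (assumption, not the real function).
 * parse_first = 0 is the old ordering, 1 is the patched ordering.
 * forwarding_disabled stands for "-k" or the no-port-forwarding restriction. */
enum reply handle_global_request(const uint8_t *p, size_t len,
                                 int forwarding_disabled, int parse_first) {
    int wantreply = 0; /* stays 0 if we leave before parsing */

    if (parse_first && parse_request(p, len, &wantreply) != 0)
        return NO_REPLY; /* malformed payload: the model sends nothing */
    if (forwarding_disabled)
        goto out;
    if (!parse_first && parse_request(p, len, &wantreply) != 0)
        return NO_REPLY;
    /* Forwarding requests would be handled here; a keepalive is not one,
     * so it falls through to the failure reply. */
out:
    return wantreply ? REPLY_FAILURE : NO_REPLY;
}

/* Constructed sample: global request "keepalive@openssh.com", want_reply = 1. */
enum reply keepalive_reply(int forwarding_disabled, int parse_first) {
    static const char name[] = "keepalive@openssh.com";
    uint8_t buf[64] = {0};
    size_t n = sizeof(name) - 1;
    buf[3] = (uint8_t)n;            /* 4-byte big-endian length prefix */
    memcpy(buf + 4, name, n);
    buf[4 + n] = 1;                 /* want_reply = TRUE */
    return handle_global_request(buf, 4 + n + 1, forwarding_disabled, parse_first);
}
```

With the old ordering and forwarding disabled the client's keepalive gets no answer at all, which is what makes a client with ServerAliveInterval set give up on the connection.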