Bug#1076016: bullseye-pu: package dropbear/2020.81-3+deb11u2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1076016: bullseye-pu: package dropbear/2020.81-3+deb11u2
From: Guilhem Moulin <guilhem@debian.org>
Date: Tue, 9 Jul 2024 17:20:59 +0200
Message-id: <[🔎] Zo1VWyYCbmPgqyg-@debian.org>
Reply-to: Guilhem Moulin <guilhem@debian.org>, 1076016@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: dropbear@packages.debian.org
Control: affects -1 + src:dropbear
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

Keepalive packets are being ignored when the ‛-k’ flag (or
‛no-port-forwarding’ authorized_keys(5) restriction) is used.

AFAICT buster is affected as well, so this is not a regression in
bullseye.

[ Impact ]

dropbear-initramfs users unlocking the root file system remotely with
message keepalive enabled (ssh -oServerAliveInterval≠0) might lock
themselves out, see #1069768.

[ Tests ]

I did manually tests that dropbear-bin=2020.81-3+deb11u2 replies to
message keepalives even when remote TCP forwarding is disabled.

[ Risks ]

The patch is trivial and was cleanly cherry-picked from upstream.
With 2020.81-3+deb11u1, the workarounds to prevent being locked out
is to either disable message keepalives on the SSH client, or not to
disable remote TCP forwarding on the SSH server (dropbear).

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Cherry-pick upstream patch to fix noremotetcp behavior.  Keepalive
packets were being ignored when the ‛-k’ flag (or ‛no-port-forwarding’
authorized_keys(5) restriction) was used.  (Closes: #1069768)

-- 
Guilhem.

diffstat for dropbear-2020.81 dropbear-2020.81

 changelog                              |    8 ++++++
 patches/fix-noremotetcp-behavior.patch |   39 +++++++++++++++++++++++++++++++++
 patches/series                         |    1 
 3 files changed, 48 insertions(+)

diff -Nru dropbear-2020.81/debian/changelog dropbear-2020.81/debian/changelog
--- dropbear-2020.81/debian/changelog	2024-01-26 12:00:26.000000000 +0100
+++ dropbear-2020.81/debian/changelog	2024-07-09 15:51:42.000000000 +0200
@@ -1,3 +1,11 @@
+dropbear (2020.81-3+deb11u2) bullseye; urgency=medium
+
+  * Fix noremotetcp behavior.  Keepalive packets were being ignored when the
+    ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was
+    used.  (Closes: #1069768)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Tue, 09 Jul 2024 15:51:42 +0200
+
 dropbear (2020.81-3+deb11u1) bullseye; urgency=medium
 
   * Fix CVE-2021-36369: Due to a non-RFC-compliant check of the available
diff -Nru dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch
--- dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch	1970-01-01 01:00:00.000000000 +0100
+++ dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch	2024-07-09 15:51:42.000000000 +0200
@@ -0,0 +1,39 @@
+From: Justin Chen <justin.chen@broadcom.com>
+Date: Fri, 8 Sep 2023 11:35:18 -0700
+Subject: src: svr-tcpfwd: Fix noremotetcp behavior
+
+If noremotetcp is set, we should still reply with
+send_msg_request_failed. This matches the behavior
+of !DROPBEAR_SVR_REMOTETCPFWD.
+
+We were seeing keepalive packets being ignored when
+the "-k" option was used.
+
+Origin: https://github.com/mkj/dropbear/commit/3cf8344769eda55e26eee53c1898b2c66544f188
+Bug-Debian: https://bugs.debian.org/1069768
+---
+ svr-tcpfwd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c
+index 9a2310d..b5e7855 100644
+--- a/svr-tcpfwd.c
++++ b/svr-tcpfwd.c
+@@ -73,14 +73,14 @@ void recv_msg_global_request_remotetcp() {
+ 
+ 	TRACE(("enter recv_msg_global_request_remotetcp"))
+ 
++	reqname = buf_getstring(ses.payload, &namelen);
++	wantreply = buf_getbool(ses.payload);
++
+ 	if (svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()) {
+ 		TRACE(("leave recv_msg_global_request_remotetcp: remote tcp forwarding disabled"))
+ 		goto out;
+ 	}
+ 
+-	reqname = buf_getstring(ses.payload, &namelen);
+-	wantreply = buf_getbool(ses.payload);
+-
+ 	if (namelen > MAX_NAME_LEN) {
+ 		TRACE(("name len is wrong: %d", namelen))
+ 		goto out;
diff -Nru dropbear-2020.81/debian/patches/series dropbear-2020.81/debian/patches/series
--- dropbear-2020.81/debian/patches/series	2024-01-26 12:00:26.000000000 +0100
+++ dropbear-2020.81/debian/patches/series	2024-07-09 15:51:42.000000000 +0200
@@ -1,3 +1,4 @@
 local-options.patch
 CVE-2021-36369.patch
 CVE-2023-48795.patch
+fix-noremotetcp-behavior.patch

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Processed: bullseye-pu: package dropbear/2020.81-3+deb11u2
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: bullseye-pu: package dropbear/2020.81-3+deb11u2
Next by Date: Processed: Re: Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1
Previous by thread: Processed: bookworm-pu: package dropbear/2022.83-1+deb12u2
Next by thread: Processed: bullseye-pu: package dropbear/2020.81-3+deb11u2
Index(es):
- Date
- Thread