Your message dated Sat, 31 Aug 2024 12:30:55 +0100 with message-id <27c418b1a49ffc566f1b9635359e59f6a742be26.camel@adam-barratt.org.uk> and subject line Closing bugs for 11.11 has caused the Debian Bug report #1076016, regarding bullseye-pu: package dropbear/2020.81-3+deb11u2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1076016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076016
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package dropbear/2020.81-3+deb11u2
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Tue, 9 Jul 2024 17:20:59 +0200
- Message-id: <Zo1VWyYCbmPgqyg-@debian.org>
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: dropbear@packages.debian.org
Control: affects -1 + src:dropbear
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

Keepalive packets are being ignored when the ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) is used. AFAICT buster is affected as well, so this is not a regression in bullseye.

[ Impact ]

dropbear-initramfs users unlocking the root file system remotely with message keepalive enabled (ssh -oServerAliveInterval≠0) might lock themselves out, see #1069768.

[ Tests ]

I manually tested that dropbear-bin=2020.81-3+deb11u2 replies to message keepalives even when remote TCP forwarding is disabled.

[ Risks ]

The patch is trivial and was cleanly cherry-picked from upstream. With 2020.81-3+deb11u1, the workaround to prevent being locked out is to either disable message keepalives on the SSH client, or not to disable remote TCP forwarding on the SSH server (dropbear).

[ Checklist ]

[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable

[ Changes ]

Cherry-pick upstream patch to fix noremotetcp behavior. Keepalive packets were being ignored when the ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was used. (Closes: #1069768)

--
Guilhem.

diffstat for dropbear-2020.81 dropbear-2020.81 changelog | 8 ++++++ patches/fix-noremotetcp-behavior.patch | 39 +++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 48 insertions(+) diff -Nru dropbear-2020.81/debian/changelog dropbear-2020.81/debian/changelog --- dropbear-2020.81/debian/changelog 2024-01-26 12:00:26.000000000 +0100 +++ dropbear-2020.81/debian/changelog 2024-07-09 15:51:42.000000000 +0200 
@@ -1,3 +1,11 @@ +dropbear (2020.81-3+deb11u2) bullseye; urgency=medium + + * Fix noremotetcp behavior. Keepalive packets were being ignored when the + ‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was + used. (Closes: #1069768) + + -- Guilhem Moulin <guilhem@debian.org> Tue, 09 Jul 2024 15:51:42 +0200 + dropbear (2020.81-3+deb11u1) bullseye; urgency=medium * Fix CVE-2021-36369: Due to a non-RFC-compliant check of the available diff -Nru dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch --- dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch 1970-01-01 01:00:00.000000000 +0100 +++ dropbear-2020.81/debian/patches/fix-noremotetcp-behavior.patch 2024-07-09 15:51:42.000000000 +0200 
@@ -0,0 +1,39 @@ +From: Justin Chen <justin.chen@broadcom.com> +Date: Fri, 8 Sep 2023 11:35:18 -0700 +Subject: src: svr-tcpfwd: Fix noremotetcp behavior + +If noremotetcp is set, we should still reply with +send_msg_request_failed. This matches the behavior +of !DROPBEAR_SVR_REMOTETCPFWD. + +We were seeing keepalive packets being ignored when +the "-k" option was used. + +Origin: https://github.com/mkj/dropbear/commit/3cf8344769eda55e26eee53c1898b2c66544f188 +Bug-Debian: https://bugs.debian.org/1069768 +--- + svr-tcpfwd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c +index 9a2310d..b5e7855 100644 +--- a/svr-tcpfwd.c ++++ b/svr-tcpfwd.c +@@ -73,14 +73,14 @@ void recv_msg_global_request_remotetcp() { + + TRACE(("enter recv_msg_global_request_remotetcp")) + ++ reqname = buf_getstring(ses.payload, &namelen); ++ wantreply = buf_getbool(ses.payload); ++ + if (svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()) { + TRACE(("leave recv_msg_global_request_remotetcp: remote tcp forwarding disabled")) + goto out; + } + +- reqname = buf_getstring(ses.payload, &namelen); +- wantreply = buf_getbool(ses.payload); +- + if (namelen > MAX_NAME_LEN) { + TRACE(("name len is wrong: %d", namelen)) + goto out; diff -Nru dropbear-2020.81/debian/patches/series dropbear-2020.81/debian/patches/series --- dropbear-2020.81/debian/patches/series 2024-01-26 12:00:26.000000000 +0100 +++ dropbear-2020.81/debian/patches/series 2024-07-09 15:51:42.000000000 +0200 @@ -1,3 +1,4 @@ local-options.patch CVE-2021-36369.patch CVE-2023-48795.patch +fix-noremotetcp-behavior.patchAttachment: signature.asc
Description: PGP signature
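Review bot: in the svr-tcpfwd.c hunk, `reqname` is now obtained from `buf_getstring` before the `svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()` check, so the early `goto out` is reached with `reqname` already populated and `wantreply` set from the payload. The `out:` label lies outside the visible context, so please confirm that it releases `reqname` and that the failure reply there depends only on `wantreply`. A one-line comment above the two moved lines saying they must stay ahead of the policy check would also keep a later cleanup from reintroducing the silent drop of keepalive requests.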
--- End Message ---
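The ordering problem described in the [ Reason ] section and in the upstream commit message, as an added C model that is neither dropbear code nor part of the original message. It assumes the exit path sends a failure only when want-reply was read as true, and it treats `tcpip-forward` as always succeeding; all function names are hypothetical and the `keepalive@openssh.com` payload is constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of an SSH_MSG_GLOBAL_REQUEST body (RFC 4254 section 4):
 * string request-name, boolean want-reply. Hypothetical names, not dropbear code. */
enum reply { REPLY_NONE, REPLY_SUCCESS, REPLY_FAILURE };

/* Constructed sample: the keepalive probe an OpenSSH client sends, want-reply = 1. */
static const char KEEPALIVE[] = "\x00\x00\x00\x15" "keepalive@openssh.com" "\x01";
#define KEEPALIVE_LEN (sizeof KEEPALIVE - 1)

/* Read the length-prefixed name and the want-reply byte; -1 if truncated. */
static int parse_request(const uint8_t *p, size_t len, size_t *namelen, int *wantreply) {
    if (len < 5) return -1;
    uint32_t n = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    if (n > len - 5) return -1;
    *namelen = n; *wantreply = p[4 + n] != 0;
    return 0;
}

/* Assumption: the exit path sends a failure only if want-reply was read as true. */
static enum reply finish(int wantreply) { return wantreply ? REPLY_FAILURE : REPLY_NONE; }

/* Forwarding enabled: model tcpip-forward as success, refuse any other request name. */
static enum reply dispatch(const uint8_t *name, size_t namelen, int wantreply) {
    if (wantreply && namelen == 13 && memcmp(name, "tcpip-forward", 13) == 0) return REPLY_SUCCESS;
    return finish(wantreply);
}

/* Pre-fix ordering: policy check first, so want-reply is still 0 on the early exit. */
enum reply handle_before(const uint8_t *p, size_t len, int noremotetcp) {
    size_t namelen = 0; int wantreply = 0;
    if (noremotetcp) return finish(wantreply);
    if (parse_request(p, len, &namelen, &wantreply) != 0) return REPLY_NONE;
    return dispatch(p + 4, namelen, wantreply);
}

/* Post-fix ordering: parse first, so the refusal is still sent when forwarding is off. */
enum reply handle_after(const uint8_t *p, size_t len, int noremotetcp) {
    size_t namelen = 0; int wantreply = 0;
    if (parse_request(p, len, &namelen, &wantreply) != 0) return REPLY_NONE;
    if (noremotetcp) return finish(wantreply);
    return dispatch(p + 4, namelen, wantreply);
}

int main(void) {
    const uint8_t *k = (const uint8_t *)KEEPALIVE;
    printf("before=%d after=%d\n", handle_before(k, KEEPALIVE_LEN, 1), handle_after(k, KEEPALIVE_LEN, 1));
    return 0;
}
```

A client with ServerAliveInterval set counts each unanswered probe against its limit, so the `REPLY_NONE` result of the pre-fix ordering is what ends the session during unlock.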
--- Begin Message ---
- To: 1007884-done@bugs.debian.org, 1049982-done@bugs.debian.org, 1057330-done@bugs.debian.org, 1071417-done@bugs.debian.org, 1072248-done@bugs.debian.org, 1073519-done@bugs.debian.org, 1074090-done@bugs.debian.org, 1074125-done@bugs.debian.org, 1074142-done@bugs.debian.org, 1074438-done@bugs.debian.org, 1076016-done@bugs.debian.org, 1076158-done@bugs.debian.org, 1076344-done@bugs.debian.org, 1076460-done@bugs.debian.org, 1076527-done@bugs.debian.org, 1076598-done@bugs.debian.org, 1076609-done@bugs.debian.org, 1076832-done@bugs.debian.org, 1077325-done@bugs.debian.org, 1077584-done@bugs.debian.org, 1077652-done@bugs.debian.org, 1077984-done@bugs.debian.org, 1077999-done@bugs.debian.org, 1078120-done@bugs.debian.org, 1078160-done@bugs.debian.org, 1078169-done@bugs.debian.org, 1078458-done@bugs.debian.org, 1078503-done@bugs.debian.org, 1078504-done@bugs.debian.org, 1078733-done@bugs.debian.org, 1078739-done@bugs.debian.org, 1078762-done@bugs.debian.org, 1078766-done@bugs.debian.org, 1078782-done@bugs.debian.org, 1079115-done@bugs.debian.org, 1079141-done@bugs.debian.org, 1079144-done@bugs.debian.org, 1079217-done@bugs.debian.org, 1079271-done@bugs.debian.org, 1079291-done@bugs.debian.org, 1079313-done@bugs.debian.org, 1079450-done@bugs.debian.org, 1079515-done@bugs.debian.org, 1079544-done@bugs.debian.org, 1079597-done@bugs.debian.org
- Subject: Closing bugs for 11.11
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 31 Aug 2024 12:30:55 +0100
- Message-id: <27c418b1a49ffc566f1b9635359e59f6a742be26.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.11

Hi,

Each of these bugs relates to an update included in today's final bullseye 11.11 point release.

Regards,

Adam
--- End Message ---