From 61502b60d68e8a14b5a0949f3eabb45dcbdce848 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Tue, 28 Feb 2012 14:39:35 +0000
Subject: main/dropbear: security fix

fixes #1024
---
 main/dropbear/APKBUILD | 19 +++++---
 main/dropbear/after-free-fix.patch | 96 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+), 6 deletions(-)
 create mode 100644 main/dropbear/after-free-fix.patch
(limited to 'main/dropbear')

diff --git a/main/dropbear/APKBUILD b/main/dropbear/APKBUILD
index ecd4c4614fe..6253458cfc5 100644
--- a/main/dropbear/APKBUILD
+++ b/main/dropbear/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa
 pkgname=dropbear
 pkgver=0.53.1
-pkgrel=1
+pkgrel=2
 pkgdesc="small SSH 2 client/server designed for small memory environments"
 url="http://matt.ucc.asn.au/dropbear/dropbear.html"
 arch="all"
@@ -10,16 +10,22 @@ license='MIT'
 depends=
 makedepends="zlib-dev"
 source="http://matt.ucc.asn.au/dropbear/releases/${pkgname}-${pkgver}.tar.bz2
-dropbear.initd
-dropbear.confd
-dropbear-0.53.1-static_build_fix.patch"
+ dropbear.initd
+ dropbear.confd
+ dropbear-0.53.1-static_build_fix.patch
+ after-free-fix.patch
+ "
 
 _builddir="$srcdir"/$pkgname-$pkgver
 _progs="dropbear dbclient dropbearkey dropbearconvert scp"
 
 prepare() {
 cd "$_builddir"
- patch -p1 -i "$srcdir"/dropbear-0.53.1-static_build_fix.patch
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
 }
 
 build() {
@@ -48,4 +54,5 @@ package() {
 md5sums="0284ea239083f04c8b874e08e1aca243 dropbear-0.53.1.tar.bz2
 d181e2234f34ae5b1e45f8ebf5f14e07 dropbear.initd
 af73c487e2be37d65d0e8bf80489357e dropbear.confd
-d33de2027d5dc851762b65b276f1ac83 dropbear-0.53.1-static_build_fix.patch"
+d33de2027d5dc851762b65b276f1ac83 dropbear-0.53.1-static_build_fix.patch
+4f23b4a4214f98b7dd5c1c1727a9c0b4 after-free-fix.patch"
diff --git a/main/dropbear/after-free-fix.patch b/main/dropbear/after-free-fix.patch
new file mode 100644
index 00000000000..2f239637dfd
--- /dev/null
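Review bot: In the new prepare() loop the patch path is built from the raw `source` entry, `"$srcdir"/$i`, so an entry given as a URL ending in .patch would resolve to `"$srcdir"/http://…` rather than the fetched file, which abuild (as far as I know) stores in `$srcdir` under its basename. Using `*.patch) msg "$i"; patch -p1 -i "$srcdir"/${i##*/} || return 1;;` handles both local and remote patches and also quotes `$i`, which is otherwise subject to pathname expansion if an entry contains glob characters. The `|| return 1` is right: a patch that fails to apply must abort the build rather than produce a package without the security fix.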
+++ b/main/dropbear/after-free-fix.patch 
@@ -0,0 +1,96 @@
+
+# HG changeset patch
+# User Matt Johnston
+# Date 1322947885 -28800
+# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8
+# Parent 5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f
+- Fix use-after-free if multiple command requests were sent. Move
+the original_command into chansess struct since that makes more sense
+
+diff -r 5e8d84f3ee72 -r 818108bf7749 auth.h
+--- a/auth.h Sun Dec 04 05:27:57 2011 +0800
++++ b/auth.h Sun Dec 04 05:31:25 2011 +0800
+@@ -133,7 +133,6 @@
+ int no_pty_flag;
+ /* "command=" option. */
+ unsigned char * forced_command;
+- unsigned char * original_command;
+ };
+ #endif
+ 
+diff -r 5e8d84f3ee72 -r 818108bf7749 chansession.h
+--- a/chansession.h Sun Dec 04 05:27:57 2011 +0800
++++ b/chansession.h Sun Dec 04 05:31:25 2011 +0800
+@@ -69,6 +69,10 @@
+ char * agentfile;
+ char * agentdir;
+ #endif
++
++#ifdef ENABLE_SVR_PUBKEY_OPTIONS
++ char *original_command;
++#endif
+ };
+ 
+ struct ChildPid {
+diff -r 5e8d84f3ee72 -r 818108bf7749 svr-authpubkeyoptions.c
+--- a/svr-authpubkeyoptions.c Sun Dec 04 05:27:57 2011 +0800
++++ b/svr-authpubkeyoptions.c Sun Dec 04 05:31:25 2011 +0800
+@@ -92,14 +92,15 @@
+ * by any 'command' public key option. */
+ void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
+ if (ses.authstate.pubkey_options) {
+- ses.authstate.pubkey_options->original_command = chansess->cmd;
+- if (!chansess->cmd)
+- {
+- ses.authstate.pubkey_options->original_command = m_strdup("");
++ if (chansess->cmd) {
++ /* original_command takes ownership */
++ chansess->original_command = chansess->cmd;
++ } else {
++ chansess->original_command = m_strdup("");
+ }
+- chansess->cmd = ses.authstate.pubkey_options->forced_command;
++ chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
+ #ifdef LOG_COMMANDS
+- dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
++ dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command);
+ #endif
+ }
+ }
+diff -r 5e8d84f3ee72 -r 818108bf7749 svr-chansession.c
+--- a/svr-chansession.c Sun Dec 04 05:27:57 2011 +0800
++++ b/svr-chansession.c Sun Dec 04 05:31:25 2011 +0800
+@@ -217,6 +217,8 @@
+ 
+ struct ChanSess *chansess;
+ 
++ TRACE(("new chansess %p", channel))
++
+ dropbear_assert(channel->typedata == NULL);
+ 
+ chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
+@@ -279,6 +281,10 @@
+ m_free(chansess->cmd);
+ m_free(chansess->term);
+ 
++#ifdef ENABLE_SVR_PUBKEY_OPTIONS
++ m_free(chansess->original_command);
++#endif
++
+ if (chansess->tty) {
+ /* write the utmp/wtmp login record */
+ li = chansess_login_alloc(chansess);
+@@ -924,10 +930,8 @@
+ }
+ 
+ #ifdef ENABLE_SVR_PUBKEY_OPTIONS
+- if (ses.authstate.pubkey_options &&
+- ses.authstate.pubkey_options->original_command) {
+- addnewvar("SSH_ORIGINAL_COMMAND",
+- ses.authstate.pubkey_options->original_command);
++ if (chansess->original_command) {
++ addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
+ }
+ #endif
+ 
+
-- 
cgit v1.2.3
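Review bot: In svr_pubkey_set_forced_command the new code stores into `chansess->original_command` without releasing any value already there, so if this function can run a second time for the same ChanSess (the changeset header itself speaks of multiple command requests) the first original_command leaks and the second call records the strdup'd forced command as the "original" one that later lands in SSH_ORIGINAL_COMMAND. Whether a repeat call is reachable is decided by the request handler in svr-chansession.c, which is outside this hunk; if it is, an `m_free(chansess->original_command);` ahead of the two assignments would close it, and the cleanup hunk already calls m_free on pointers that may be NULL, so it presumably tolerates that. The new member also relies on `m_malloc` zero-filling the struct so that the `if (chansess->original_command)` test and the cleanup free see NULL on sessions where no forced command applied; that is not visible here and is worth confirming in the allocator. Turning `chansess->cmd` into an owned copy via `m_strdup` is what removes the dangling pointer into pubkey_options, and the `#ifdef ENABLE_SVR_PUBKEY_OPTIONS` guards on the member, its free and its use are consistent with each other.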