Bug 800655 (CVE-2012-0920)

Summary: CVE-2012-0920 dropbear: use-after-free vulnerability
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: buytenh, gwync, itamar, jrusnack
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-03 17:27:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 800656, 800657
Bug Blocks:

Description Vincent Danen 2012-03-06 21:20:32 UTC
It was reported [1] that the Dropbear SSH server suffered from a use-after-free flaw in how the server managed channels concurrency.  A specially-crafted request could trigger a use-after-free condition which could then be used to potentially execute arbitrary code with root privileges, provided that the user has been authenticated using a public key and also that a command restriction is enforced (the "command" option must be used in the authorized_keys file).

This has been corrected upstream in version 2012.55 [2] and is reported to affect versions 0.52 through 2011.54.

[1] http://archives.neohapsis.com/archives/fulldisclosure/2012-02/0404.html
[2] https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
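The hazard the description refers to, as a constructed C illustration added here (it is not dropbear's code and not the upstream fix): a per-channel command handler that accepts a further command request after a session has already started, freeing the strings that running session still references, beside a handler that rejects any command request once the channel has one. The chansess, running and exec_request_* names and the rsync command= value are assumptions for this example; the dangling reference is counted at the moment of the free rather than dereferenced, so the program runs cleanly.

```c
/* Constructed illustration, not dropbear's code: a use-after-free hazard in
 * per-channel command handling, and the single check that closes it.
 * Struct and function names are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQ_OK      0
#define REQ_REJECT  1

/* Hypothetical per-channel session state. */
struct chansess {
    char *cmd;               /* command the server will actually run */
    char *original_command;  /* what the client asked for, kept for the command's use */
};

/* A session that has started keeps a borrowed pointer to the channel's
 * command string (in a real server: a child process or its environment). */
struct running {
    const char *cmd;         /* borrowed from chansess->cmd when the session started */
    int invalidated;         /* instrumentation: times that string was freed underneath it */
};

static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    return p;
}

/* With a forced command (authorized_keys "command=") the requested command is
 * only recorded; the forced one is what runs. */
static void install_command(struct chansess *cs, const char *requested, const char *forced) {
    if (forced) {
        cs->original_command = xstrdup(requested);
        cs->cmd = xstrdup(forced);
    } else {
        cs->cmd = xstrdup(requested);
    }
}

/* Vulnerable shape: every command request on the channel replaces the command
 * strings. The first request starts the session, which holds cs->cmd; a second
 * request frees that string behind its back and leaves the session dangling. */
int exec_request_unchecked(struct chansess *cs, struct running *run,
                           const char *requested, const char *forced) {
    if (run->cmd != NULL && run->cmd == cs->cmd)
        run->invalidated++;  /* a live reference is about to be freed */
    free(cs->cmd);
    free(cs->original_command);
    install_command(cs, requested, forced);
    if (run->cmd == NULL)
        run->cmd = cs->cmd;  /* session starts on the first request only */
    return REQ_OK;
}

/* Hardened shape: one command request per channel. A second request is
 * rejected before any allocation is touched, so the running session's
 * reference stays valid for the life of the channel. */
int exec_request_checked(struct chansess *cs, struct running *run,
                         const char *requested, const char *forced) {
    if (cs->cmd != NULL)
        return REQ_REJECT;
    install_command(cs, requested, forced);
    run->cmd = cs->cmd;
    return REQ_OK;
}

/* Release at channel close and null the pointers, so any later stale use
 * fails loudly instead of reading freed memory. */
void chansess_free(struct chansess *cs) {
    free(cs->cmd);
    free(cs->original_command);
    cs->cmd = NULL;
    cs->original_command = NULL;
}

/* Drive one handler with two consecutive command requests on one channel and
 * return how many times the running session's string was freed under it. */
int demo(int checked) {
    struct chansess cs = { NULL, NULL };
    struct running run = { NULL, 0 };
    const char *forced = "/usr/bin/rsync --server";   /* constructed command= value */
    int (*handler)(struct chansess *, struct running *, const char *, const char *) =
        checked ? exec_request_checked : exec_request_unchecked;

    handler(&cs, &run, "first request", forced);
    handler(&cs, &run, "second request", forced);
    int dangling = run.invalidated;
    chansess_free(&cs);
    return dangling;
}

int main(void) {
    printf("unchecked handler: references invalidated = %d\n", demo(0));
    printf("checked handler:   references invalidated = %d\n", demo(1));
    return 0;
}
```

The reject-before-touching-memory ordering is the point: the check must run before any free or reallocation on the channel, and the same "one accepted request per channel" rule is what makes the forced command from authorized_keys stick for the whole session rather than only for the first request.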

Comment 1 Vincent Danen 2012-03-06 21:36:39 UTC
Tracking bugs were filed for:

Fedora-all: bug #800656
EPEL-6: bug #800657

Comment 2 Vincent Danen 2012-08-03 17:27:22 UTC
dropbear-0.55-1 has been pushed to all supported versions of Fedora and EPEL:

http://koji.fedoraproject.org/koji/packageinfo?packageID=5596