49349 2024-02-10 18:05:42 +0300 dropbear segfault при попытке соединения 2024-02-11 04:56:24 +0300 1 1 4 Development Sisyphus dropbear unstable x86_64 Linux CLOSED FIXED P5 critical --- 1 sfslinux vt george sfslinux vt qa-sisyphus oldest_to_newest 241392 0 15523 sfslinux 2024-02-10 18:05:42 +0300 Created attachment 15523 CVE-2023-48795 фев 10 08:20:18 fas dropbear[55378]: [55378] Feb 10 08:20:18 Child connection from 127.0.0.1:52906 фев 10 08:20:18 fas dropbear[55378]: Aiee, segfault! You should probably report this as a bug to th> фев 10 08:20:18 fas dropbear[55380]: [55380] Feb 10 08:20:18 Child connection from 127.0.0.1:52914 фев 10 08:20:18 fas dropbear[55380]: Aiee, segfault! You should probably report this as a bug to th> фев 10 08:21:11 fas dropbear[55238]: [55238] Feb 10 08:21:11 Early exit: Terminated by signal Починить удалось только отказом от static Кроме того не пропатчен CVE-2023-48795 241402 1 vt 2024-02-11 02:43:11 +0300 Link to upstream bug report https://github.com/mkj/dropbear/issues/280 241404 2 vt 2024-02-11 04:07:21 +0300 Пока я прихожу к выводу, что его невозможно собрать статически и работающим одновременно. Видимо, придется отказаться от этой идеи и или просто пересобрать с шаред либами, или удалить. 241405 3 vt 2024-02-11 04:32:40 +0300 Да вот еще посоветовали на Musl перейти. Но это уже в другой раз. Сейчас я соберу alt2 без статической линковки. ¯\_(ツ)_/¯ 241406 4 repository-robot 2024-02-11 04:56:24 +0300 dropbear-2022.83-alt2 -> sisyphus: Sun Feb 11 2024 Vitaly Chikunov <vt@altlinux> 2022.83-alt2 - Backport the fix for the Terrapin attack (fixes CVE-2023-48795). - Undo static linking (ALT#49349). 15523 2024-02-10 18:05:42 +0300 2024-02-10 18:05:42 +0300 CVE-2023-48795 6e43be5c7b99dbee49dc72b6f989f29fdd7e9356.patch text/plain 6055 sfslinux RnJvbSA2ZTQzYmU1YzdiOTlkYmVlNDlkYzcyYjZmOTg5ZjI5ZmRkN2U5MzU2IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBNYXR0IEpvaG5zdG9uIDxtYXR0QHVjYy5hc24uYXU+CkRhdGU6 IE1vbiwgMjAgTm92IDIwMjMgMTQ6MDI6NDcgKzA4MDAKU3ViamVjdDogW1BBVENIXSBJbXBsZW1l bnQgU3RyaWN0IEtFWCBtb2RlCgpBcyBzcGVjaWZpZWQgYnkgT3BlblNTSCB3aXRoIGtleC1zdHJp Y3QtYy12MDBAb3BlbnNzaC5jb20gYW5kCmtleC1zdHJpY3Qtcy12MDBAb3BlbnNzaC5jb20uCi0t LQogY2xpLXNlc3Npb24uYyAgICB8IDExICsrKysrKysrKysrCiBjb21tb24tYWxnby5jICAgIHwg IDYgKysrKysrCiBjb21tb24ta2V4LmMgICAgIHwgMjYgKysrKysrKysrKysrKysrKysrKysrKysr Ky0KIGtleC5oICAgICAgICAgICAgfCAgMyArKysKIHByb2Nlc3MtcGFja2V0LmMgfCAzNCArKysr KysrKysrKysrKysrKysrLS0tLS0tLS0tLS0tLS0tCiBzc2guaCAgICAgICAgICAgIHwgIDQgKysr Kwogc3ZyLXNlc3Npb24uYyAgICB8ICAzICsrKwogNyBmaWxlcyBjaGFuZ2VkLCA3MSBpbnNlcnRp b25zKCspLCAxNiBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9jbGktc2Vzc2lvbi5jIGIvY2xp LXNlc3Npb24uYwppbmRleCA1OTgxYjI0NzAuLmQyNjFjOGY4MiAxMDA2NDQKLS0tIGEvY2xpLXNl c3Npb24uYworKysgYi9jbGktc2Vzc2lvbi5jCkBAIC00Niw2ICs0Niw3IEBAIHN0YXRpYyB2b2lk IGNsaV9maW5pc2hlZCh2b2lkKSBBVFRSSUJfTk9SRVRVUk47CiBzdGF0aWMgdm9pZCByZWN2X21z Z19zZXJ2aWNlX2FjY2VwdCh2b2lkKTsKIHN0YXRpYyB2b2lkIGNsaV9zZXNzaW9uX2NsZWFudXAo dm9pZCk7CiBzdGF0aWMgdm9pZCByZWN2X21zZ19nbG9iYWxfcmVxdWVzdF9jbGkodm9pZCk7Citz dGF0aWMgdm9pZCBjbGlfYWxnb3NfaW5pdGlhbGlzZSh2b2lkKTsKIAogc3RydWN0IGNsaWVudHNl c3Npb24gY2xpX3NlczsgLyogR0xPQkFMICovCiAKQEAgLTExNyw2ICsxMTgsNyBAQCB2b2lkIGNs aV9zZXNzaW9uKGludCBzb2NrX2luLCBpbnQgc29ja19vdXQsIHN0cnVjdCBkcm9wYmVhcl9wcm9n cmVzc19jb25uZWN0aW9uCiAJfQogCiAJY2hhbmluaXRpYWxpc2UoY2xpX2NoYW50eXBlcyk7CisJ Y2xpX2FsZ29zX2luaXRpYWxpc2UoKTsKIAogCS8qIFNldCB1cCBjbGlfc2VzIHZhcnMgKi8KIAlj bGlfc2Vzc2lvbl9pbml0KHByb3h5X2NtZF9waWQpOwpAQCAtNDg3LDMgKzQ4OSwxMiBAQCB2b2lk IGNsaV9kcm9wYmVhcl9sb2coaW50IHByaW9yaXR5LCBjb25zdCBjaGFyKiBmb3JtYXQsIHZhX2xp c3QgcGFyYW0pIHsKIAlmZmx1c2goc3RkZXJyKTsKIH0KIAorc3RhdGljIHZvaWQgY2xpX2FsZ29z X2luaXRpYWxpc2Uodm9pZCkgeworCWFsZ29fdHlwZSAqYWxnbzsKKwlmb3IgKGFsZ28gPSBzc2hr ZXg7IGFsZ28tPm5hbWU7IGFsZ28rKykgeworCQlpZiAoc3RyY21wKGFsZ28tPm5hbWUsIFNTSF9T VFJJQ1RfS0VYX1MpID09IDApIHsKKwkJCWFsZ28tPnVzYWJsZSA9IDA7CisJCX0KKwl9Cit9CisK ZGlmZiAtLWdpdCBhL2NvbW1vbi1hbGdvLmMgYi9jb21tb24tYWxnby5jCmluZGV4IDM3OGYwY2E4 ZS4uZjlkNDZlYmI2IDEwMDY0NAotLS0gYS9jb21tb24tYWxnby5jCisrKyBiL2NvbW1vbi1hbGdv LmMKQEAgLTMwNyw2ICszMDcsMTIgQEAgYWxnb190eXBlIHNzaGtleFtdID0gewogCS8qIFNldCB1 bnVzYWJsZSBieSBzdnJfYWxnb3NfaW5pdGlhbGlzZSgpICovCiAJe1NTSF9FWFRfSU5GT19DLCAw LCBOVUxMLCAxLCBOVUxMfSwKICNlbmRpZgorI2VuZGlmCisjaWYgRFJPUEJFQVJfQ0xJRU5UCisJ e1NTSF9TVFJJQ1RfS0VYX0MsIDAsIE5VTEwsIDEsIE5VTEx9LAorI2VuZGlmCisjaWYgRFJPUEJF QVJfU0VSVkVSCisJe1NTSF9TVFJJQ1RfS0VYX1MsIDAsIE5VTEwsIDEsIE5VTEx9LAogI2VuZGlm CiAJe05VTEwsIDAsIE5VTEwsIDAsIE5VTEx9CiB9OwpkaWZmIC0tZ2l0IGEvY29tbW9uLWtleC5j IGIvY29tbW9uLWtleC5jCmluZGV4IGFjODg0NDI0Ni4uOGUzM2IxMmE2IDEwMDY0NAotLS0gYS9j b21tb24ta2V4LmMKKysrIGIvY29tbW9uLWtleC5jCkBAIC0xODMsNiArMTgzLDEwIEBAIHZvaWQg c2VuZF9tc2dfbmV3a2V5cygpIHsKIAlnZW5fbmV3X2tleXMoKTsKIAlzd2l0Y2hfa2V5cygpOwog CisJaWYgKHNlcy5rZXhzdGF0ZS5zdHJpY3Rfa2V4KSB7CisJCXNlcy50cmFuc3NlcSA9IDA7CisJ fQorCiAJVFJBQ0UoKCJsZWF2ZSBzZW5kX21zZ19uZXdrZXlzIikpCiB9CiAKQEAgLTE5Myw3ICsx OTcsMTEgQEAgdm9pZCByZWN2X21zZ19uZXdrZXlzKCkgewogCiAJc2VzLmtleHN0YXRlLnJlY3Zu ZXdrZXlzID0gMTsKIAlzd2l0Y2hfa2V5cygpOwotCQorCisJaWYgKHNlcy5rZXhzdGF0ZS5zdHJp Y3Rfa2V4KSB7CisJCXNlcy5yZWN2c2VxID0gMDsKKwl9CisKIAlUUkFDRSgoImxlYXZlIHJlY3Zf bXNnX25ld2tleXMiKSkKIH0KIApAQCAtNTUwLDYgKzU1OCwxMCBAQCB2b2lkIHJlY3ZfbXNnX2tl eGluaXQoKSB7CiAKIAlzZXMua2V4c3RhdGUucmVjdmtleGluaXQgPSAxOwogCisJaWYgKHNlcy5r ZXhzdGF0ZS5zdHJpY3Rfa2V4ICYmICFzZXMua2V4c3RhdGUuZG9uZWZpcnN0a2V4ICYmIHNlcy5y ZWN2c2VxICE9IDEpIHsKKwkJZHJvcGJlYXJfZXhpdCgiRmlyc3QgcGFja2V0IHdhc24ndCBrZXhp bml0Iik7CisJfQorCiAJVFJBQ0UoKCJsZWF2ZSByZWN2X21zZ19rZXhpbml0IikpCiB9CiAKQEAg LTg1OSw2ICs4NzEsMTggQEAgc3RhdGljIHZvaWQgcmVhZF9rZXhfYWxnb3MoKSB7CiAJfQogI2Vu ZGlmCiAKKwlpZiAoIXNlcy5rZXhzdGF0ZS5kb25lZmlyc3RrZXgpIHsKKwkJY29uc3QgY2hhciog c3RyaWN0X25hbWU7CisJCWlmIChJU19EUk9QQkVBUl9DTElFTlQpIHsKKwkJCXN0cmljdF9uYW1l ID0gU1NIX1NUUklDVF9LRVhfUzsKKwkJfSBlbHNlIHsKKwkJCXN0cmljdF9uYW1lID0gU1NIX1NU UklDVF9LRVhfQzsKKwkJfQorCQlpZiAoYnVmX2hhc19hbGdvKHNlcy5wYXlsb2FkLCBzdHJpY3Rf bmFtZSkgPT0gRFJPUEJFQVJfU1VDQ0VTUykgeworCQkJc2VzLmtleHN0YXRlLnN0cmljdF9rZXgg PSAxOworCQl9CisJfQorCiAJYWxnbyA9IGJ1Zl9tYXRjaF9hbGdvKHNlcy5wYXlsb2FkLCBzc2hr ZXgsIGtleGd1ZXNzMiwgJmdvb2RndWVzcyk7CiAJYWxsZ29vZCAmPSBnb29kZ3Vlc3M7CiAJaWYg KGFsZ28gPT0gTlVMTCB8fCBhbGdvLT5kYXRhID09IE5VTEwpIHsKZGlmZiAtLWdpdCBhL2tleC5o IGIva2V4LmgKaW5kZXggNzdjZjIxYTM3Li43ZmNjM2MyNTIgMTAwNjQ0Ci0tLSBhL2tleC5oCisr KyBiL2tleC5oCkBAIC04Myw2ICs4Myw5IEBAIHN0cnVjdCBLRVhTdGF0ZSB7CiAKIAl1bnNpZ25l ZCBvdXJfZmlyc3RfZm9sbG93c19tYXRjaGVzIDogMTsKIAorCS8qIEJvb2xlYW4gaW5kaWNhdGlu ZyB0aGF0IHN0cmljdCBrZXggbW9kZSBpcyBpbiB1c2UgKi8KKwl1bnNpZ25lZCBpbnQgc3RyaWN0 X2tleDsKKwogCXRpbWVfdCBsYXN0a2V4dGltZTsgLyogdGltZSBvZiB0aGUgbGFzdCBrZXggKi8K IAl1bnNpZ25lZCBpbnQgZGF0YXRyYW5zOyAvKiBkYXRhIHRyYW5zbWl0dGVkIHNpbmNlIGxhc3Qg a2V4ICovCiAJdW5zaWduZWQgaW50IGRhdGFyZWN2OyAvKiBkYXRhIHJlY2VpdmVkIHNpbmNlIGxh c3Qga2V4ICovCmRpZmYgLS1naXQgYS9wcm9jZXNzLXBhY2tldC5jIGIvcHJvY2Vzcy1wYWNrZXQu YwppbmRleCA5NDU0MTYwMjMuLjEzM2ExNTJkMCAxMDA2NDQKLS0tIGEvcHJvY2Vzcy1wYWNrZXQu YworKysgYi9wcm9jZXNzLXBhY2tldC5jCkBAIC00NCw2ICs0NCw3IEBAIHZvaWQgcHJvY2Vzc19w YWNrZXQoKSB7CiAKIAl1bnNpZ25lZCBjaGFyIHR5cGU7CiAJdW5zaWduZWQgaW50IGk7CisJdW5z aWduZWQgaW50IGZpcnN0X3N0cmljdF9rZXggPSBzZXMua2V4c3RhdGUuc3RyaWN0X2tleCAmJiAh c2VzLmtleHN0YXRlLmRvbmVmaXJzdGtleDsKIAl0aW1lX3Qgbm93OwogCiAJVFJBQ0UyKCgiZW50 ZXIgcHJvY2Vzc19wYWNrZXQiKSkKQEAgLTU0LDIyICs1NSwyNCBAQCB2b2lkIHByb2Nlc3NfcGFj a2V0KCkgewogCW5vdyA9IG1vbm90b25pY19ub3coKTsKIAlzZXMubGFzdF9wYWNrZXRfdGltZV9r ZWVwYWxpdmVfcmVjdiA9IG5vdzsKIAotCS8qIFRoZXNlIHBhY2tldHMgd2UgY2FuIHJlY2VpdmUg YXQgYW55IHRpbWUgKi8KLQlzd2l0Y2godHlwZSkgewogCi0JCWNhc2UgU1NIX01TR19JR05PUkU6 Ci0JCQlnb3RvIG91dDsKLQkJY2FzZSBTU0hfTVNHX0RFQlVHOgotCQkJZ290byBvdXQ7CisJaWYg KHR5cGUgPT0gU1NIX01TR19ESVNDT05ORUNUKSB7CisJCS8qIEFsbG93ZWQgYXQgYW55IHRpbWUg Ki8KKwkJZHJvcGJlYXJfY2xvc2UoIkRpc2Nvbm5lY3QgcmVjZWl2ZWQiKTsKKwl9CiAKLQkJY2Fz ZSBTU0hfTVNHX1VOSU1QTEVNRU5URUQ6Ci0JCQkvKiBkZWJ1Z2dpbmcgWFhYICovCi0JCQlUUkFD RSgoIlNTSF9NU0dfVU5JTVBMRU1FTlRFRCIpKQotCQkJZ290byBvdXQ7Ci0JCQkKLQkJY2FzZSBT U0hfTVNHX0RJU0NPTk5FQ1Q6Ci0JCQkvKiBUT0RPIGNsZWFudXA/ICovCi0JCQlkcm9wYmVhcl9j bG9zZSgiRGlzY29ubmVjdCByZWNlaXZlZCIpOworCS8qIFRoZXNlIHBhY2tldHMgbWF5IGJlIHJl Y2VpdmVkIGF0IGFueSB0aW1lLAorCSAgIGV4Y2VwdCBkdXJpbmcgZmlyc3Qga2V4IHdpdGggc3Ry aWN0IGtleCAqLworCWlmICghZmlyc3Rfc3RyaWN0X2tleCkgeworCQlzd2l0Y2godHlwZSkgewor CQkJY2FzZSBTU0hfTVNHX0lHTk9SRToKKwkJCQlnb3RvIG91dDsKKwkJCWNhc2UgU1NIX01TR19E RUJVRzoKKwkJCQlnb3RvIG91dDsKKwkJCWNhc2UgU1NIX01TR19VTklNUExFTUVOVEVEOgorCQkJ CVRSQUNFKCgiU1NIX01TR19VTklNUExFTUVOVEVEIikpCisJCQkJZ290byBvdXQ7CisJCX0KIAl9 CiAKIAkvKiBJZ25vcmUgdGhlc2UgcGFja2V0IHR5cGVzIHNvIHRoYXQga2VlcGFsaXZlcyBkb24n dCBpbnRlcmZlcmUgd2l0aApAQCAtOTgsNyArMTAxLDggQEAgdm9pZCBwcm9jZXNzX3BhY2tldCgp IHsKIAkJCWlmICh0eXBlID49IDEgJiYgdHlwZSA8PSA0OQogCQkJCSYmIHR5cGUgIT0gU1NIX01T R19TRVJWSUNFX1JFUVVFU1QKIAkJCQkmJiB0eXBlICE9IFNTSF9NU0dfU0VSVklDRV9BQ0NFUFQK LQkJCQkmJiB0eXBlICE9IFNTSF9NU0dfS0VYSU5JVCkKKwkJCQkmJiB0eXBlICE9IFNTSF9NU0df S0VYSU5JVAorCQkJCSYmICFmaXJzdF9zdHJpY3Rfa2V4KQogCQkJewogCQkJCVRSQUNFKCgidW5r bm93biBhbGxvd2VkIHBhY2tldCBkdXJpbmcga2V4aW5pdCIpKQogCQkJCXJlY3ZfdW5pbXBsZW1l bnRlZCgpOwpkaWZmIC0tZ2l0IGEvc3NoLmggYi9zc2guaAppbmRleCAxYjRmZWM2NWYuLmVmM2Vm ZGNhMCAxMDA2NDQKLS0tIGEvc3NoLmgKKysrIGIvc3NoLmgKQEAgLTEwMCw2ICsxMDAsMTAgQEAK ICNkZWZpbmUgU1NIX0VYVF9JTkZPX0MgImV4dC1pbmZvLWMiCiAjZGVmaW5lIFNTSF9TRVJWRVJf U0lHX0FMR1MgInNlcnZlci1zaWctYWxncyIKIAorLyogT3BlblNTSCBzdHJpY3QgS0VYIGZlYXR1 cmUgKi8KKyNkZWZpbmUgU1NIX1NUUklDVF9LRVhfUyAia2V4LXN0cmljdC1zLXYwMEBvcGVuc3No LmNvbSIKKyNkZWZpbmUgU1NIX1NUUklDVF9LRVhfQyAia2V4LXN0cmljdC1jLXYwMEBvcGVuc3No LmNvbSIKKwogLyogc2VydmljZSB0eXBlcyAqLwogI2RlZmluZSBTU0hfU0VSVklDRV9VU0VSQVVU SCAic3NoLXVzZXJhdXRoIgogI2RlZmluZSBTU0hfU0VSVklDRV9VU0VSQVVUSF9MRU4gMTIKZGlm ZiAtLWdpdCBhL3N2ci1zZXNzaW9uLmMgYi9zdnItc2Vzc2lvbi5jCmluZGV4IDc2OWYwNzMxZC4u YTUzOGUyYzVjIDEwMDY0NAotLS0gYS9zdnItc2Vzc2lvbi5jCisrKyBiL3N2ci1zZXNzaW9uLmMK QEAgLTM3MCw2ICszNzAsOSBAQCBzdGF0aWMgdm9pZCBzdnJfYWxnb3NfaW5pdGlhbGlzZSh2b2lk KSB7CiAJCQlhbGdvLT51c2FibGUgPSAwOwogCQl9CiAjZW5kaWYKKwkJaWYgKHN0cmNtcChhbGdv LT5uYW1lLCBTU0hfU1RSSUNUX0tFWF9DKSA9PSAwKSB7CisJCQlhbGdvLT51c2FibGUgPSAwOwor CQl9CiAJfQogfQogCg==