Bug 11442

Summary: dropbear new security issues CVE-2013-4421 and CVE-2013-4434
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: rwobben, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/571139/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok MGA3-64-OK MGA3-32-OK
Source RPM: dropbear-2012.55-4.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-10-11 10:55:18 CEST 
A CVE was assigned for a DoS issue fixed in dropbear 2013.59:
http://openwall.com/lists/oss-security/2013/10/11/4

Cauldron already has version 2013.59.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated dropbear package fixes security vulnerability:

Possible memory exhaustion denial of service due to the size of decompressed
payloads in dropbear before 2013.59 (CVE-2013-4421).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4421
https://matt.ucc.asn.au/dropbear/CHANGES
http://openwall.com/lists/oss-security/2013/10/11/4
========================

Updated packages in core/updates_testing:
========================
dropbear-2012.55-3.1.mga2
dropbear-2012.55-4.1.mga3

from SRPMS:
dropbear-2012.55-3.1.mga2.src.rpm
dropbear-2012.55-4.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-10-11 10:55:26 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 claire robinson 2013-10-14 10:49:48 CEST 
Testing mga3 64

The new package shows an error when uninstalled. Checked with release package and it's the same. I'll create a new bug for it.

# urpmi dropbear

installing dropbear-2012.55-4.1.mga3.x86_64.rpm from /var/cache/urpmi/rpms                                                                  
Preparing...                     ##########################
      1/1: dropbear              ##########################
      1/1: removing dropbear-2012.55-4.mga3.x86_64
                                 ##########################


# service sshd stop
Redirecting to /bin/systemctl stop sshd.service
# netstat -pant | grep :22

# service dropbear start
Starting dropbear (via systemctl):         [  OK  ]

# netstat -pant | grep :22
tcp        0      0 0.0.0.0:22    0.0.0.0:*     LISTEN      21008/dropbear      
tcp        0      0 :::22         :::*          LISTEN      21008/dropbear



$ mv .ssh/known_hosts .ssh/known_hosts.bak
$ dbclient localhost

Host 'localhost' is not in the trusted hosts file.
(fingerprint md5 e0:57:bc:92:f9:c5:95:81:c1:41:41:0f:c2:1d:5c:c1)
Do you want to continue connecting? (y/n) y
claire@localhost's password:

$ exit


$ mv .ssh/known_hosts.bak .ssh/known_hosts
mv: overwrite â.ssh/known_hostsâ? y


# urpme dropbear
removing dropbear-2012.55-4.1.mga3.x86_64
removing package dropbear-2012.55-4.1.mga3.x86_64
      1/1: removing dropbear-2012.55-4.1.mga3.x86_64
                                 ######### warning: file /etc/rc.d/init.d/dropbear: remove failed: No such file or directory
#################

# service sshd start
Redirecting to /bin/systemctl start sshd.service

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok

Comment 2 claire robinson 2013-10-14 10:57:30 CEST 
Testing complete mga2 32 & 64

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok

Comment 3 claire robinson 2013-10-14 11:05:23 CEST 
Bug 11458 created for the warning
Comment 4 claire robinson 2013-10-14 11:11:22 CEST 
Testing complete mga3 32

Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 5 David Walser 2013-10-14 17:17:19 CEST 
I don't think anything can be done about the warning, other than removing the SysV init script from the package (which we'd probably only do in Cauldron I'd imagine).  Note that there may be another patch coming for this package soon:
http://openwall.com/lists/oss-security/2013/10/12/1
Comment 6 claire robinson 2013-10-14 17:23:34 CEST 
Is it worth waiting for it or should we push as-is and update again when the patch is available.
Comment 7 David Walser 2013-10-14 17:25:39 CEST 
The patch is already available, just waiting on a CVE to be assigned.  Shouldn't be long I wouldn't imagine.  I wonder if Kurt has today off because of Columbus Day.  So it might be tomorrow.  We can wait to push this.
Comment 8 claire robinson 2013-10-14 17:28:40 CEST 
Invalidating previous tests then and removing sysadmins.

I'll add feedback marker until it's ready.

Keywords: validated_update => (none)
CC: sysadmin-bugs => (none)
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure feedback

Comment 9 David Walser 2013-10-16 17:32:06 CEST 
CVE-2013-4344 has been allocated for the other issue:
http://openwall.com/lists/oss-security/2013/10/16/11

The upstream patch doesn't quite apply to the version we currently have, and re-diffing some of the parts that don't isn't quite obvious because of some changes in the code.  Looks like it'll be best to update it to the current version, which is the same thing we ultimately had to do for the last dropbear security update.
Comment 10 David Walser 2013-10-16 17:36:21 CEST 
(In reply to David Walser from comment #9)
> CVE-2013-4344 has been allocated for the other issue:
CVE-2013-4434, let me please not make another CVE typo :o)

Whiteboard: MGA2TOO has_procedure feedback => MGA2TOO has_procedure

Comment 11 David Walser 2013-10-16 18:17:09 CEST 
Updated packages uploaded for Mageia 2 and Mageia 3.

Note 2013.60 is not needed for us, as it only fixes build-time errors that don't affect our package.  This updates to 2013.59 which fixed these issues.

Advisory:
========================

Updated dropbear package fixes security vulnerability:

Possible memory exhaustion denial of service due to the size of decompressed
payloads in dropbear before 2013.59 (CVE-2013-4421).

Inconsistent delays in authorization failures could be used to disclose the
existence of valid user accounts in dropbear before 2013.59 (CVE-2013-4434).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4434
https://matt.ucc.asn.au/dropbear/CHANGES
========================

Updated packages in core/updates_testing:
========================
dropbear-2013.59-1.mga2
dropbear-2013.59-1.mga3

from SRPMS:
dropbear-2013.59-1.mga2.src.rpm
dropbear-2013.59-1.mga3.src.rpm

Summary: dropbear new security issue CVE-2013-4421 => dropbear new security issues CVE-2013-4421 and CVE-2013-4434

Comment 12 roelof Wobben 2013-10-18 18:33:21 CEST 
Sorry to say but the same problem stays in M3 x86_64.


  ######### warning: file /etc/rc.d/init.d/dropbear: remove failed: No such file or directory

The rest of the test does succeed.

Roelof

CC: (none) => rwobben

Comment 13 David Walser 2013-10-18 20:23:43 CEST 
Thanks.  Don't worry about that warning.  I've added the MGA3-64-OK marker to the whiteboard for you.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure MGA3-64-OK

Comment 14 roelof Wobben 2013-10-19 20:27:42 CEST 
Tested in Virtualbox containing M3 32 bit Gnome and found no problems.

Roelof
Comment 15 David Walser 2013-10-19 20:33:08 CEST 
(In reply to roelof Wobben from comment #14)
> Tested in Virtualbox containing M3 32 bit Gnome and found no problems.

Thanks.  Please remember the whiteboard markers.

Whiteboard: MGA2TOO has_procedure MGA3-64-OK => MGA2TOO has_procedure MGA3-64-OK MGA3-32-OK

Comment 16 roelof Wobben 2013-10-19 20:46:45 CEST 
I did not forget it. I only do not know if a test in virtualbox can lead to a marker. 


Roelof
Comment 17 David Walser 2013-10-19 20:48:22 CEST 
(In reply to roelof Wobben from comment #16)
> I did not forget it. I only do not know if a test in virtualbox can lead to
> a marker. 

Yes it can, unless it's a package that needs to be tested on real hardware, like kernels and video drivers and virtualbox itself (and a few others).
Comment 18 roelof Wobben 2013-10-19 21:36:47 CEST 
Thanks for the answers
Comment 19 claire robinson 2013-10-21 12:29:27 CEST 
Testing complete mga2 32

Whiteboard: MGA2TOO has_procedure MGA3-64-OK MGA3-32-OK => MGA2TOO has_procedure mga2-32-ok MGA3-64-OK MGA3-32-OK

Comment 20 claire robinson 2013-10-21 15:37:22 CEST 
Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure mga2-32-ok MGA3-64-OK MGA3-32-OK => MGA2TOO has_procedure mga2-32-ok mga2-64-ok MGA3-64-OK MGA3-32-OK

Comment 21 claire robinson 2013-10-21 15:43:46 CEST 
Advisory updated. Re-Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 22 David Walser 2013-10-21 19:18:18 CEST 
Fedora has issued an advisory for this on October 9:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119323.html

URL: (none) => http://lwn.net/Vulnerabilities/571139/

Comment 23 Thomas Backlund 2013-10-25 23:24:01 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0318.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 24 David Walser 2013-10-28 22:25:37 CET 
LWN reference for CVE-2013-4434:
http://lwn.net/Vulnerabilities/571987/