Bug 17948

Summary: dropbear new security issue CVE-2016-3116
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dan, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/680178/
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: dropbear-2015.71-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-03-10 19:29:09 CET 
A CVE has been assigned for a security issue fixed upstream on March 9:
http://openwall.com/lists/oss-security/2016/03/10/16

(see the bottom half of the message above).

It sounds like it's a similar issue to CVE-2015-3115 in openssh (Bug 17944).

Mageia 5 is also affected.
David Walser 2016-03-10 19:29:15 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Dan Fandrich 2016-03-11 21:27:00 CET 
Cauldron has been updated to 2016.72. I'll look at patching mga5.
Comment 2 Dan Fandrich 2016-03-11 22:18:18 CET 
The upstream patch applied cleanly to mga5's 2014.66 so there's now an update for mga5 available in updates_testing. Coming up with a POC for the exploit fix would likely take some fiddling, but a simple QA test to prove X11 forwarding is still working would be:

sudo systemctl stop sshd.service
sudo systemctl start dropbear.service
ssh -F /dev/null -X localhost zenity --info --text=working

where the part after localhost can be replaced by just about any X11 command if zenity isn't available. If a dialog box with "working" appears, it's working.
Comment 3 David Walser 2016-03-12 00:36:50 CET 
Thanks Dan!

Advisory:
========================

Updated dropbear package fixes security vulnerability:

Missing validation of X11 forwarding input could allow bypassing of
authorized_keys command= restrictions (CVE-2016-3116).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3116
http://openwall.com/lists/oss-security/2016/03/10/16
========================

Updated packages in core/updates_testing:
========================
dropbear-2014.66-1.1.mga5

from dropbear-2014.66-1.1.mga5.src.rpm

CC: (none) => dan
Version: Cauldron => 5
Assignee: dan => qa-bugs
Whiteboard: MGA5TOO => (none)

David Walser 2016-03-15 17:23:34 CET

URL: (none) => http://lwn.net/Vulnerabilities/680178/

Comment 4 Len Lawrence 2016-03-15 18:32:04 CET 
mga5  x86_64  Mate  4.4.5-desktop-1.mga5 

Pre-update:
$ sudo systemctl stop sshd.service
$ sudo systemctl start dropbear.service
$ ssh -F /dev/null -X localhost zenity --info --text=working
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is <......................................>
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
lcl@localhost's password: ...............

The popup information window with the light-bulb and "Working" appeared.
 
After updating dropbear, X11 forwarding worked as before.
$ sudo systemctl stop sshd.service
$ sudo systemctl start dropbear.service
$ ssh -F /dev/null -X localhost zenity --info --text=working
lcl@localhost's password:

CC: (none) => tarazed25

Len Lawrence 2016-03-15 18:32:22 CET

Whiteboard: (none) => MGA5-64-OK

Comment 5 Len Lawrence 2016-03-15 19:19:07 CET 
mga5  i586 in virtualbox  Mate

Installed dropbear before the update.

$ sudo systemctl stop sshd.service
$ sudo systemctl start dropbear.service
$ ssh -F /dev/null -X localhost zenity --info --text=working
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is .............................................
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
lcl@localhost's password:

The box appeared as expected.

Also tried another machine on the local network, not knowing quite what to expect.
$ ssh -F /dev/null -X belexeuli zenity --info --text=working
Password: 
** (zenity:7486): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-WvRFEuVmnD: Connection refused
The "working" box did appear though.  Might need dropbear at the other end.

Updated dropbear.
$ sudo systemctl status sshd.service
รข sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: inactive (dead) since Tue 2016-03-15 17:41:42 GMT; 27min ago
 Main PID: 19736 (code=exited, status=0/SUCCESS)
$ sudo systemctl start dropbear.service
$ ssh -F /dev/null -X localhost zenity --calendar
lcl@localhost's password: 
03/27/16

The popup calendar returned the date selected.

So, good for 32-bits.
Comment 6 Len Lawrence 2016-03-15 19:22:10 CET 
In addition I tried remote login to ensure that ssh was still working as expected.
$ ssh lcl@belexeuli
Password: 
Last login: Tue Mar  8 16:14:56 2016 from 192.168.1.92
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2021-03-14
[lcl@belexeuli ~]$ exit

That looks alright.

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Len Lawrence 2016-03-15 19:24:17 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2016-03-15 19:25:24 CET 
Well done Len and thanks for including a procedure Dan.

Validating. Advisory uploaded.

Whiteboard: MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 8 Mageia Robot 2016-03-16 19:08:21 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0113.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED