Bug 20901

Summary: dropbear new security issues CVE-2017-9078 and CVE-2017-9079
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://matt.ucc.asn.au/dropbear/CHANGES
Whiteboard: has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM: dropbear-2016.74-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-05-20 22:28:29 CEST 
Debian has issued an advisory on May 19:
https://www.debian.org/security/2017/dsa-3859

Mageia 5 may also be affected.
David Walser 2017-05-20 22:28:36 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Dan Fandrich 2017-05-23 19:39:00 CEST 
Freeze push for Cauldron to 2017.75
Comment 2 Dan Fandrich 2017-05-25 09:55:51 CEST 
Fix for mga5 is in svn.
Comment 3 Dan Fandrich 2017-05-25 10:39:26 CEST 
dropbear-2014.66-1.3.mga5 is now available in core/updates_testing.

Test procedure for CVE-2017-9079 fix:

sudo systemctl stop sshd.service
sudo systemctl start dropbear.service
ssh -o PasswordAuthentication=false localhost echo success
# This should print the word "success" if the test is successful.
# The previous command assumes a public key is available and configured for
# use by the current user. If the error "Permission denied" is received,
# try creating a key pair and enabling it for login with these commands:
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa localhost

I wasn't able to successfully trigger the double free of CVE-2017-9078,
so no test procedure is included here. In any case, the default
Mageia configuration does not set -a so it's not vulnerable.


Proposed security advisory:


Advisory:
========================

Updated dropbear package fixes security vulnerabilities:

A double-free in the server could be triggered by an authenticated user if
dropbear is running with -a (CVE-2017-9078). The default Mageia configuration
does not set -a.

Dropbear parsed authorized_keys as root, even if it were a symlink. The fix
is to switch to user permissions when opening authorized_keys (CVE-2017-9079)

References:
https://matt.ucc.asn.au/dropbear/CHANGES
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9079

Assignee: dan => qa-bugs
URL: (none) => https://matt.ucc.asn.au/dropbear/CHANGES
Whiteboard: MGA5TOO => MGA5TOO has_procedure advisory

David Walser 2017-05-25 14:44:46 CEST

Version: Cauldron => 5
Whiteboard: MGA5TOO has_procedure advisory => has_procedure advisory

Comment 4 Herman Viaene 2017-05-31 16:07:55 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Following instructions in Comment 3 (including generating a key pair), resulted in "success".

Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK
CC: (none) => herman.viaene

Comment 5 Dave Hodgins 2017-06-10 01:57:07 CEST 
Tested on x86_64 with pre-existing ssh setup. Created the file
/etc/sysconfig/dropbear with ...
OPTIONS='-p munged'

where munged is replaced by the port number I use before starting the service.

Got the warning that key had changed, when connecting to that install, as expected.
Advisory committed to svn. Validating the update.

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory MGA5-32-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2017-06-10 09:02:00 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0165.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED