Bug 11442 - dropbear new security issues CVE-2013-4421 and CVE-2013-4434
: dropbear new security issues CVE-2013-4421 and CVE-2013-4434
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/571139/
: MGA2TOO has_procedure mga2-32-ok mga2...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-10-11 10:55 CEST by David Walser
Modified: 2013-10-28 22:25 CET (History)
3 users (show)

See Also:
Source RPM: dropbear-2012.55-4.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-10-11 10:55:18 CEST
A CVE was assigned for a DoS issue fixed in dropbear 2013.59:
http://openwall.com/lists/oss-security/2013/10/11/4

Cauldron already has version 2013.59.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated dropbear package fixes security vulnerability:

Possible memory exhaustion denial of service due to the size of decompressed
payloads in dropbear before 2013.59 (CVE-2013-4421).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4421
https://matt.ucc.asn.au/dropbear/CHANGES
http://openwall.com/lists/oss-security/2013/10/11/4
========================

Updated packages in core/updates_testing:
========================
dropbear-2012.55-3.1.mga2
dropbear-2012.55-4.1.mga3

from SRPMS:
dropbear-2012.55-3.1.mga2.src.rpm
dropbear-2012.55-4.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-10-14 10:49:48 CEST
Testing mga3 64

The new package shows an error when uninstalled. Checked with release package and it's the same. I'll create a new bug for it.

# urpmi dropbear

installing dropbear-2012.55-4.1.mga3.x86_64.rpm from /var/cache/urpmi/rpms                                                                  
Preparing...                     ##########################
      1/1: dropbear              ##########################
      1/1: removing dropbear-2012.55-4.mga3.x86_64
                                 ##########################


# service sshd stop
Redirecting to /bin/systemctl stop sshd.service
# netstat -pant | grep :22

# service dropbear start
Starting dropbear (via systemctl):         [  OK  ]

# netstat -pant | grep :22
tcp        0      0 0.0.0.0:22    0.0.0.0:*     LISTEN      21008/dropbear      
tcp        0      0 :::22         :::*          LISTEN      21008/dropbear



$ mv .ssh/known_hosts .ssh/known_hosts.bak
$ dbclient localhost

Host 'localhost' is not in the trusted hosts file.
(fingerprint md5 e0:57:bc:92:f9:c5:95:81:c1:41:41:0f:c2:1d:5c:c1)
Do you want to continue connecting? (y/n) y
claire@localhost's password:

$ exit


$ mv .ssh/known_hosts.bak .ssh/known_hosts
mv: overwrite ‘.ssh/known_hosts’? y


# urpme dropbear
removing dropbear-2012.55-4.1.mga3.x86_64
removing package dropbear-2012.55-4.1.mga3.x86_64
      1/1: removing dropbear-2012.55-4.1.mga3.x86_64
                                 ######### warning: file /etc/rc.d/init.d/dropbear: remove failed: No such file or directory
#################

# service sshd start
Redirecting to /bin/systemctl start sshd.service
Comment 2 claire robinson 2013-10-14 10:57:30 CEST
Testing complete mga2 32 & 64
Comment 3 claire robinson 2013-10-14 11:05:23 CEST
Bug 11458 created for the warning
Comment 4 claire robinson 2013-10-14 11:11:22 CEST
Testing complete mga3 32

Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 5 David Walser 2013-10-14 17:17:19 CEST
I don't think anything can be done about the warning, other than removing the SysV init script from the package (which we'd probably only do in Cauldron I'd imagine).  Note that there may be another patch coming for this package soon:
http://openwall.com/lists/oss-security/2013/10/12/1
Comment 6 claire robinson 2013-10-14 17:23:34 CEST
Is it worth waiting for it or should we push as-is and update again when the patch is available.
Comment 7 David Walser 2013-10-14 17:25:39 CEST
The patch is already available, just waiting on a CVE to be assigned.  Shouldn't be long I wouldn't imagine.  I wonder if Kurt has today off because of Columbus Day.  So it might be tomorrow.  We can wait to push this.
Comment 8 claire robinson 2013-10-14 17:28:40 CEST
Invalidating previous tests then and removing sysadmins.

I'll add feedback marker until it's ready.
Comment 9 David Walser 2013-10-16 17:32:06 CEST
CVE-2013-4344 has been allocated for the other issue:
http://openwall.com/lists/oss-security/2013/10/16/11

The upstream patch doesn't quite apply to the version we currently have, and re-diffing some of the parts that don't isn't quite obvious because of some changes in the code.  Looks like it'll be best to update it to the current version, which is the same thing we ultimately had to do for the last dropbear security update.
Comment 10 David Walser 2013-10-16 17:36:21 CEST
(In reply to David Walser from comment #9)
> CVE-2013-4344 has been allocated for the other issue:
CVE-2013-4434, let me please not make another CVE typo :o)
Comment 11 David Walser 2013-10-16 18:17:09 CEST
Updated packages uploaded for Mageia 2 and Mageia 3.

Note 2013.60 is not needed for us, as it only fixes build-time errors that don't affect our package.  This updates to 2013.59 which fixed these issues.

Advisory:
========================

Updated dropbear package fixes security vulnerability:

Possible memory exhaustion denial of service due to the size of decompressed
payloads in dropbear before 2013.59 (CVE-2013-4421).

Inconsistent delays in authorization failures could be used to disclose the
existence of valid user accounts in dropbear before 2013.59 (CVE-2013-4434).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4434
https://matt.ucc.asn.au/dropbear/CHANGES
========================

Updated packages in core/updates_testing:
========================
dropbear-2013.59-1.mga2
dropbear-2013.59-1.mga3

from SRPMS:
dropbear-2013.59-1.mga2.src.rpm
dropbear-2013.59-1.mga3.src.rpm
Comment 12 roelof Wobben 2013-10-18 18:33:21 CEST
Sorry to say but the same problem stays in M3 x86_64.


  ######### warning: file /etc/rc.d/init.d/dropbear: remove failed: No such file or directory

The rest of the test does succeed.

Roelof
Comment 13 David Walser 2013-10-18 20:23:43 CEST
Thanks.  Don't worry about that warning.  I've added the MGA3-64-OK marker to the whiteboard for you.
Comment 14 roelof Wobben 2013-10-19 20:27:42 CEST
Tested in Virtualbox containing M3 32 bit Gnome and found no problems.

Roelof
Comment 15 David Walser 2013-10-19 20:33:08 CEST
(In reply to roelof Wobben from comment #14)
> Tested in Virtualbox containing M3 32 bit Gnome and found no problems.

Thanks.  Please remember the whiteboard markers.
Comment 16 roelof Wobben 2013-10-19 20:46:45 CEST
I did not forget it. I only do not know if a test in virtualbox can lead to a marker. 


Roelof
Comment 17 David Walser 2013-10-19 20:48:22 CEST
(In reply to roelof Wobben from comment #16)
> I did not forget it. I only do not know if a test in virtualbox can lead to
> a marker. 

Yes it can, unless it's a package that needs to be tested on real hardware, like kernels and video drivers and virtualbox itself (and a few others).
Comment 18 roelof Wobben 2013-10-19 21:36:47 CEST
Thanks for the answers
Comment 19 claire robinson 2013-10-21 12:29:27 CEST
Testing complete mga2 32
Comment 20 claire robinson 2013-10-21 15:37:22 CEST
Testing complete mga2 64
Comment 21 claire robinson 2013-10-21 15:43:46 CEST
Advisory updated. Re-Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 22 David Walser 2013-10-21 19:18:18 CEST
Fedora has issued an advisory for this on October 9:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119323.html
Comment 23 Thomas Backlund 2013-10-25 23:24:01 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0318.html
Comment 24 David Walser 2013-10-28 22:25:37 CET
LWN reference for CVE-2013-4434:
http://lwn.net/Vulnerabilities/571987/

Note You need to log in before you can comment on or make changes to this bug.