A CVE has been assigned for a security issue fixed upstream on March 9: http://openwall.com/lists/oss-security/2016/03/10/16 (see the bottom half of the message above). It sounds like it's a similar issue to CVE-2015-3115 in openssh (Bug 17944). Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Cauldron has been updated to 2016.72. I'll look at patching mga5.
The upstream patch applied cleanly to mga5's 2014.66 so there's now an update for mga5 available in updates_testing. Coming up with a POC for the exploit fix would likely take some fiddling, but a simple QA test to prove X11 forwarding is still working would be: sudo systemctl stop sshd.service sudo systemctl start dropbear.service ssh -F /dev/null -X localhost zenity --info --text=working where the part after localhost can be replaced by just about any X11 command if zenity isn't available. If a dialog box with "working" appears, it's working.
Thanks Dan! Advisory: ======================== Updated dropbear package fixes security vulnerability: Missing validation of X11 forwarding input could allow bypassing of authorized_keys command= restrictions (CVE-2016-3116). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3116 http://openwall.com/lists/oss-security/2016/03/10/16 ======================== Updated packages in core/updates_testing: ======================== dropbear-2014.66-1.1.mga5 from dropbear-2014.66-1.1.mga5.src.rpm
CC: (none) => danVersion: Cauldron => 5Assignee: dan => qa-bugsWhiteboard: MGA5TOO => (none)
URL: (none) => http://lwn.net/Vulnerabilities/680178/
mga5 x86_64 Mate 4.4.5-desktop-1.mga5 Pre-update: $ sudo systemctl stop sshd.service $ sudo systemctl start dropbear.service $ ssh -F /dev/null -X localhost zenity --info --text=working The authenticity of host 'localhost (127.0.0.1)' can't be established. ECDSA key fingerprint is <......................................> Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts. lcl@localhost's password: ............... The popup information window with the light-bulb and "Working" appeared. After updating dropbear, X11 forwarding worked as before. $ sudo systemctl stop sshd.service $ sudo systemctl start dropbear.service $ ssh -F /dev/null -X localhost zenity --info --text=working lcl@localhost's password:
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
mga5 i586 in virtualbox Mate Installed dropbear before the update. $ sudo systemctl stop sshd.service $ sudo systemctl start dropbear.service $ ssh -F /dev/null -X localhost zenity --info --text=working The authenticity of host 'localhost (127.0.0.1)' can't be established. ECDSA key fingerprint is ............................................. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts. lcl@localhost's password: The box appeared as expected. Also tried another machine on the local network, not knowing quite what to expect. $ ssh -F /dev/null -X belexeuli zenity --info --text=working Password: ** (zenity:7486): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-WvRFEuVmnD: Connection refused The "working" box did appear though. Might need dropbear at the other end. Updated dropbear. $ sudo systemctl status sshd.service รข sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled) Active: inactive (dead) since Tue 2016-03-15 17:41:42 GMT; 27min ago Main PID: 19736 (code=exited, status=0/SUCCESS) $ sudo systemctl start dropbear.service $ ssh -F /dev/null -X localhost zenity --calendar lcl@localhost's password: 03/27/16 The popup calendar returned the date selected. So, good for 32-bits.
In addition I tried remote login to ensure that ssh was still working as expected. $ ssh lcl@belexeuli Password: Last login: Tue Mar 8 16:14:56 2016 from 192.168.1.92 gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2021-03-14 [lcl@belexeuli ~]$ exit That looks alright.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Well done Len and thanks for including a procedure Dan. Validating. Advisory uploaded.
Whiteboard: MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0113.html
Status: NEW => RESOLVEDResolution: (none) => FIXED