First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 214985
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Robert Buchholz <rbu@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
20080329-105215.log build.log text/plain Christian Faulhammer 2008-03-29 11:08 0000 1.99 KB Details
openssh-4.7p1-gsskex-20070927.patch-15150.out patch.out text/plain Christian Faulhammer 2008-03-29 11:09 0000 72.03 KB Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 214985 depends on: Show dependency tree
Bug 214985 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2008-03-26 21:59 0000 
CVE-2008-1483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1483):
  OpenSSH 4.3p2, and probably other versions, allows local users to hijack
  forwarded X connections by causing ssh to set DISPLAY to :10, even when
  another process is listening on the associated port, as demonstrated by
  opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.

------- Comment #1 From Robert Buchholz 2008-03-26 23:10:10 0000 ------- 
According to the openssh upstream, this also affects vanilla versions later
than 4.3. See

------- Comment #2 From Robert Buchholz 2008-03-26 23:10:42 0000 ------- 
... $URL for details

------- Comment #3 From SpanKY 2008-03-29 03:07:43 0000 ------- 
openssh-4.7_p1-r5 in the tree for people to stabilize

------- Comment #4 From Robert Buchholz 2008-03-29 10:20:37 0000 ------- 
Arches, please test and mark stable:
=net-misc/openssh-4.7_p1-r5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh
sparc x86"

@base-system, please also apply the patch in -r20 and above.

------- Comment #5 From Christian Faulhammer 2008-03-29 11:08:28 0000 ------- 
Created an attachment (id=147620) [edit]
build.log

[ebuild     U ] net-misc/openssh-4.7_p1-r5 [4.7_p1-r3] USE="X X509* chroot*
hpn* kerberos* ldap libedit* pam skey* smartcard* tcpd (-selinux) -static" 0 kB

Portage 2.1.4.4 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0,
2.6.24-gentoo-r3 i686)
=================================================================
System uname: 2.6.24-gentoo-r3 i686 AMD Athlon(tm) X2 Dual Core Processor
BE-2400
Timestamp of tree: Sat, 29 Mar 2008 10:16:01 +0000
app-shells/bash:     3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.4
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config
/usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown
/usr/share/config /var/lib/hsqldb /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo
/etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms
strict unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="3dnow 3dnowext X a52 acl acpi aiglx alsa apache2 apm applet artworkextra
asf audiofile avahi bash-completion beagle berkdb bidi bogofilter bootsplash
branding bzip2 cairo ccache cdda cddb cdparanoia cdr cli console cracklib crypt
css cups curl custom-cflags dbus dga directfb divx4linux dri dts dvd dvdr
dvdread dvi eds emacs emboss encode esd evince evo exif fam fat fbcon fdftk
ffmpeg firefox flac foomaticdb fortran ftp gb gcj gdbm gif glitz gnome gpm gsf
gstreamer gtk gtk2 gtkhtml hal howl iconv icq idn imagemagick imap imlib
immqt-bc isdnlog java javascript jpeg jpeg2k kde ldap libnotify lirc lm_sensors
mad maildir matroska mbox midi mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2
mudflap mule mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly
nsplugin nvidia objc objc++ objc-gc offensive ogg opengl openmp pam pango pcre
pdf perl php plotutils pmu png ppds pppd prediction preview-latex print python
qt3 qt3support qt4 quicktime readline reflection samba sdk session slang spell
spl sse ssl svg svga t1lib tcl tcpd tetex theora threads thumbnailing tiff tk
toolkit-scroll-bars totem tracker truetype truetype-fonts type1-fonts udev
unicode usb userlocales vcd videos vorbis win32codecs wmf wxwindows x86 xface
xft xine xml xorg xosd xpm xv xvid zlib" ALSA_CARDS="intel8x0"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias
authn_anon authn_dbm authn_default authn_file authz_dbm authz_default
authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs
dav_lock deflate dir disk_cache env expires ext_filter file_cache filter
headers include info log_config logio mem_cache mime mime_magic negotiation
rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CAMERAS="canon ptp2" ELIBC="glibc" INPUT_DEVICES="mouse keyboard"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" LINGUAS="de" LIRC_DEVICES="atiusb" USERLAND="GNU"
VIDEO_CARDS="vesa fbdev fglrx"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #6 From Christian Faulhammer 2008-03-29 11:09:22 0000 ------- 
Created an attachment (id=147621) [edit]
patch.out

------- Comment #7 From SpanKY 2008-03-29 15:23:17 0000 ------- 
-r20 needs to get sorted out otherwise first.  we're focusing on stable here,
not ~arrch.

fixed patch failure with USE=X509 by not applying the gsskex patch

------- Comment #8 From Brent Baude 2008-03-29 16:07:58 0000 ------- 
ppc and ppc64 stablized openssh-4.7_p1-r5

------- Comment #9 From Jeroen Roovers 2008-03-29 17:14:42 0000 ------- 
Stable for HPPA.

------- Comment #10 From Christian Faulhammer 2008-03-29 18:12:25 0000 ------- 
x86 stable

------- Comment #11 From Richard Freeman 2008-03-29 19:11:40 0000 ------- 
amd64 stable

------- Comment #12 From Robert Buchholz 2008-03-29 19:37:10 0000 ------- 
(In reply to comment #7)
> -r20 needs to get sorted out otherwise first.  we're focusing on stable here,
> not ~arrch.

~arch is what I meant. We don't need to stable -r20+, but a simple rev-bump and
inclusion of the patch should secure ~arch users. Vulnerabilities should be
fixed in latest arch and ~arch versions. ~arch will not be covered by the GLSA
process though.

------- Comment #13 From Raúl Porcel 2008-03-30 09:32:49 0000 ------- 
alpha/ia64/sparc stable

------- Comment #14 From Peter Volkov 2008-03-30 11:39:29 0000 ------- 
Fixed in release snapshot. CC'ing Diego, take a look at #12.

------- Comment #15 From Diego E. 'Flameeyes' Pettenò 2008-03-30 13:59:35 0000 ------- 
Not sure what I have to look at, I used -r20 so that -r5 and so on can be kept
for stable non-pambase-aware ebuilds and -r21 could follow that path... is
there a problem with providing two ebuilds? (-r5 and -r21)?

------- Comment #16 From Robert Buchholz 2008-03-30 22:21:10 0000 ------- 
(In reply to comment #15)
> Not sure what I have to look at, I used -r20 so that -r5 and so on can be kept
> for stable non-pambase-aware ebuilds and -r21 could follow that path... is
> there a problem with providing two ebuilds? (-r5 and -r21)?

No problem at all, just bump -r20 to -r21 including the patch, both staying
~arch.

------- Comment #17 From SpanKY 2008-03-30 23:56:54 0000 ------- 
that patch isnt the only thing to go into the ebuild.  i'll take care of the
-r21 transition, but as i said i'm not doing it just yet until other things get
sorted out (specific to the -r20 ebuild).

as you already noted, security is concerned about stable, not unstable

------- Comment #18 From Robert Buchholz 2008-03-31 15:53:33 0000 ------- 
request filed.

------- Comment #19 From Robert Buchholz 2008-04-05 12:55:13 0000 ------- 
GLSA 200804-03

Fixed for ~arch in 5.0_p1
First Last Prev Next    No search results available      Search page      Enter new bug