Bug 487682 (CVE-2013-4421) - <net-misc/dropbear-2013.60: User Enumeration Weakness and Denial of Service Vulnerability (CVE-2013-{4421,4434})
Summary: <net-misc/dropbear-2013.60: User Enumeration Weakness and Denial of Service V...
Status: RESOLVED FIXED
Alias: CVE-2013-4421
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/55173/
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-11 18:55 UTC by Agostino Sarubbo
Modified: 2014-05-11 13:04 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-10-11 18:55:43 UTC
From ${URL} :

Description

A weakness and a vulnerability have been reported in Dropbear SSH Server, which can be exploited by malicious people to disclose certain sensitive information and cause a DoS (Denial of Service).

1) A timing error when authenticating users can be exploited to e.g. enumerate valid user names.

2) An error in the "buf_decompress()" function (packet.c) when handling compressed payloads can be exploited to e.g. exhaust available memory resources by sending a specially crafted packet.

The weakness and the vulnerability are reported in versions prior to 2013.59.


Solution:
Update to version 2013.59.

Provided and/or discovered by:
The vendor credits Logan Lamb.

Original Advisory:
https://matt.ucc.asn.au/dropbear/CHANGES




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 2 Sergey Popov gentoo-dev 2013-10-16 09:38:17 UTC
(In reply to SpanKY from comment #1)
> Commit message: Version bump
> http://sources.gentoo.org/net-misc/dropbear/dropbear-2013.59.ebuild?rev=1.1
> http://sources.gentoo.org/net-misc/dropbear/files/dropbear-2013.59-exec-prefix.patch?rev=1.1
> http://sources.gentoo.org/net-misc/dropbear/files/dropbear-2013.59-scp-inst.patch?rev=1.1

Good. Is it ready for stabilization? If yes - please CC arches, thanks.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 16:22:40 UTC
CVE-2013-4434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4434):
  Dropbear SSH Server before 2013.59 generates error messages for a failed
  logon attempt with different time delays depending on whether the user
  account exists, which allows remote attackers to discover valid usernames.

CVE-2013-4421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4421):
  The buf_decompress function in packet.c in Dropbear SSH Server before
  2013.59 allows remote attackers to cause a denial of service (memory
  consumption) via a compressed packet that has a large size when it is
  decompressed.
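The memory-consumption issue in CVE-2013-4421 comes from inflating a compressed packet without a ceiling on the decompressed size. The following is an added Python illustration of a bounded inflate, not Dropbear's C code and not the fix the project shipped; the 64 KiB ceiling and the sample payloads are assumptions constructed for the demonstration.

```python
import zlib

# Per-packet ceiling on decompressed size. Assumed value for this demo; the
# limit Dropbear actually enforces is not stated on this page.
MAX_DECOMPRESSED = 64 * 1024


class DecompressionBombError(ValueError):
    """Compressed payload would inflate past the configured ceiling."""


def bounded_decompress(payload: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate a zlib stream without materialising more than limit + 1 bytes.

    decompressobj().decompress(data, max_length) stops as soon as max_length
    output bytes exist, so requesting limit + 1 bytes is enough to learn that
    the true size exceeds the limit. A plain zlib.decompress(payload) would
    instead grow its buffer to the full inflated size, which is the memory
    exhaustion described for buf_decompress().
    """
    d = zlib.decompressobj()
    out = d.decompress(payload, limit + 1)
    if len(out) > limit:
        raise DecompressionBombError(
            f"{len(payload)}-byte payload inflates beyond {limit} bytes")
    if not d.eof:
        # Output fits but the stream never reached its end: truncated or
        # corrupt packet rather than a valid one.
        raise zlib.error("incomplete zlib stream in packet payload")
    return out


def accepts(payload: bytes, limit: int = MAX_DECOMPRESSED) -> bool:
    """True if the payload inflates within the limit, False if it is a bomb."""
    try:
        bounded_decompress(payload, limit)
        return True
    except DecompressionBombError:
        return False


def build_payload(plain: bytes) -> bytes:
    """Constructed sample: compress plaintext the way a peer's zlib would."""
    return zlib.compress(plain, 9)


if __name__ == "__main__":
    normal = build_payload(b"constructed SSH_MSG_USERAUTH_REQUEST sample")
    bomb = build_payload(b"\0" * (16 * 1024 * 1024))  # ~16 KiB on the wire
    print(len(bomb), accepts(normal), accepts(bomb))
```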
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-17 10:58:51 UTC
no response in 30 days.

Arches, please test and mark stable:

net-misc/dropbear-2013.60

target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2013-11-17 13:12:01 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-11-17 13:12:09 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-11-17 13:17:36 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-11-17 13:17:43 UTC
ppc64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-19 03:03:11 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2013-11-19 21:22:39 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-11-19 21:22:46 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-11-19 21:22:53 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 05:07:11 UTC
Ping!

Maintainer(s), please drop the vulnerable version.
Comment 14 Fabian Köster 2014-04-10 11:22:49 UTC
Shouldn't this bug be closed?
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-04-10 11:29:27 UTC
Fabian, not yet. Cleanup was done but there still needs to be a GLSA process.

Security, please vote.
Comment 16 Sergey Popov gentoo-dev 2014-05-11 13:00:14 UTC
Thanks for your work

GLSA vote: no
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-05-11 13:04:34 UTC
GLSA vote: no.

Closing as [noglsa].