Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 619002 (CVE-2017-9078, CVE-2017-9079) - <net-misc/dropbear-2017.75: multiple vulnerabilities
Summary: <net-misc/dropbear-2017.75: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-9078, CVE-2017-9079
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: C2 [noglsa cve]
Keywords:
: 619198 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-05-20 03:14 UTC by Michael Boyle
Modified: 2018-05-22 13:20 UTC (History)
2 users (show)

See Also:
Package list:
=net-misc/dropbear-2017.75
Runtime testing required: No
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Boyle 2017-05-20 03:14:13 UTC 
Dropbear before 2017.75 might allow local users to read certain files as root, if the file has the authorized_keys file format with a command= option. This occurs because ~/.ssh/authorized_keys is read with root privileges and symlinks are followed. 

The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled.
Comment 1 Agostino Sarubbo gentoo-dev 2017-05-21 16:05:33 UTC 
*** Bug 619198 has been marked as a duplicate of this bug. ***
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-08 15:33:08 UTC 
@ Maintainer(s): Please bump to >=net-misc/dropbear-2017.75!
Comment 3 Larry the Git Cow gentoo-dev 2018-01-12 05:32:05 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7593221abf949d6e093b986a2d596e9ddf1a504c

commit 7593221abf949d6e093b986a2d596e9ddf1a504c
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2018-01-12 05:30:41 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2018-01-12 05:30:41 +0000

    net-misc/dropbear: version bump to 2017.75 #619002
    
    Bug: https://bugs.gentoo.org/619002

 net-misc/dropbear/Manifest                |  1 +
 net-misc/dropbear/dropbear-2017.75.ebuild | 98 +++++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)}
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-01-25 22:18:58 UTC 
@maintainer(s), please call for stable when ready.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-03-22 23:18:18 UTC 
@arches, please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2018-03-23 10:28:06 UTC 
amd64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-23 23:40:57 UTC 
ia64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-24 11:15:52 UTC 
ppc/ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-24 19:33:18 UTC 
hppa stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-25 22:44:01 UTC 
x86 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-26 22:47:52 UTC 
commit 20d8f42c2a866e7992eba06e6d29c5fd40e2a5f9
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Mon Mar 26 18:37:53 2018 +0200

    net-misc/dropbear: stable 2017.75 for sparc, bug #619002
Comment 12 Mart Raudsepp gentoo-dev 2018-03-28 19:47:18 UTC 
arm64 stable
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-31 10:12:01 UTC 
Stable on alpha.
Comment 14 Markus Meier gentoo-dev 2018-04-08 10:47:32 UTC 
arm stable
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-05-19 21:58:33 UTC 
add missing arches...
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-22 13:20:48 UTC 
All done.

GLSA vote: no.