
Bug 576954 (CVE-2016-1908, CVE-2016-3115)

Summary: <net-misc/openssh-7.2_p2: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: base-system, bertrand, chutzpah, gentoo
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 593238

Description Agostino Sarubbo gentoo-dev 2016-03-10 13:32:57 UTC
From ${URL} :

This document may be found at:

1. Affected configurations

        All versions of OpenSSH prior to 7.2p2 with X11Forwarding

2. Vulnerability

	Missing sanitisation of untrusted input allows an
	authenticated user who is able to request X11 forwarding
	to inject commands to xauth(1).

	Injection of xauth commands grants the ability to read
	arbitrary files under the authenticated user's privilege.
	Other xauth commands allow limited information leakage,
	file overwrite, port probing and generally expose xauth(1),
	which was not written with a hostile user in mind, as an
	attack surface.

	xauth(1) is run under the user's privilege, so this
	vulnerability offers no additional access to unrestricted
	accounts, but could circumvent key or account restrictions
	such as sshd_config ForceCommand, authorized_keys
	command="..." or restricted shells.

3. Mitigation

        Set X11Forwarding=no in sshd_config. This is the default.

	For authorized_keys that specify a "command" restriction,
	also set the "restrict" (available in OpenSSH >=7.2) or
	"no-x11-forwarding" restrictions.

4. Details

        As part of establishing an X11 forwarding session, sshd(8)
	accepts an X11 authentication credential from the client.
	This credential is supplied to the xauth(1) utility to
	establish it for X11 applications that the user subsequently

	The contents of the credential's components (authentication
	scheme and credential data) were not sanitised to exclude
	meta-characters such as newlines. An attacker could
	therefore supply a credential that injected commands to
	xauth(1). The attacker could then use a number of xauth
	commands to read or overwrite arbitrary files subject to
	file permissions, connect to local ports or perform attacks
	on xauth(1) itself.

	OpenSSH 7.2p2 implements a whitelist of characters that
	are permitted to appear in X11 authentication credentials.

5. Credit

        This issue was identified by and
	communicated to the OpenSSH developers on March 3rd, 2016.

6. Fix

        Portable OpenSSH 7.2p2 contains a fix for this vulnerability.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
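The advisory above describes the injection only in prose. What follows is an added illustration, not OpenSSH's own code and not anything posted on this bug: a shell emulation of how sshd spliced the client-supplied protocol and cookie into the script it piped to xauth(1) before 7.2p2, and a character whitelist modelled on the 7.2p2 fix. The display name, the cookie values, the injected `list` command and the exact set of permitted characters are this example's assumptions.

```shell
#!/bin/sh
# Added illustration (not OpenSSH's code) of the xauth injection in sections
# 2 and 4: before 7.2p2, sshd wrote the X11 auth protocol and cookie exactly
# as the client sent them into a script fed to `xauth -q -`, so a newline in
# either field starts a new xauth command.

# Emulate the pre-fix script generation for one forwarded display.
build_xauth_script() {
    display=$1; proto=$2; cookie=$3
    printf 'remove %s\nadd %s %s %s\n' "$display" "$display" "$proto" "$cookie"
}

# Number of commands xauth would execute from that script.
count_xauth_commands() {
    build_xauth_script "$@" | grep -c .
}

# Whitelist modelled on the 7.2p2 fix: alphanumerics plus the few punctuation
# characters a real credential needs (. : / - _). The exact set is this
# example's assumption. Returns 0 when the string is acceptable.
xauth_valid_string() {
    case $1 in
        *[!A-Za-z0-9._:/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Gate the request the way the fixed sshd does: validate both fields before
# any text reaches xauth. Prints the script on success, returns 1 on rejection.
handle_x11_request() {
    if xauth_valid_string "$2" && xauth_valid_string "$3"; then
        build_xauth_script "$@"
    else
        printf 'Invalid X11 forwarding request (rejected before xauth)\n' >&2
        return 1
    fi
}

# Constructed inputs: a normal MIT-MAGIC-COOKIE-1 credential, and the same
# cookie with a second xauth command injected after a newline ("list" here;
# the attacker in the advisory would pick a command that reads or writes files).
DISPLAY_NAME='localhost/unix:10'
PROTO='MIT-MAGIC-COOKIE-1'
GOOD_COOKIE='0123456789abcdef0123456789abcdef'
EVIL_COOKIE=$(printf '0123456789abcdef0123456789abcdef\nlist')

printf 'benign request -> %s xauth command(s)\n' \
    "$(count_xauth_commands "$DISPLAY_NAME" "$PROTO" "$GOOD_COOKIE")"
printf 'injected request -> %s xauth command(s) before the fix\n' \
    "$(count_xauth_commands "$DISPLAY_NAME" "$PROTO" "$EVIL_COOKIE")"
if handle_x11_request "$DISPLAY_NAME" "$PROTO" "$EVIL_COOKIE" >/dev/null; then
    echo 'injected request accepted'
else
    echo 'injected request rejected by the whitelist'
fi
```

The point of the whitelist rather than escaping is that the request is rejected before anything is written to xauth's stdin; xauth's command parser was never designed for hostile input, so quoting rules on that side are not something sshd should rely on.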
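Section 3 of the advisory names two settings to check. The script below is an added audit, not part of OpenSSH or the Gentoo package: it reports the effective X11Forwarding value of an sshd_config file (sshd uses the first occurrence of a keyword, and the default is no) and lists authorized_keys entries that carry command="..." without restrict or no-x11-forwarding, which is exactly the combination the advisory says can be bypassed. The sample files it writes are constructed, with placeholder key blobs, and Match blocks in sshd_config are deliberately ignored.

```shell
#!/bin/sh
# Added audit (not from OpenSSH or the Gentoo ebuild) for the mitigations in
# section 3: X11Forwarding in sshd_config, and restrict / no-x11-forwarding on
# authorized_keys entries that force a command. Match blocks are ignored.

# Effective X11Forwarding value: first occurrence wins, default is "no".
x11_forwarding_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Print each entry whose options force a command but do not also disable X11
# forwarding. Exit status 1 if any such entry exists, 0 otherwise.
unrestricted_command_keys() {
    awk '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    {
        # The key type token marks where the options field (if any) ends.
        line = " " $0
        if (!match(line, /[[:space:]](ssh-|ecdsa-|sk-)[A-Za-z0-9@.-]+[[:space:]]/))
            next
        opts = tolower(substr(line, 2, RSTART - 2))
        gsub(/"[^"]*"/, "\"\"", opts)          # ignore text inside quotes
        if (("," opts) ~ /,command=/ &&
            ("," opts ",") !~ /,(restrict|no-x11-forwarding),/) {
            print
            bad = 1
        }
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample files so the audit runs offline; prints the directory.
make_samples() {
    dir=$(mktemp -d) || return 1
    cat >"$dir/sshd_config" <<'EOF'
# constructed sshd_config fragment: the weak setting the advisory warns about
Port 22
X11Forwarding yes
Match User jumphost
    X11Forwarding no
EOF
    cat >"$dir/authorized_keys" <<'EOF'
# constructed authorized_keys; the key blobs are placeholders, not real keys
command="/usr/bin/rsync --server --sender . /srv",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 backup@example
restrict,command="/usr/bin/rsync --server --sender . /srv" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 backup2@example
command="/usr/local/bin/report",no-x11-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER3 report@example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4 admin@example
EOF
    printf '%s\n' "$dir"
}

# Report both findings for a directory holding sshd_config and authorized_keys.
audit_dir() {
    setting=$(x11_forwarding_setting "$1/sshd_config")
    if [ "$setting" = no ]; then
        echo "X11Forwarding no: xauth is never invoked for forwarded sessions"
    else
        echo "X11Forwarding $setting: set it to no unless forwarding is needed"
    fi
    if unrestricted_command_keys "$1/authorized_keys"; then
        echo "all command= keys also disable X11 forwarding"
    else
        echo "the entries above need restrict (OpenSSH >= 7.2) or no-x11-forwarding"
    fi
}

dir=$(make_samples) && audit_dir "$dir" && rm -rf "$dir"
```

On the constructed sample only the first key line is reported: it forces rsync but leaves X11 forwarding allowed, so before 7.2p2 that key could still have driven xauth(1) with commands of its own choosing.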
Comment 1 SpanKY gentoo-dev 2016-03-11 05:53:28 UTC
now in the tree.  don't know of any reason to not stabilize.
Comment 2 Agostino Sarubbo gentoo-dev 2016-03-11 08:43:22 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-03-11 11:56:36 UTC
It should be noted, that the new openSSH 7.2p2 also includes the fix for
CVE-2016-1908 as it had been assigned here:

* SECURITY: Eliminate the fallback from untrusted X11-forwarding to trusted
forwarding for cases when the X server disables
  the SECURITY extension. Reported by Thomas Hoger.

The associated commit (
did not make it into the last release as per last-minute decision (see:
Comment 4 Richard Freeman gentoo-dev 2016-03-11 13:30:12 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-12 09:12:08 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-15 16:44:00 UTC
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:35:07 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-16 12:08:48 UTC
ppc stable
Comment 9 Markus Meier gentoo-dev 2016-03-18 06:12:54 UTC
arm stable
Comment 10 Uwe Sauter 2016-03-18 09:01:33 UTC
Don't know if this is the right place or a new bug would be better but net-misc/openssh-7.2_p2 fails to compile when USE=hpn is set.

 * Messages for package net-misc/openssh-7.2_p2:

 * Package:    net-misc/openssh-7.2_p2
 * Repository: gentoo
 * Maintainer:
 * USE:        X abi_x86_64 amd64 elibc_glibc hpn kernel_linux pam pie ssl userland_GNU
 * FEATURES:   preserve-libs sandbox splitdebug userpriv usersandbox
 * Sorry, but this version does not yet support features
 * that you requested:	 hpn
 * Please mask openssh-7.2_p2 for now and check back later:
 *  # echo '=net-misc/openssh-7.2_p2' >> /etc/portage/package.mask
 * ERROR: net-misc/openssh-7.2_p2::gentoo failed (setup phase):
 *   booooo
 * Call stack:
 *     , line 133:  Called pkg_setup
 *   openssh-7.2_p2.ebuild, line  90:  Called die
 * The specific snippet of code:
 *   		die "booooo"
Comment 11 Uwe Sauter 2016-03-18 09:03:46 UTC
Regarding the previous comment:

It probably would be better to advise the user to disable the USE flag instead of masking this version as it is a matter of security…
Comment 12 SpanKY gentoo-dev 2016-03-18 21:24:52 UTC
we don't block stable for hpn.  it'll come back when the update is stable.
Comment 13 SpanKY gentoo-dev 2016-03-18 21:27:45 UTC
i've done the remaining arches
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2016-09-17 05:10:28 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s) - 7.1_p2-r1
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:32:37 UTC
This issue was resolved and addressed in
 GLSA 201612-18 at
by GLSA coordinator Aaron Bauman (b-man).