Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 577050 (CVE-2016-3116)

Summary: <net-misc/dropbear-2016.73: Missing validation of X11 forwarding (CVE-2016-3116)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: embedded
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2016-03-11 11:07:13 UTC
See upstream changelog:
"Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, found by github.com/tintinweb. Thanks for Damien Miller for a patch."

Same bug is also in openssh, see #576954.

dropbear-2016.72 is already in the tree, needs stabilization.
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-07 10:35:01 UTC
2016.73 is in tree so calling for stabilization of that package.

@arches, please stabilize the following:

=net-misc/dropbear-2016.73
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-07 17:56:22 UTC
Stable on alpha.
Comment 3 Agostino Sarubbo gentoo-dev 2016-06-10 13:02:10 UTC
amd64 stable
Comment 4 Markus Meier gentoo-dev 2016-06-11 13:18:40 UTC
arm stable
Comment 5 SpanKY gentoo-dev 2016-06-21 04:33:40 UTC
done arm64/hppa/ia64/m68k/ppc/ppc64/s390/sh/sparc/x86 now (all the rest)
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-21 05:10:42 UTC
New GLSA request filed.

@maintainer(s), please cleanup the vulnerable versions.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-06-21 05:11:42 UTC
CVE-2016-3116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3116):
  CRLF injection vulnerability in Dropbear SSH before 2016.72 allows remote
  authenticated users to bypass intended shell-command restrictions via
  crafted X11 forwarding data.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 08:47:53 UTC
This issue was resolved and addressed in
 GLSA 201607-08 at https://security.gentoo.org/glsa/201607-08
by GLSA coordinator Aaron Bauman (b-man).