Bug 577050 (CVE-2016-3116)

Summary:	<net-misc/dropbear-2016.73: Missing validation of X11 forwarding (CVE-2016-3116)
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	embedded
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B2 [glsa cve]
Package list:		Runtime testing required:	---

Description Hanno Böck gentoo-dev

2016-03-11 11:07:13 UTC

See upstream changelog:
"Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, found by github.com/tintinweb. Thanks for Damien Miller for a patch."

Same bug is also in openssh, see #576954.

dropbear-2016.72 is already in the tree, needs stabilization.

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2016-06-07 10:35:01 UTC

2016.73 is in tree so calling for stabilization of that package.

@arches, please stabilize the following:

=net-misc/dropbear-2016.73

Comment 2 Tobias Klausmann (RETIRED) gentoo-dev

2016-06-07 17:56:22 UTC

Stable on alpha.

Comment 3 Agostino Sarubbo gentoo-dev

2016-06-10 13:02:10 UTC

amd64 stable

Comment 4 Markus Meier gentoo-dev

2016-06-11 13:18:40 UTC

arm stable

Comment 5 SpanKY gentoo-dev

2016-06-21 04:33:40 UTC

done arm64/hppa/ia64/m68k/ppc/ppc64/s390/sh/sparc/x86 now (all the rest)

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2016-06-21 05:10:42 UTC

New GLSA request filed.

@maintainer(s), please cleanup the vulnerable versions.

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2016-06-21 05:11:42 UTC

CVE-2016-3116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3116):
  CRLF injection vulnerability in Dropbear SSH before 2016.72 allows remote
  authenticated users to bypass intended shell-command restrictions via
  crafted X11 forwarding data.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2016-07-20 08:47:53 UTC

This issue was resolved and addressed in
 GLSA 201607-08 at https://security.gentoo.org/glsa/201607-08
by GLSA coordinator Aaron Bauman (b-man).