
Bug 723848 (CVE-2018-12437)

Summary: <net-misc/dropbear-2020.80: Multiple vulnerabilities (CVE-2018-{0739,12437,20685})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: embedded
Priority: Normal
Keywords: CC-ARCHES, PullRequest
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/15897
https://bugs.gentoo.org/show_bug.cgi?id=723844
https://github.com/gentoo/gentoo/pull/16440
https://bugs.gentoo.org/show_bug.cgi?id=732664
https://github.com/gentoo/gentoo/pull/16906
https://github.com/gentoo/gentoo/pull/18734
Whiteboard: B3 [glsa+ cve]
Package list:
net-misc/dropbear-2020.80
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 723846, 728412    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-18 21:34:06 UTC
From https://github.com/libtom/libtomcrypt/blob/54e6db588a96fe8d29984033c56d105babc88210/changes#L1
      -- Fix Side Channel Based ECDSA Key Extraction (CVE-2018-12437) (PR #408)
      -- Fix potential stack overflow when DER flexi-decoding (CVE-2018-0739) (PR #373)

These were fixed in 1.18.2 (1st July 2018), but the bundled version in net-misc/dropbear is 1.18.1 (22nd Jan 2018): https://github.com/mkj/dropbear/blob/e612aec5d9f25a7334d9e2981f1aabf12b889b64/libtomcrypt/changes#L1
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-18 21:39:25 UTC
We can either update the bundled version or just package it in tree finally.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-15 19:59:09 UTC
From 2020.79 release notes:
"scp fix for CVE-2018-20685 where a server could modify name of output files"
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-26 22:50:38 UTC
Note that 2020.79 bumps the bundled versions, so we can do that for now.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 21:52:25 UTC
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 22:50:50 UTC
arm64 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 22:51:19 UTC
sparc stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 00:10:09 UTC
ppc stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 00:35:59 UTC
amd64 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 01:49:44 UTC
arm stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 11:52:55 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-07-21 09:31:51 UTC
s390 stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 18:45:56 UTC
hppa: ping
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 22:58:05 UTC
GLSA vote: yes
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:34:45 UTC
This issue was resolved and addressed in GLSA 202007-53 at https://security.gentoo.org/glsa/202007-53 by GLSA coordinator Sam James (sam_c).
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-28 19:44:29 UTC
Reopening for hppa.
Comment 16 Rolf Eike Beer archtester 2020-07-29 17:35:16 UTC
hppa stable
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 19:16:49 UTC
Please cleanup.
Comment 18 Larry the Git Cow gentoo-dev 2020-07-29 23:11:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77996c702667b32eec00164b9e2eca0c69a2ba27

commit 77996c702667b32eec00164b9e2eca0c69a2ba27
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 19:47:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 23:11:44 +0000

    net-misc/dropbear: security cleanup
    
    Bug: https://bugs.gentoo.org/723848
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/dropbear/Manifest                |   1 -
 net-misc/dropbear/dropbear-2019.78.ebuild | 107 ------------------------------
 net-misc/dropbear/dropbear-2020.80.ebuild | 105 -----------------------------
 3 files changed, 213 deletions(-)