Bug 828521 (CVE-2021-44512, CVE-2021-44513)

Summary: app-misc/tmate: multiple vulnerabilities with tmate-ssh-server
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: trivial CC: dlan
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2021/12/06/2
Whiteboard: ~3 [upstream/ebuild]
Package list:
Runtime testing required: ---

Comment 1 Yixun Lan archtester gentoo-dev 2022-01-13 06:39:19 UTC
Hi security team,
  The app-misc/tmate package in portage tree is solely the client side of the application, it does require a server side: tmate-ssh-server. And, this security report mainly focuses on the server side, then we probably can't do much at downstream side for the 2-3 section in [1], it's the design issue.
  so, my question here, what should we do for users? p.mask app-misc/tmate? warn user when they install this package? or any other idea/suggestion?


[1] https://www.openwall.com/lists/oss-security/2021/12/06/2
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-18 05:30:08 UTC
(In reply to Yixun Lan from comment #1)
> Hi security team,
>   The app-misc/tmate package in portage tree is solely the client side of
> the application, it does require a server side: tmate-ssh-server. And, this
> security report mainly focuses on the server side, then we probably can't do
> much at downstream side for the 2-3 section in [1], it's the design issue.

You're right, sorry for not noticing this before!

>   so, my question here, what should we do for users? p.mask app-misc/tmate?
> warn user when they install this package? or any other idea/suggestion?
> 
> 
> [1] https://www.openwall.com/lists/oss-security/2021/12/06/2

In my opinion, when someone installs something, they're explicitly trusting it security-wise. Given there doesn't seem to be any specific vulnerabilities in the client that we have packaged, I don't think there's anything to do from a security perspective here. But if you think action is necessary in the client package, feel free!