Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 571892 (CVE-2016-0777) - <net-misc/openssh-7.1_p2: Multiple vulnerabilities related to roaming (CVE-2016-{0777,0778})
Summary: <net-misc/openssh-7.1_p2: Multiple vulnerabilities related to roaming (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2016-0777
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://lists.mindrot.org/pipermail/op...
Whiteboard: A3 [glsa cve]
Keywords:
: 571930 (view as bug list)
Depends on:
Blocks: CVE-2015-5600 557340
  Show dependency tree
 
Reported: 2016-01-14 15:14 UTC by Alex Legler (RETIRED)
Modified: 2016-06-12 00:36 UTC (History)
11 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2016-01-14 15:14:29 UTC
* SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1
   contains experimential support for resuming SSH-connections (roaming).

   The matching server code has never been shipped, but the client
   code was enabled by default and could be tricked by a malicious
   server into leaking client memory to the server, including private
   client user keys.

   The authentication of the server host key prevents exploitation
   by a man-in-the-middle, so this information leak is restricted
   to connections to malicious or compromised servers.

   MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client
   can be completely disabled by adding 'UseRoaming no' to the gobal
   ssh_config(5) file, or to user configuration in ~/.ssh/config,
   or by passing -oUseRoaming=no on the command line.

   PATCH: See below for a patch to disable this feature (Disabling
   Roaming in the Source Code).

   This problem was reported by the Qualys Security Advisory team.
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2016-01-14 15:24:18 UTC
Working on it...
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2016-01-14 15:35:47 UTC
commit ad9f88e38be8085905214a94bc48913b095bd85a
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu Jan 14 16:30:58 2016

    net-misc/openssh: Security bump for CVE-2016-0777 (bug #571892).

    Package-Manager: portage-2.2.26
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


This revision bump only fixes CVE-2016-0777 and not the other two security fixes which went into openssh-7.1p2
The 7.1p2 release requires work on the hpn patches so I decided to release a fixed version for this CVE first.

Arches please test and mark stable =net-misc/openssh-7.1_p1-r3 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux
Comment 3 Hanno Böck gentoo-dev 2016-01-14 16:35:35 UTC
> The 7.1p2 release requires work on the hpn patches so I decided to release a
> fixed version for this CVE first.

This has happened before. I think it is not a good situation when the hpn patches delay the deployment of openssh security fixes. (I also wonder why hpn is enabled by default - very likely these patches got much less security review than stock openssh and also enable potentially dangerous features.)
Comment 4 SpanKY gentoo-dev 2016-01-14 18:37:17 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #2)

i'll take care of the hpn bump
Comment 5 Andreas K. Hüttel gentoo-dev 2016-01-14 20:08:05 UTC
*** Bug 571930 has been marked as a duplicate of this bug. ***
Comment 6 Hanno Böck gentoo-dev 2016-01-14 20:27:42 UTC
Please note the release notes mention two additional security issues not related to roaming:

 * SECURITY: Eliminate the fallback from untrusted X11-forwarding
   to trusted forwarding for cases when the X server disables
   the SECURITY extension. Reported by Thomas Hoger.

 * SECURITY: Fix an out of-bound read access in the packet handling
   code. Reported by Ben Hawkes.

They're probably not very severe, but should be kept in mind.

https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034680.html
Comment 7 Richard Freeman gentoo-dev 2016-01-14 20:40:13 UTC
amd64 stable
Comment 8 SpanKY gentoo-dev 2016-01-14 21:00:34 UTC
7.1p2 is now in the tree with various updates
Comment 9 Lars Wendler (Polynomial-C) gentoo-dev 2016-01-15 08:25:20 UTC
Thank you vapier. Unfortunately I didn't have enough time to finish this yesterday By the way, sorry I didn't test USE="-hpn X509" properly.

Arches please test and mark stable =net-misc/openssh-7.1_p2 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux
Comment 10 Agostino Sarubbo gentoo-dev 2016-01-15 09:16:27 UTC
stable for alpha/amd64/arm/ia64/ppc/ppc64/s390/sh/sparc/x86
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-15 11:31:34 UTC
(In reply to Agostino Sarubbo from comment #10)
> stable for alpha/amd64/arm/ia64/ppc/ppc64/s390/sh/sparc/x86

Testing 10 different platforms in under an hour. That's really impressive.
Comment 12 SpanKY gentoo-dev 2016-01-15 14:11:07 UTC
i've done the few remaining ones now
Comment 13 Agostino Sarubbo gentoo-dev 2016-01-15 14:47:52 UTC
(In reply to Jeroen Roovers from comment #11)
> Testing 10 different platforms in under an hour. That's really impressive.

Automated tests?
Comment 14 Agostino Sarubbo gentoo-dev 2016-01-15 15:24:56 UTC
maintainer please cleanup
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-04-04 20:38:41 UTC
This issue was resolved and addressed in
 GLSA 201601-01 at https://security.gentoo.org/glsa/201601-01
by GLSA coordinator Yury German (BlueKnight).
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-11 11:08:33 UTC
Cleanup needs to be completed.
Comment 17 Lars Wendler (Polynomial-C) gentoo-dev 2016-06-11 12:29:55 UTC
commit 0a6f7c3566cca467497f37ff9ea82c4767f14a2b
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat Jun 11 14:29:14 2016

    net-misc/openssh: Security cleanup (bug #571892).

    Kept latest ebuild with hpn USE flag as it's ~arch anyway and gets superseded
    by the latest "secure" version anyway.

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 18 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-12 00:36:54 UTC
Lars, thanks for quick cleanup!