Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 576954 (CVE-2016-1908, CVE-2016-3115) - <net-misc/openssh-7.2_p2: Multiple vulnerabilities
Summary: <net-misc/openssh-7.2_p2: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-1908, CVE-2016-3115
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks: 593238
  Show dependency tree
 
Reported: 2016-03-10 13:32 UTC by Agostino Sarubbo
Modified: 2016-12-07 10:32 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-03-10 13:32:57 UTC
From ${URL} :

This document may be found at: http://www.openssh.com/txt/x11fwd.adv

1. Affected configurations

        All versions of OpenSSH prior to 7.2p2 with X11Forwarding
	enabled.

2. Vulnerability

	Missing sanitisation of untrusted input allows an
	authenticated user who is able to request X11 forwarding
	to inject commands to xauth(1).

	Injection of xauth commands grants the ability to read
	arbitrary files under the authenticated user's privilege,
	Other xauth commands allow limited information leakage,
	file overwrite, port probing and generally expose xauth(1),
	which was not written with a hostile user in mind, as an
	attack surface.

	xauth(1) is run under the user's privilege, so this
	vulnerability offers no additional access to unrestricted
	accounts, but could circumvent key or account restrictions
	such as sshd_config ForceCommand, authorized_keys
	command="..." or restricted shells.

3. Mitigation

        Set X11Forwarding=no in sshd_config. This is the default.

	For authorized_keys that specify a "command" restriction,
	also set the "restrict" (available in OpenSSH >=7.2) or
	"no-x11-forwarding" restrictions.

4. Details

        As part of establishing an X11 forwarding session, sshd(8)
	accepts an X11 authentication credential from the client.
	This credential is supplied to the xauth(1) utility to
	establish it for X11 applications that the user subsequently
	runs.

	The contents of the credential's components (authentication
	scheme and credential data) were not sanitised to exclude
	meta-characters such as newlines. An attacker could
	therefore supply a credential that injected commands to
	xauth(1). The attacker could then use a number of xauth
	commands to read or overwrite arbitrary files subject to
	file permissions, connect to local ports or perform attacks
	on xauth(1) itself.

	OpenSSH 7.2p2 implements a whitelist of characters that
	are permitted to appear in X11 authentication credentials.

5. Credit

        This issue was identified by github.com/tintinweb and
	communicated to the OpenSSH developers on March 3rd, 2016.

6. Fix

        Portable OpenSSH 7.2p2 contains a fix for this vulnerability.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2016-03-11 05:53:28 UTC
now in the tree.  don't know of any reason to not stabilize.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6cd19cc42eac1e72dff6585b9c83bce69048df6
Comment 2 Agostino Sarubbo gentoo-dev 2016-03-11 08:43:22 UTC
Arches, please test and mark stable:                                                                                                                                                                                                                                           
=net-misc/openssh-7.2_p2                                                                                                                                                                                                                                                       
Target keywords : "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-03-11 11:56:36 UTC
CVE-2016-1908:
It should be noted, that the new openSSH 7.2p2 also includes the fix for
CVE-2016-1908 as it had been assigned here:
http://seclists.org/oss-sec/2016/q1/115

* SECURITY: Eliminate the fallback from untrusted X11-forwarding to trusted
forwarding for cases when the X server disables
  the SECURITY extension. Reported by Thomas Hoger.

The associated commit (
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c)
did not make it into the last release as per last-minute decision (see:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html
)
Comment 4 Richard Freeman gentoo-dev 2016-03-11 13:30:12 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-12 09:12:08 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-15 16:44:00 UTC
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:35:07 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-16 12:08:48 UTC
ppc stable
Comment 9 Markus Meier gentoo-dev 2016-03-18 06:12:54 UTC
arm stable
Comment 10 Uwe Sauter 2016-03-18 09:01:33 UTC
Don't know if this is the right place or a new bug would be better but net-misc/openssh-7.2_p2 failes to compile when USE=hpn is set.

 * Messages for package net-misc/openssh-7.2_p2:

 * Package:    net-misc/openssh-7.2_p2
 * Repository: gentoo
 * Maintainer: base-system@gentoo.org robbat2@gentoo.org
 * USE:        X abi_x86_64 amd64 elibc_glibc hpn kernel_linux pam pie ssl userland_GNU
 * FEATURES:   preserve-libs sandbox splitdebug userpriv usersandbox
 * Sorry, but this version does not yet support features
 * that you requested:	 hpn
 * Please mask openssh-7.2_p2 for now and check back later:
 *  # echo '=net-misc/openssh-7.2_p2' >> /etc/portage/package.mask
 * ERROR: net-misc/openssh-7.2_p2::gentoo failed (setup phase):
 *   booooo
 * 
 * Call stack:
 *               ebuild.sh, line 133:  Called pkg_setup
 *   openssh-7.2_p2.ebuild, line  90:  Called die
 * The specific snippet of code:
 *   		die "booooo"
Comment 11 Uwe Sauter 2016-03-18 09:03:46 UTC
Regarding the previous comment:

It probably would be better to advise the user to disable the USE flag instead of masking this version as it is a matter of security…
Comment 12 SpanKY gentoo-dev 2016-03-18 21:24:52 UTC
we don't block stable for hpn.  it'll come back when the update is stable.
Comment 13 SpanKY gentoo-dev 2016-03-18 21:27:45 UTC
i've done the remaining arches
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2016-09-17 05:10:28 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s) - 7.1_p2-r1
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:32:37 UTC
This issue was resolved and addressed in
 GLSA 201612-18 at https://security.gentoo.org/glsa/201612-18
by GLSA coordinator Aaron Bauman (b-man).