Bug 713102 (CVE-2018-15599) - <net-misc/dropbear-2019.78: Multiple vulnerabilities (CVE-2018-15599)
Summary: <net-misc/dropbear-2019.78: Multiple vulnerabilities (CVE-2018-15599)
Status: RESOLVED FIXED
Alias: CVE-2018-15599
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://matt.ucc.asn.au/dropbear/CHANGES
Whiteboard: B3 [noglsa cve]
Depends on: 713904
Reported: 2020-03-18 02:59 UTC by Sam James
Modified: 2020-04-01 19:20 UTC
Package list:
net-misc/dropbear-2019.78
Runtime testing required: ---
stable-bot: sanity-check+

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 02:59:02 UTC
1) CVE-2018-15599
Description:
"Change handling of failed authentication to avoid disclosing valid usernames, CVE-2018-15599."
Patch: https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00

2)
Description:
"Improvements to DSS and RSA public key validation, found by OSS-Fuzz."
Patches: miscellaneous

3)
Description:
"Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz"
Patch: https://secure.ucc.asn.au/hg/dropbear/rev/dc7c9fdb3716

4)
Description:
"Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz"

5) (possible?)
Possible issue:
Description:
"While login as root user, after prompt for password, user is being notified about login failure, but after second attempt of prompt for password within same session, login becomes successful."

PR: https://github.com/mkj/dropbear/pull/78
Patch: https://secure.ucc.asn.au/hg/dropbear/rev/258b57b208ae

---
Note that only vulnerability 1 has a CVE.
All were fixed in 2019.77.
Comment 1 Agostino Sarubbo gentoo-dev 2020-03-21 16:15:00 UTC
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-03-21 16:19:53 UTC
s390 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-03-21 16:20:46 UTC
sparc stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-03-21 16:27:07 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-21 16:27:35 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-21 16:28:41 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-21 16:48:23 UTC
arm stable
Comment 8 Mart Raudsepp gentoo-dev 2020-03-22 07:40:21 UTC
arm64 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:07:32 UTC
SuperH port disbanded.
Comment 10 Rolf Eike Beer archtester 2020-03-30 21:38:19 UTC
hppa stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-31 12:36:20 UTC
ia64 will pass. See https://archives.gentoo.org/gentoo-dev/message/edaadc85d7423810dd6ecfeda29cc85f
Comment 12 Larry the Git Cow gentoo-dev 2020-04-01 19:19:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e95328af49490a2ec8eb58b4a79e0dd154ce18e3

commit e95328af49490a2ec8eb58b4a79e0dd154ce18e3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-01 19:18:53 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-01 19:19:06 +0000

    net-misc/dropbear: security cleanup (bug #713102)
    
    Bug: https://bugs.gentoo.org/713102
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/dropbear/Manifest                |   2 -
 net-misc/dropbear/dropbear-2017.75.ebuild |  98 -----------------------------
 net-misc/dropbear/dropbear-2018.76.ebuild | 101 ------------------------------
 3 files changed, 201 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07e4e67df6fbf421f137df51baa4d38725819cba

commit 07e4e67df6fbf421f137df51baa4d38725819cba
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-01 19:18:03 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-01 19:19:05 +0000

    net-misc/dropbear: ia64 & m68k marked stable (bug #713102)
    
    Bug: https://bugs.gentoo.org/713102
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/dropbear/dropbear-2019.78.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 19:20:00 UTC
GLSA Vote: No!

Repository is clean, all done!