Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 828521 (CVE-2021-44512, CVE-2021-44513) - app-misc/tmate: multiple vulnerabilities with tmate-ssh-server
Summary: app-misc/tmate: multiple vulnerabilities with tmate-ssh-server
Status: RESOLVED INVALID
Alias: CVE-2021-44512, CVE-2021-44513
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: ~3 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-07 17:24 UTC by John Helmert III
Modified: 2022-01-18 05:30 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Yixun Lan archtester gentoo-dev 2022-01-13 06:39:19 UTC
hi security team,
  The app-misc/tmate package in portage tree is solely the client side of the application, it do require a server side: tmate-ssh-server. And, this security report mainly focus on the server side, then we probably can't do much at downstream side for the 2-3 section in [1], it's the design issue.
  so, my question here, what should we do for users? p.mask app-misc/tmate? warn user when they install this package? or any other idea/suggestion?


[1] https://www.openwall.com/lists/oss-security/2021/12/06/2
Comment 2 John Helmert III gentoo-dev Security 2022-01-18 05:30:08 UTC
(In reply to Yixun Lan from comment #1)
> hi security team,
>   The app-misc/tmate package in portage tree is solely the client side of
> the application, it do require a server side: tmate-ssh-server. And, this
> security report mainly focus on the server side, then we probably can't do
> much at downstream side for the 2-3 section in [1], it's the design issue.

You're right, sorry for not noticing this before!

>   so, my question here, what should we do for users? p.mask app-misc/tmate?
> warn user when they install this package? or any other idea/suggestion?
> 
> 
> [1] https://www.openwall.com/lists/oss-security/2021/12/06/2

In my opinion, when someone installs something, they're explictly trusting it security-wise. Given there doesn't seem to be any specific vulnerabilities in the client that we have packaged, I don't think there's anything to do from a security perspective here. But if you think action is necessary in the client package, feel free!