* CVE-2016-3116: dropbear: X11 forwarding input not validated properly
@ 2016-09-14  8:49 Sona Sarmadi
From: Sona Sarmadi @ 2016-09-14  8:49 UTC (permalink / raw)
  To: openembedded-core, akuster, Purdie,
	Richard (richard.purdie@intel.com), 'Maxin B. John'

Hi guys,

I need your advice on how to address this CVE in krogoth (master is not affected):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3116

I couldn't find a patch for this specific CVE in dropbear git or elsewhere; if we want to address this issue it seems that we need to update the dropbear version in krogoth to "2016.72". Is this ok?

Dropbear version in krogoth is 2015.71:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-core/dropbear?h=krogoth
dropbear_2015.71.bb


https://matt.ucc.asn.au/dropbear/CHANGES
.....
2016.72 - 9 March 2016    <<<<<<< dropbear version this CVE has been fixed
- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
  found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116

2015.71 - 3 December 2015  <<<< dropbear version in krogoth
.....

Looking at the dropbear git repo I see some more commits between these versions, but the CHANGES file doesn't mention them, so these are probably minor changes.

Thanks
//Sona

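The question above (does the recipe version in krogoth predate the release whose CHANGES entry mentions the CVE?) is the kind of check worth scripting rather than eyeballing. The following POSIX shell script is an added example, not code from the thread or from the dropbear or Yocto projects; it embeds a constructed excerpt of the dropbear CHANGES file as quoted above, derives the version from a recipe filename the way bitbake derives PV from `name_version.bb`, and reports whether the recipe is older than the fixed release. The recipe path and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: is the recipe's version older than the release that fixed a CVE?
# Source of truth is the upstream CHANGES file, whose release headings look like
# "2016.72 - 9 March 2016" followed by indented entries.

# Constructed excerpt of dropbear's CHANGES (as quoted in the thread), embedded
# inline so the script runs offline; in practice you would fetch the real file.
CHANGES='2016.72 - 9 March 2016
- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
  found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116

2015.71 - 3 December 2015
- Constructed entry with no CVE reference'

# fixed_version CVE-ID
# Print the release heading under which the first CHANGES entry mentioning
# the CVE appears; print nothing if no entry mentions it.
fixed_version() {
    printf '%s\n' "$CHANGES" | awk -v cve="$1" '
        /^[0-9]+\.[0-9]+ - / { ver = $1 }          # remember current release
        index($0, cve) && ver != "" { print ver; exit }
    '
}

# recipe_version path/to/dropbear_2015.71.bb
# The version part of a recipe filename (what bitbake uses as PV by default).
recipe_version() {
    name=${1##*/}        # drop directory components
    name=${name%.bb}     # drop the .bb extension
    printf '%s\n' "${name#*_}"
}

# is_affected RECIPE CVE-ID
# Exit 0 when the recipe version sorts strictly before the fixed version,
# 1 when it is the fixed version or newer, 2 when CHANGES has no entry.
is_affected() {
    have=$(recipe_version "$1")
    fix=$(fixed_version "$2")
    if [ -z "$fix" ]; then
        echo "no CHANGES entry mentions $2; cannot decide from CHANGES alone" >&2
        return 2
    fi
    # sort -V (GNU coreutils / busybox) orders 2015.71 before 2016.72
    [ "$have" != "$fix" ] &&
        [ "$(printf '%s\n%s\n' "$have" "$fix" | sort -V | head -n 1)" = "$have" ]
}

# Stand-alone usage with the (assumed) krogoth recipe path from the thread.
RECIPE=meta/recipes-core/dropbear/dropbear_2015.71.bb
if is_affected "$RECIPE" CVE-2016-3116; then
    echo "$RECIPE ($(recipe_version "$RECIPE")) predates the fix in $(fixed_version CVE-2016-3116)"
else
    echo "$RECIPE is not older than the fixing release"
fi
```

A version comparison like this only tells you the recipe predates the fixing release; it does not tell you whether a backported patch is already in the recipe's SRC_URI, so treat a positive result as "investigate", not "vulnerable".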

* Re: CVE-2016-3116: dropbear: X11 forwarding input not validated properly
From: Alexander Kanavin @ 2016-09-14  9:06 UTC (permalink / raw)
  To: openembedded-core

On 09/14/2016 11:49 AM, Sona Sarmadi wrote:
> https://matt.ucc.asn.au/dropbear/CHANGES
> .....
> 2016.72 - 9 March 2016    <<<<<<< dropbear version this CVE has been fixed
> - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
>   found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116
>
> 2015.71 - 3 December 2015  <<<< dropbear version in krogoth

It's *probably* this one. The commit messages in dropbear repository are 
*amazingly* vague and unprofessional.

https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff

That said, I vote for updating to the version that comes with the fix. 
Backporting fixes should not be the default in the stable yocto 
releases; we should trust the upstream more.


Alex




* Re: CVE-2016-3116: dropbear: X11 forwarding input not validated properly
From: Richard Purdie @ 2016-09-14  9:43 UTC (permalink / raw)
  To: Alexander Kanavin, openembedded-core

On Wed, 2016-09-14 at 12:06 +0300, Alexander Kanavin wrote:
> On 09/14/2016 11:49 AM, Sona Sarmadi wrote:
> > 
> > https://matt.ucc.asn.au/dropbear/CHANGES
> > .....
> > 2016.72 - 9 March 2016    <<<<<<< dropbear version this CVE has
> > been fixed
> > - Validate X11 forwarding input. Could allow bypass of
> > authorized_keys command= restrictions,
> >   found by github.com/tintinweb. Thanks for Damien Miller for a
> > patch. CVE-2016-3116
> > 
> > 2015.71 - 3 December 2015  <<<< dropbear version in krogoth
> It's *probably* this one. The commit messages in dropbear repository
> are 
> *amazingly* vague and unprofessional.
> 
> https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
> 
> That said, I vote for updating to the version that comes with the
> fix. 
> Backporting fixes should not be the default in the stable yocto 
> releases; we should trust the upstream more.

Taking that argument to the extreme, we should update all versions in
the "stable" release to the latest to ensure we get all the fixes. At
that point, it becomes no different to master and it's not the
definition of "stable" which most people want to use.

So whilst I do take the point and in some cases it does make sense, it
doesn't really make sense to have that as the default policy.

In this case, it's a question of what else changed in dropbear between
these versions. Were there a ton of new features or was it just
bugfixes? How much risk of other problems is there?

Cheers,

Richard



* Re: CVE-2016-3116: dropbear: X11 forwarding input not validated properly
From: Alexander Kanavin @ 2016-09-14  9:58 UTC (permalink / raw)
  To: Richard Purdie, openembedded-core

On 09/14/2016 12:43 PM, Richard Purdie wrote:

>> That said, I vote for updating to the version that comes with the
>> fix.
>> Backporting fixes should not be the default in the stable yocto
>> releases; we should trust the upstream more.
>
> Taking that argument to the extreme, we should update all versions in
> the "stable" release to the latest to ensure we get all the fixes. At
> that point, it becomes no different to master and it's not the
> definition of "stable" which most people want to use.

But I'm not making this argument at all. What I'm saying is that master 
branch and stable branches are two different extremes with their own 
problems (one is moving too fast, the other is conservative to a fault), 
and we should try to find a sensible middle ground between them.

> In this case, it's a question of what else changed in dropbear between
> these versions. Were there a ton of new features or was it just
> bugfixes? How much risk of other problems is there?

In this case, the only difference between 2015.71 and 2016.72 is indeed 
the CVE fix commit:
https://secure.ucc.asn.au/hg/dropbear/graph

(you need to scroll down some to see it in the graph).

Alex



* Re: CVE-2016-3116: dropbear: X11 forwarding input not validated properly
From: Sona Sarmadi @ 2016-09-14 10:24 UTC (permalink / raw)
  To: Alexander Kanavin, Richard Purdie; +Cc: openembedded-core

> >> That said, I vote for updating to the version that comes with the
> >> fix.
> >> Backporting fixes should not be the default in the stable yocto
> >> releases; we should trust the upstream more.
> >
> > Taking that argument to the extreme, we should update all versions in
> > the "stable" release to the latest to ensure we get all the fixes. At
> > that point, it becomes no different to master and its not the
> > definition of "stable" which most people want to use.
> 
> But I'm not making this argument at all. What I'm saying, is that master
> branch and stable branches are two different extremes with their own
> problems (one is moving too fast, the other is conservative to a fault), and
> we should try to find a sensible middle ground between them.
> 
> > In this case, its a question of what else changed in dropbear between
> > these versions. Were there a ton of new features or was it just
> > bugfixes? How much risk of other problems is there?
> 
> In this case, the only difference between 2015.71 and 2016.72 is indeed
> the CVE fix commit:
> https://secure.ucc.asn.au/hg/dropbear/graph
> 
> (you need to scroll down some to see it in the graph).


Thanks guys for your feedback. I agree that by default we shouldn't upgrade package 
versions in stable branches as far as possible but sometimes we have to. If there isn't a 
suitable patch I personally prefer upgrading (only if it is minor changes) rather than 
sticking to a vulnerable version. We have done this in the past e.g. for OpenSSL (from 
1.0.1x to 1.0.1y). 

I will do some investigation to find out if https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff 
is the fix for CVE-2016-3116 (by quick analysis it looks like the right patch) and use that patch and NOT 
upgrade the dropbear version in krogoth !!

Thanks
//Sona



* Re: CVE-2016-3116: dropbear: X11 forwarding input not validated properly
From: Alexander Kanavin @ 2016-09-14 10:31 UTC (permalink / raw)
  To: Sona Sarmadi, Richard Purdie; +Cc: openembedded-core

On 09/14/2016 01:24 PM, Sona Sarmadi wrote:

> Thanks guys for your feedbacks. I agree that by default we shouldn't upgrade package
> versions in stable branches as far as possible but sometimes we have to. If there isn't a
> suitable patch I personally prefer upgrading (only if it is minor changes) rather than
> sticking to a vulnerable version. We have done this in the past e.g. for OpenSSL (from
> 1.0.1x to 1.0.1y).

See, often the upstream does have a way to get security fixes out to 
users in a way that doesn't bundle unrelated feature additions and 
changes. By saying 'we should trust the upstream' I mean that we should 
try to fix security in a way provided by upstream instead of doing the 
backporting ourselves (where frequently we have no idea what we're 
really doing because we don't know the codebase, or it's otherwise too 
hard for various reasons).

> I will do some investigation to find out if https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
> is the fix for CVE-2016-3116 (by quick analysis it looks the right patch) and use that patch and NOT
> upgrade the dropbear version in krogoth !!

After looking at the commit tree, I'm pretty certain that it is. And you can 
just update to 2016.72 because it is the only change in that version.

Alex



* Re: CVE-2016-3116: dropbear: X11 forwarding input not validated properly
From: akuster808 @ 2016-09-14 20:19 UTC (permalink / raw)
  To: Richard Purdie, Alexander Kanavin, openembedded-core

On 9/14/16 2:43 AM, Richard Purdie wrote:
> On Wed, 2016-09-14 at 12:06 +0300, Alexander Kanavin wrote:
>> On 09/14/2016 11:49 AM, Sona Sarmadi wrote:
>>> https://matt.ucc.asn.au/dropbear/CHANGES
>>> .....
>>> 2016.72 - 9 March 2016    <<<<<<< dropbear version this CVE has
>>> been fixed
>>> - Validate X11 forwarding input. Could allow bypass of
>>> authorized_keys command= restrictions,
>>>   found by github.com/tintinweb. Thanks for Damien Miller for a
>>> patch. CVE-2016-3116
>>>
>>> 2015.71 - 3 December 2015  <<<< dropbear version in krogoth
>> It's *probably* this one. The commit messages in dropbear repository
>> are 
>> *amazingly* vague and unprofessional.
>>
>> https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
>>
>> That said, I vote for updating to the version that comes with the
>> fix. 
>> Backporting fixes should not be the default in the stable yocto 
>> releases; we should trust the upstream more.
> Taking that argument to the extreme, we should update all versions in
> the "stable" release to the latest to ensure we get all the fixes. At
> that point, it becomes no different to master and it's not the
> definition of "stable" which most people want to use.
>
> So whilst I do take the point and in some cases it does make sense, it
> doesn't really make sense to have that as the default policy.

I agree. Updating packages in a stable release should not be the default
but the exception. It should be a case-by-case determination.

> In this case, it's a question of what else changed in dropbear between
> these versions. Were there a ton of new features or was it just
> bugfixes? How much risk of other problems is there?

If I am not mistaken, this is similar wording to that in the "Stable branch
Maintaining" page on the wiki.

- Armin
>
> Cheers,
>
> Richard




