dropbear: CVE-2018-15599

Debian Bug report logs - #906890
dropbear: CVE-2018-15599

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: dropbear: CVE-2018-15599

Date: Tue, 21 Aug 2018 22:57:40 +0200

Source: dropbear
Version: 2016.74-1
Severity: grave
Tags: security
Forwarded: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html

Hi,

The following vulnerability was published for dropbear.

CVE-2018-15599[0]:
| The recv_msg_userauth_request function in svr-auth.c in Dropbear
| through 2018.76 is prone to a user enumeration vulnerability because
| username validity affects how fields in SSH_MSG_USERAUTH messages are
| handled, a similar issue to CVE-2018-15473 in an unrelated codebase.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15599
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15599
[1] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #14 received at 906890@bugs.debian.org (full text, mbox, reply):

From: Guilhem Moulin <guilhem@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 906890@bugs.debian.org

Subject: Re: Bug#906890: dropbear: CVE-2018-15599

Date: Tue, 21 Aug 2018 23:30:00 +0200

[Message part 1 (text/plain, inline)]

Control: found -1 2014.65-1+deb8u2

Hi Salvatore,

Wow, you're fast :-)  I read the the discussion in the upstream list but
wasn't aware a CVE had been assigned yet.

Upstream replied “I should have a patch in the next couple of days”, and
I'll propose an upload to stretch-security after that.  (Hopefully the
patch will be easy to backport as ‘svr-auth.c’ hasn't changed much since
oldstable.)

> Please adjust the affected versions in the BTS as needed.

Added 2014.65-1+deb8u2 from jessie-security.

Cheers,
-- 
Guilhem.

[signature.asc (application/pgp-signature, inline)]

Message #21 received at 906890@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Guilhem Moulin <guilhem@debian.org>, 906890@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#906890: dropbear: CVE-2018-15599

Date: Wed, 22 Aug 2018 06:21:27 +0200

Hi Guilhem

[adding team@s.d.o to the loop]

On Tue, Aug 21, 2018 at 11:30:00PM +0200, Guilhem Moulin wrote:
> Control: found -1 2014.65-1+deb8u2
> 
> Hi Salvatore,
> 
> Wow, you're fast :-)  I read the the discussion in the upstream list but
> wasn't aware a CVE had been assigned yet.
> 
> Upstream replied “I should have a patch in the next couple of days”, and
> I'll propose an upload to stretch-security after that.  (Hopefully the
> patch will be easy to backport as ‘svr-auth.c’ hasn't changed much since
> oldstable.)

Thanks! We were discussing this related issue (similar to openssh) in
the team yesterday, and we were thinking whilst we might issue a DSA
for openssh, we tend to not issue a DSA for dropbear itself fo the
similar issue. The use cases are likely different where they are used,
so we think updating for the next point release via stretch-pu might
suffice here for drobear.

Would you agree and could you instead update dropbear for the next
point release?

Regards,
Salvatore

Message #26 received at 906890@bugs.debian.org (full text, mbox, reply):

From: Guilhem Moulin <guilhem@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 906890@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#906890: dropbear: CVE-2018-15599

Date: Wed, 22 Aug 2018 11:19:37 +0200

[Message part 1 (text/plain, inline)]

On Wed, 22 Aug 2018 at 06:21:27 +0200, Salvatore Bonaccorso wrote:
> Would you agree and could you instead update dropbear for the next
> point release?

Makes sense indeed, I'll do that instead.

Cheers,
-- 
Guilhem.

[signature.asc (application/pgp-signature, inline)]

Message #31 received at 906890@bugs.debian.org (full text, mbox, reply):

From: Guilhem Moulin <guilhem@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 906890@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#906890: dropbear: CVE-2018-15599

Date: Fri, 24 Aug 2018 03:26:12 +0200

[Message part 1 (text/plain, inline)]

On Wed, 22 Aug 2018 at 11:19:37 +0200, Guilhem Moulin wrote:
> On Wed, 22 Aug 2018 at 06:21:27 +0200, Salvatore Bonaccorso wrote:
>> Would you agree and could you instead update dropbear for the next
>> point release?
> 
> Makes sense indeed, I'll do that instead.

Just for the record, upstream fixed that in changeset 1616:5d2d1021ca00
https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 , and the request
to add it to stretch-pu is filed as #907124.

-- 
Guilhem.

[signature.asc (application/pgp-signature, inline)]

Message #36 received at 906890-close@bugs.debian.org (full text, mbox, reply):

From: Guilhem Moulin <guilhem@debian.org>

To: 906890-close@bugs.debian.org

Subject: Bug#906890: fixed in dropbear 2018.76-4

Date: Fri, 24 Aug 2018 13:19:20 +0000

Source: dropbear
Source-Version: 2018.76-4

We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906890@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated dropbear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Aug 2018 14:36:51 +0200
Source: dropbear
Binary: dropbear-bin dropbear-run dropbear-initramfs dropbear
Architecture: source amd64 all
Version: 2018.76-4
Distribution: unstable
Urgency: medium
Maintainer: Guilhem Moulin <guilhem@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 dropbear   - transitional dummy package for dropbear-{run,initramfs}
 dropbear-bin - lightweight SSH2 server and client - command line tools
 dropbear-initramfs - lightweight SSH2 server and client - initramfs integration
 dropbear-run - lightweight SSH2 server and client - startup scripts
Closes: 906890
Changes:
 dropbear (2018.76-4) unstable; urgency=medium
 .
   * Backport security fix for CVE-2018-15599: The recv_msg_userauth_request
     function in svr-auth.c in Dropbear through 2018.76 is prone to a user
     enumeration vulnerability because username validity affects how fields in
     SSH_MSG_USERAUTH messages are handled.  (Closes: #906890.)
     Cherry-picked from https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 .
   * debian/control: Bump Standards-Version to 4.2.0 (no changes necessary).
Checksums-Sha1:
 25ef362d883f356c5f968b8c9366b7854ab9e5ea 2397 dropbear_2018.76-4.dsc
 e8c6ef46e21f7b162c55042cf46f825fccf4eaae 25240 dropbear_2018.76-4.debian.tar.xz
 b78357ad6315fe9a767b36bf426d9036f08ae815 1080904 dropbear-bin-dbgsym_2018.76-4_amd64.deb
 ba42d0b837a371e3f2985a6a9bc0e37103c1656c 131124 dropbear-bin_2018.76-4_amd64.deb
 ba18a86cc2c0d422d2ad987e71d52250741b1197 40456 dropbear-initramfs_2018.76-4_all.deb
 4f0d327c9e1d825db39e32695bc7086e2d285015 37568 dropbear-run_2018.76-4_all.deb
 a772057ea4f47d4dccb08a7c23a21b3caa0f9026 35316 dropbear_2018.76-4_all.deb
 8d1218b5d73ebf68352ae7210cfc82a6b0344fab 6858 dropbear_2018.76-4_amd64.buildinfo
Checksums-Sha256:
 82bbb3a2af6fac80f93e8cfb53b379293fba434b69294677de0554e42be75ded 2397 dropbear_2018.76-4.dsc
 87d2aca6976546d64c8ac5dda4f1de88289526643678f9957fadd96bf846c800 25240 dropbear_2018.76-4.debian.tar.xz
 4f18e7a6dfab43802a951b5f53b188b67e0590af3f0208a8ebc6bdaddfa0e2e4 1080904 dropbear-bin-dbgsym_2018.76-4_amd64.deb
 24daa5adab17a34b8b033e1f097336f7ad72cc9d75f3586f03b1f6ef69baa98a 131124 dropbear-bin_2018.76-4_amd64.deb
 fe3036e8b36b56588c71b34613a374fe6787685abacd41ac33f96d5c162f449c 40456 dropbear-initramfs_2018.76-4_all.deb
 ea8ef23dd0c4201c5fb9939554ab72a68a9dad180376febe02bf2142b087f3b3 37568 dropbear-run_2018.76-4_all.deb
 9ab195012ba8e41a39c38e936eff522ecbc91c5856047a57ea893b41b656845e 35316 dropbear_2018.76-4_all.deb
 f17c8949b54b8b219eac220dce39590ff591cd51f029f33eb0eac7462c9583ed 6858 dropbear_2018.76-4_amd64.buildinfo
Files:
 9b7b8976954d30bf9a5d9a8ef7119a18 2397 net optional dropbear_2018.76-4.dsc
 e508bccede1ba78ed92397c3ec5cbdcb 25240 net optional dropbear_2018.76-4.debian.tar.xz
 cabc16e39d352477d5dda984535916a5 1080904 debug optional dropbear-bin-dbgsym_2018.76-4_amd64.deb
 921cd49b9256ff3fdae8a3cdb023eb2a 131124 net optional dropbear-bin_2018.76-4_amd64.deb
 86de09b21c2da6a54001fbdec0f76fbe 40456 net optional dropbear-initramfs_2018.76-4_all.deb
 1b93ab389d51068a3576232a648bda15 37568 net optional dropbear-run_2018.76-4_all.deb
 e9d8298376aa0f8cc1b083984ef00190 35316 oldlibs optional dropbear_2018.76-4_all.deb
 6026fe4cf8054e1afb2ed90f3db21315 6858 net optional dropbear_2018.76-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAlt//f0ACgkQ05pJnDwh
pVLsDg/+NUqoxcJkvFZYi+XSCzzyQ9xzzaXaeNMR0dgJMcJK2JO5C8CeeMLzMbLb
R+TIedxtYQO0yRA+gmJBcRrDAxP+X7hnQa+Ewz5kuBXnejCbQ3X4dr3EHgWqZi2Y
zpA6NCY2Rzi8TvcUDAQpLRwuUBm/ytGHs+N3u3fGbcBrTEQNY72XySeZZV8cPZ94
yHIy4NqnsLpo5SggTG1g1c7iaefH9HRJS5Du+evgGQfNA+wBmG/fMnnfpQR/VgQR
7/pki83t3m787JZCkC63C8AT4H0Vx6mtpJafJtUPco2/uWVfs88DyO0lbA/Rec5+
zkgd0ZE1M7grump3AIvAQGctItKVBk6lv6ekXlbofx7sgGaNKuyntg4QRWYy2vkZ
N03k5sR0pynLhznJ2x07/gHgyjE0+GwHy3kFKDFF2bl4aMyQihN2v29w7e4IxU5R
tHwH8jAK9SHqS0XjmbuK8ft9aPSG9ydZJ6GS9CW5UiDpEVBkBagC9GGHdyMvckGx
6lJNlvdpRXEP1TgyBvDhml9lkP74kmb3MbsmD5E4JNYhsMNkr0P3SJRyW0Yw5kJE
dBaEnKmHX3MBtkfbkf26IDa9u0kyCZt6gH/cSUk7Fi15ZpUGojEkcdXbjuc7ty60
2x0OX1wl4WrKunuOuEr6RDeCiKlN36N6lmMu8WbKmR9NZJyZn6c=
=8Jjr
-----END PGP SIGNATURE-----

Message #43 received at 906890@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Guilhem Moulin <guilhem@debian.org>, 906890@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#906890: dropbear: CVE-2018-15599

Date: Sun, 2 Sep 2018 09:29:53 +0200

Hi Guilhem,

On Fri, Aug 24, 2018 at 03:26:12AM +0200, Guilhem Moulin wrote:
> On Wed, 22 Aug 2018 at 11:19:37 +0200, Guilhem Moulin wrote:
> > On Wed, 22 Aug 2018 at 06:21:27 +0200, Salvatore Bonaccorso wrote:
> >> Would you agree and could you instead update dropbear for the next
> >> point release?
> > 
> > Makes sense indeed, I'll do that instead.
> 
> Just for the record, upstream fixed that in changeset 1616:5d2d1021ca00
> https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 , and the request
> to add it to stretch-pu is filed as #907124.

Perfect, thank you!

Regards,
Salvatore

Message #48 received at 906890-close@bugs.debian.org (full text, mbox, reply):

From: Guilhem Moulin <guilhem@debian.org>

To: 906890-close@bugs.debian.org

Subject: Bug#906890: fixed in dropbear 2016.74-5+deb9u1

Date: Sun, 02 Sep 2018 20:47:10 +0000

Source: dropbear
Source-Version: 2016.74-5+deb9u1

We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906890@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated dropbear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Aug 2018 02:08:38 +0200
Source: dropbear
Binary: dropbear-bin dropbear-run dropbear-initramfs dropbear
Architecture: source amd64 all
Version: 2016.74-5+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Guilhem Moulin <guilhem@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 dropbear   - transitional dummy package for dropbear-{run,initramfs}
 dropbear-bin - lightweight SSH2 server and client - command line tools
 dropbear-initramfs - lightweight SSH2 server and client - initramfs integration
 dropbear-run - lightweight SSH2 server and client - startup scripts
Closes: 906890
Changes:
 dropbear (2016.74-5+deb9u1) stretch; urgency=medium
 .
   * Backport security fix for CVE-2018-15599: The recv_msg_userauth_request
     function in svr-auth.c in Dropbear through 2018.76 is prone to a user
     enumeration vulnerability because username validity affects how fields in
     SSH_MSG_USERAUTH messages are handled.  (Closes: #906890.)
     Adapted from https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 .
Checksums-Sha1:
 a7502ff8ada889bfbcf4fc99f44a057fbff96e32 2162 dropbear_2016.74-5+deb9u1.dsc
 a4fecfe804057902b8597c549de3e25629643253 24276 dropbear_2016.74-5+deb9u1.debian.tar.xz
 4e8229e67f1b956e4a3c334428a17e38dad84c05 1251362 dropbear-bin-dbgsym_2016.74-5+deb9u1_amd64.deb
 5c27275a9cc1f9a86d444370e20621652dd6bdb1 183412 dropbear-bin_2016.74-5+deb9u1_amd64.deb
 25b4e759b5878e3220ffc4abb486f5bacee9e987 36788 dropbear-initramfs_2016.74-5+deb9u1_all.deb
 440b0dea687a86c2397991f96c957afee5039ea6 34364 dropbear-run_2016.74-5+deb9u1_all.deb
 3798596fcb364de26f9999fd751b4a9ea1d2e385 32056 dropbear_2016.74-5+deb9u1_all.deb
 0b1f0ab23c76d330380cdddabe1de77d56e5af67 7059 dropbear_2016.74-5+deb9u1_amd64.buildinfo
Checksums-Sha256:
 f34cfc94f0686d4b2df1d440336b0db314a886f630a428944edc4d422492882d 2162 dropbear_2016.74-5+deb9u1.dsc
 157ccb0a7cde208462eab99cf246347127c7eac6d0ea571e27434819c43bba83 24276 dropbear_2016.74-5+deb9u1.debian.tar.xz
 0647253204fd0f0a255a560ddb602794d723259eea77e40dbd564c901c316444 1251362 dropbear-bin-dbgsym_2016.74-5+deb9u1_amd64.deb
 f0e9537024ad1d18752a7f6f7ba8b83080b0c30317a0a15bf712584b9d50b06e 183412 dropbear-bin_2016.74-5+deb9u1_amd64.deb
 5dd8db8d5ae4d1d522317ba10754519cd9247941492ab8f446af9b3f8957b920 36788 dropbear-initramfs_2016.74-5+deb9u1_all.deb
 c5650388ca28777d46682db6c61dd35dc3ddf48dd1469a22db1e0edf2b5dff09 34364 dropbear-run_2016.74-5+deb9u1_all.deb
 243b874a9a9b540d433c64cf3ea8686d085a77db9a5a32dc8cc7f1f3b0d161e4 32056 dropbear_2016.74-5+deb9u1_all.deb
 0bffcc3c9a14455f5570b3d9fa0434398c75528e74069d98abbb39ac21e327bc 7059 dropbear_2016.74-5+deb9u1_amd64.buildinfo
Files:
 5f34210dea3f86f218f6fc7f814ae0f6 2162 net optional dropbear_2016.74-5+deb9u1.dsc
 08aa7943af904ccdb9afa8202c20dbf0 24276 net optional dropbear_2016.74-5+deb9u1.debian.tar.xz
 a40bd9af7b9df69360774faddc191fa7 1251362 debug extra dropbear-bin-dbgsym_2016.74-5+deb9u1_amd64.deb
 058577019f26707fe7115beaad5e526a 183412 net optional dropbear-bin_2016.74-5+deb9u1_amd64.deb
 44acfcf15dfdc232a6feaa2f4f8cdca2 36788 net optional dropbear-initramfs_2016.74-5+deb9u1_all.deb
 9bda9019289ccee1e3bf588446d1f229 34364 net optional dropbear-run_2016.74-5+deb9u1_all.deb
 c24b67cc4d3a2c3185301de2674b63d6 32056 oldlibs extra dropbear_2016.74-5+deb9u1_all.deb
 9b317cdfb8437ec88e9262efcc51af40 7059 net optional dropbear_2016.74-5+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAluFoTMACgkQ05pJnDwh
pVIMmhAAgoZee5eLcUsbinZMfF7LPBTT6nbCTHrIFoIxV0Rl+KxSqsWOXElTa80P
puXu8V685MmHNZdPe5WP/CB26Mp3oUz5hZ0p3nglb0Z/3KOpE89E+aiDbtZBcSXA
QBMznVgmkg+wfg0qrFUk2QDykMaCs2CkBVQMthaaPdRj4fCIyPU5r7SL0BfnwZz9
EvTyf7tMxRm+qjPSYdvhbJ7ox6fVpJDc3+TF/I6kh6YMvcJNZoWbQtD5DeD4v5nh
JMYvRlxmpXbNaiho+rD7RjpAQwhIqFIGnsw7KxMrKtIrjpf9Th7B35V9JbAmgn7Q
XWe3soUisUO5YdMypxpKxRe0pXRaw1LLDJCM1pE3MkpSN6AK1kYs6tQqrd47PRb/
jCuuJMqBGiqk+kursn0dKKgMZoXBw6UN2EiHrgxv9tv2s37CBbw3/QuQX6g9cZSG
KHwB0dXsUvkxF7e89WoO91ZHpKlAJGExo90MgPJgeeqdWFrpbm0Ohj+SIbY8+6CW
SYAEZVjbXhQgI0yen69+6A7NMj6b4Dn8yz0d9gZM043m0HDk6w3hK5Gg6EWIyfAb
wf8X87XeSsAW6mSaszs/HhJoxxJDVYlBqeP38kyQx51UCDifH4jAaLS9Mbmf8FRY
7Z2t4SpZ9Qk+ZmxDF2w+gwPEUlYulDoL+NSdVURro6iYEf5B+oc=
=0qYG
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.