[OE-core] CVE-2016-3116: dropbear: X11 forwarding input not validated properly

akuster808 akuster808 at gmail.com
Wed Sep 14 20:19:50 UTC 2016


On 9/14/16 2:43 AM, Richard Purdie wrote:
> On Wed, 2016-09-14 at 12:06 +0300, Alexander Kanavin wrote:
>> On 09/14/2016 11:49 AM, Sona Sarmadi wrote:
>>> https://matt.ucc.asn.au/dropbear/CHANGES
>>> .....
>>> 2016.72 - 9 March 2016    <<<<<<< dropbear version this CVE has
>>> been fixed
>>> - Validate X11 forwarding input. Could allow bypass of
>>> authorized_keys command= restrictions,
>>>   found by github.com/tintinweb. Thanks for Damien Miller for a
>>> patch. CVE-2016-3116
>>>
>>> 2015.71 - 3 December 2015  <<<< dropbear version in krogoth
>> It's *probably* this one. The commit messages in the dropbear repository
>> are *amazingly* vague and unprofessional.
>>
>> https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
>>
>> That said, I vote for updating to the version that comes with the fix.
>> Backporting fixes should not be the default in the stable yocto
>> releases; we should trust the upstream more.
> Taking that argument to the extreme, we should update all versions in
> the "stable" release to the latest to ensure we get all the fixes. At
> that point, it becomes no different to master and it's not the
> definition of "stable" which most people want to use.
>
> So whilst I do take the point and in some cases it does make sense, it
> doesn't really make sense to have that as the default policy.

I agree. Updating packages in a stable release should not be the default
but the exception. It should be a case-by-case determination.
> In this case, it's a question of what else changed in dropbear between
> these versions. Were there a ton of new features or was it just
> bugfixes? How much risk of other problems is there?
If I am not mistaken, this is similar wording to that in the "Stable branch
Maintaining" page on the wiki.

- Armin
>
> Cheers,
>
> Richard
