Re: CVE request for Dropbear SSH <2016.74

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The first one has different exposure for
> client/server parts so I assume it should have separate
> CVEs?

We don't feel that it's a case of independent mistakes in the client
and server. The type of exposure is not, by itself, relevant to the
number of CVEs.


> - Security: Message printout was vulnerable to format string injection.
>
>   If specific usernames including "%" symbols can be created on a system
>   (validated by getpwnam()) then an attacker could run arbitrary code as root
>   when connecting to Dropbear server.
>
>   A dbclient user who can control username or host arguments could potentially
>   run arbitrary code as the dbclient user. This could be a problem if scripts
>   or webpages pass untrusted input to the dbclient program.
>   https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb

Use CVE-2016-7406 for all of this.


> - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
>   the local dropbearconvert user when parsing malicious key files
>   https://secure.ucc.asn.au/hg/dropbear/rev/34e6127ef02e

Use CVE-2016-7407. (Admittedly, we do not completely understand
whether this is identical to a code problem previously found in
PuTTY.)


> - Security: dbclient could run arbitrary code as the local dbclient user if
>   particular -m or -c arguments are provided. This could be an issue where
>   dbclient is used in scripts.
>   https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6

Use CVE-2016-7408.


> - Security: dbclient or dropbear server could expose process memory to the
>   running user if compiled with DEBUG_TRACE and running with -v
>   https://secure.ucc.asn.au/hg/dropbear/rev/6a14b1f6dc04

Use CVE-2016-7409.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX2i6BAAoJEHb/MwWLVhi2JT0P/RAN6ZPGdz5CQVvwxeZktmlW
0YO1CqcbjygdvN05/9gH0SDi4y+tKd1EEDsUoC9D40QKj1z2gACSbjdaxr3p8QSE
M9ifpotk7+9Qr6mjD+HXDWc+4gQTXH7SzLNiEv3PR/bu3lgc7+jRGU0bQRYSG8Vs
aYwGioFpu6QT57a+fdoaTEffz323eK3EY3CwQLGzKKJX7njeNos9H4nkv63KtU+z
dp5487NPuGxJmuC3XWpD9fwZSy4+vpIOD74zvf9POnwb04jQxHSJanhJ82vmFH/f
//MbplQeZzqz4ahcdLi5Gl6oXoLqn0f1nB4hJF5qHkuSXCN3ZSSM6+vbS4PZFpGP
7kVQFcV1RZmOVPLb+sMPWFARfQs/tkJ/aBtNbo8Pz/22jZaJBvIu3jm/qI60CaMi
CgWjBRYzJc8G3R5CkPJhEsdZmiRvEKgKukA1deQK/rn7pIskRecXomiM0NgdOsE/
Lds+20GxqOUA61we6rT5SDdSG2Cvmcp5cFxx+aZNeSIp3zBjQQ7er1p/41KZHPt/
Ro6ButS2P2/uJO/wyoCTYSpVgevxUT/fjhqBqRv8kviCYQIBt8h/WVrf/7aAPUFT
u7zs4V+/GkIX3tfy4NF+wi1JfLBAFLI5qeOnEgsIabuKODklyfZJ/P2Y8/csNo/8
HvkiTNnp74e393zYdSmH
=1PAi
-----END PGP SIGNATURE-----