author | Lee Chee Yang <chee.yang.lee@intel.com> | 2022-12-08 13:00:37 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-12-23 23:05:44 +0000 |
commit | 9b1d9ad3b48524798fea6986af3a2096ab0220c0 (patch) | |
tree | 2180ec2185f0eaba7a6edd56befa221e57c0a4c7 | |
parent | 0ca03139809ff866688e0d94b0a1fd0c3b537887 (diff) | |
download | poky-9b1d9ad3b48524798fea6986af3a2096ab0220c0.tar.gz |
dropbear: fix CVE-2021-36369
(From OE-Core rev: c0e44595555a81d1a1cd206c2235cbc419d02bd1)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/dropbear/dropbear.inc | 1 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch | 145 |
2 files changed, 146 insertions, 0 deletions
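--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -29,6 +29,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
 file://CVE-2020-36254.patch \
+file://CVE-2021-36369.patch \
 "
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \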
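--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
+From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+
+* added option to disable trivial auth methods
+
+* rename argument to match with other ssh clients
+
+* fixed trivial auth detection for pubkeys
+
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+cli-auth.c | 3 +++
+cli-authinteract.c | 1 +
+cli-authpasswd.c | 2 +-
+cli-authpubkey.c | 1 +
+cli-runopts.c | 7 +++++++
+cli-session.c | 1 +
+runopts.h | 1 +
+session.h | 1 +
+8 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
++++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+
+TRACE(("received msg_userauth_success"))
++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
++ dropbear_exit("trivial authentication not allowed");
++ }
+/* Note: in delayed-zlib mode, setting authdone here
+* will enable compression in the transport layer */
+ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
++++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+m_free(instruction);
+
+for (i = 0; i < num_prompts; i++) {
++ cli_ses.is_trivial_auth = 0;
+unsigned int response_len = 0;
+prompt = buf_getstring(ses.payload, NULL);
+cleantext(prompt);
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
++++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+
+encrypt_packet();
+m_burn(password, strlen(password));
+-
++ cli_ses.is_trivial_auth = 0;
+TRACE(("leave cli_auth_password"))
+}
+#endif /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 7cee164..7da1a04 100644
+--- a/cli-authpubkey.c
++++ b/cli-authpubkey.c
+@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
+buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+cli_buf_put_sign(ses.writepayload, key, type, sigbuf);
+buf_free(sigbuf); /* Nothing confidential in the buffer */
++ cli_ses.is_trivial_auth = 0;
+}
+
+encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 7d1fffe..6bf8b8e 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+#if DROPBEAR_CLI_ANYTCPFWD
+cli_opts.exit_on_fwd_failure = 0;
+#endif
++ cli_opts.disable_trivial_auth = 0;
+#if DROPBEAR_CLI_LOCALTCPFWD
+cli_opts.localfwds = list_new();
+opts.listen_fwd_all = 0;
+@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) {
+#if DROPBEAR_CLI_ANYTCPFWD
+"\tExitOnForwardFailure\n"
+#endif
++ "\tDisableTrivialAuth\n"
+#ifndef DISABLE_SYSLOG
+"\tUseSyslog\n"
+#endif
+@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) {
+return;
+}
+
++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
++ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
++ return;
++ }
++
+dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+}
+diff --git a/cli-session.c b/cli-session.c
+index 56dd4af..73ef0db 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+/* Auth */
+cli_ses.lastprivkey = NULL;
+cli_ses.lastauthtype = 0;
++ cli_ses.is_trivial_auth = 1;
+
+/* For printing "remote host closed" for the user */
+ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 31eae1f..8519626 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -154,6 +154,7 @@ typedef struct cli_runopts {
+#if DROPBEAR_CLI_ANYTCPFWD
+int exit_on_fwd_failure;
+#endif
++ int disable_trivial_auth;
+#if DROPBEAR_CLI_REMOTETCPFWD
+m_list * remotefwds;
+#endif
+diff --git a/session.h b/session.h
+index 0f77055..8676054 100644
+--- a/session.h
++++ b/session.h
+@@ -287,6 +287,7 @@ struct clientsession {
+
+int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+for the last type of auth we tried */
++ int is_trivial_auth;
+int ignore_next_auth_response;
+#if DROPBEAR_CLI_INTERACT_AUTH
+int auth_interact_failed; /* flag whether interactive auth can still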
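Review bot: The two new fields, `int disable_trivial_auth;` in runopts.h and `int is_trivial_auth;` in session.h, are declared without a comment, while the neighbouring `lastauthtype` field documents its values, so a reader of session.h cannot tell from the declaration what "trivial" means or which code clears it. Reading the other hunks, cli_session_init starts the flag at 1 and it is cleared after a password is sent (cli-authpasswd.c), after a signed pubkey request is built (cli-authpubkey.c, inside a block whose opening `if` lies outside the hunk), and once per prompt in cli-authinteract.c, which appears to mean that a keyboard-interactive request carrying zero prompts deliberately leaves it set. Suggest `int is_trivial_auth; /* 1 until an auth method that proves a secret (password, signed pubkey, an answered interactive prompt) has been sent; recv_msg_userauth_success refuses success while it is still 1 and disable_trivial_auth is set */` and, in runopts.h, `int disable_trivial_auth; /* DisableTrivialAuth extended option, 0 by default: refuse userauth success reached without a non-trivial method */`. Since cli_getopts initialises the option to 0, the new check is opt-in; that is worth stating in the patch description above the Upstream-Status line so distro maintainers know the CVE mitigation only takes effect when the option is enabled.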