dropbear: fix CVE-2021-36369

(From OE-Core rev: 212dd2ce833aaf7f19111e95fbc22fc8c6d63db4) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2022-11-30 12:45:10 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-07 15:02:45 +0000
commit: 183f2ddcf64584a38044f61c3123ad653d659fe7 (patch)
tree: fa80d270fa2cb384a7f5b717c132bb4091ac10a0
parent: bfec99ed33d00ecb6d4d66e706e16a6a97a6e9eb (diff)
download: poky-183f2ddcf64584a38044f61c3123ad653d659fe7.tar.gz
2 files changed, 148 insertions, 1 deletions
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index 2d6e64cf8d..f3f085b616 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -27,7 +27,9 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
           file://dropbear.socket \
           file://dropbear.default \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
-           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
+           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
+           file://CVE-2021-36369.patch \
+           "
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
               file://0006-dropbear-configuration-file.patch \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
new file mode 100644
index 0000000000..5ff11abdd6
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
+From e9b15a8b1035b62413b2b881315c6bffd02205d4 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+* added option to disable trivial auth methods
+* rename argument to match with other ssh clients
+* fixed trivial auth detection for pubkeys
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ cli-auth.c         | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c   | 2 +-
+ cli-authpubkey.c   | 1 +
+ cli-runopts.c      | 7 +++++++
+ cli-session.c      | 1 +
+ runopts.h          | 1 +
+ session.h          | 1 +
+ 8 files changed, 16 insertions(+), 1 deletion(-)
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
+++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+        if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+ 
+        TRACE(("received msg_userauth_success"))
+       if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
+               dropbear_exit("trivial authentication not allowed");
+       }
+        /* Note: in delayed-zlib mode, setting authdone here 
+         * will enable compression in the transport layer */
+        ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
+++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+        m_free(instruction);
+ 
+        for (i = 0; i < num_prompts; i++) {
+               cli_ses.is_trivial_auth = 0;
+                unsigned int response_len = 0;
+                prompt = buf_getstring(ses.payload, NULL);
+                cleantext(prompt);
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
+++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+ 
+        encrypt_packet();
+        m_burn(password, strlen(password));
+-
+       cli_ses.is_trivial_auth = 0;
+        TRACE(("leave cli_auth_password"))
+ }
+ #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 42c4e3f..fa01807 100644
+--- a/cli-authpubkey.c
+++ b/cli-authpubkey.c
+@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
+                buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+                cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
+                buf_free(sigbuf); /* Nothing confidential in the buffer */
+               cli_ses.is_trivial_auth = 0;
+        }
+ 
+        encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 3654b9a..255b47e 100644
+--- a/cli-runopts.c
+++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+        cli_opts.exit_on_fwd_failure = 0;
+ #endif
+       cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+        cli_opts.localfwds = list_new();
+        opts.listen_fwd_all = 0;
+@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+                        "\tExitOnForwardFailure\n"
+ #endif
+                       "\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+                        "\tUseSyslog\n"
+ #endif
+@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
+                return;
+        }
+ 
+       if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
+               cli_opts.disable_trivial_auth = parse_flag_value(optstr);
+               return;
+       }
+
+        dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 5e5af22..afb54a1 100644
+--- a/cli-session.c
+++ b/cli-session.c
+@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+        /* Auth */
+        cli_ses.lastprivkey = NULL;
+        cli_ses.lastauthtype = 0;
+       cli_ses.is_trivial_auth = 1;
+ 
+        /* For printing "remote host closed" for the user */
+        ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 6a4a94c..01201d2 100644
+--- a/runopts.h
+++ b/runopts.h
+@@ -159,6 +159,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+        int exit_on_fwd_failure;
+ #endif
+       int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+        m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index fb5b8cb..6706592 100644
+--- a/session.h
+++ b/session.h
+@@ -316,6 +316,7 @@ struct clientsession {
+ 
+        int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+                                                 for the last type of auth we tried */
+       int is_trivial_auth;
+        int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+        int auth_interact_failed; /* flag whether interactive auth can still
author	Chee Yang Lee <chee.yang.lee@intel.com>	2022-11-30 12:45:10 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-07 15:02:45 +0000
commit	183f2ddcf64584a38044f61c3123ad653d659fe7 (patch)
tree	fa80d270fa2cb384a7f5b717c132bb4091ac10a0
parent	bfec99ed33d00ecb6d4d66e706e16a6a97a6e9eb (diff)
download	poky-183f2ddcf64584a38044f61c3123ad653d659fe7.tar.gz

diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc index 2d6e64cf8d..f3f085b616 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -27,7 +27,9 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
27	file://dropbear.socket \	27	file://dropbear.socket \
28	file://dropbear.default \	28	file://dropbear.default \
29	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	29	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
30	${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "	30	${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
		31	file://CVE-2021-36369.patch \
		32	"
31		33
32	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \	34	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
33	file://0006-dropbear-configuration-file.patch \	35	file://0006-dropbear-configuration-file.patch \


diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch new file mode 100644 index 0000000000..5ff11abdd6 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
		1	From e9b15a8b1035b62413b2b881315c6bffd02205d4 Mon Sep 17 00:00:00 2001
		2	From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
		3	Date: Thu, 19 Aug 2021 17:37:14 +0200
		4	Subject: [PATCH] added option to disable trivial auth methods (#128)
		5
		6	* added option to disable trivial auth methods
		7
		8	* rename argument to match with other ssh clients
		9
		10	* fixed trivial auth detection for pubkeys
		11
		12	[https://github.com/mkj/dropbear/pull/128]
		13	Upstream-Status: Backport
		14	CVE: CVE-2021-36369
		15	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		16
		17	---
		18	cli-auth.c \| 3 +++
		19	cli-authinteract.c \| 1 +
		20	cli-authpasswd.c \| 2 +-
		21	cli-authpubkey.c \| 1 +
		22	cli-runopts.c \| 7 +++++++
		23	cli-session.c \| 1 +
		24	runopts.h \| 1 +
		25	session.h \| 1 +
		26	8 files changed, 16 insertions(+), 1 deletion(-)
		27
		28	diff --git a/cli-auth.c b/cli-auth.c
		29	index 2e509e5..6f04495 100644
		30	--- a/cli-auth.c
		31	+++ b/cli-auth.c
		32	@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
		33	if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
		34
		35	TRACE(("received msg_userauth_success"))
		36	+ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
		37	+ dropbear_exit("trivial authentication not allowed");
		38	+ }
		39	/* Note: in delayed-zlib mode, setting authdone here
		40	* will enable compression in the transport layer */
		41	ses.authstate.authdone = 1;
		42	diff --git a/cli-authinteract.c b/cli-authinteract.c
		43	index e1cc9a1..f7128ee 100644
		44	--- a/cli-authinteract.c
		45	+++ b/cli-authinteract.c
		46	@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
		47	m_free(instruction);
		48
		49	for (i = 0; i < num_prompts; i++) {
		50	+ cli_ses.is_trivial_auth = 0;
		51	unsigned int response_len = 0;
		52	prompt = buf_getstring(ses.payload, NULL);
		53	cleantext(prompt);
		54	diff --git a/cli-authpasswd.c b/cli-authpasswd.c
		55	index 00fdd8b..a24d43e 100644
		56	--- a/cli-authpasswd.c
		57	+++ b/cli-authpasswd.c
		58	@@ -155,7 +155,7 @@ void cli_auth_password() {
		59
		60	encrypt_packet();
		61	m_burn(password, strlen(password));
		62	-
		63	+ cli_ses.is_trivial_auth = 0;
		64	TRACE(("leave cli_auth_password"))
		65	}
		66	#endif /* DROPBEAR_CLI_PASSWORD_AUTH */
		67	diff --git a/cli-authpubkey.c b/cli-authpubkey.c
		68	index 42c4e3f..fa01807 100644
		69	--- a/cli-authpubkey.c
		70	+++ b/cli-authpubkey.c
		71	@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
		72	buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
		73	cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
		74	buf_free(sigbuf); /* Nothing confidential in the buffer */
		75	+ cli_ses.is_trivial_auth = 0;
		76	}
		77
		78	encrypt_packet();
		79	diff --git a/cli-runopts.c b/cli-runopts.c
		80	index 3654b9a..255b47e 100644
		81	--- a/cli-runopts.c
		82	+++ b/cli-runopts.c
		83	@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
		84	#if DROPBEAR_CLI_ANYTCPFWD
		85	cli_opts.exit_on_fwd_failure = 0;
		86	#endif
		87	+ cli_opts.disable_trivial_auth = 0;
		88	#if DROPBEAR_CLI_LOCALTCPFWD
		89	cli_opts.localfwds = list_new();
		90	opts.listen_fwd_all = 0;
		91	@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
		92	#if DROPBEAR_CLI_ANYTCPFWD
		93	"\tExitOnForwardFailure\n"
		94	#endif
		95	+ "\tDisableTrivialAuth\n"
		96	#ifndef DISABLE_SYSLOG
		97	"\tUseSyslog\n"
		98	#endif
		99	@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
		100	return;
		101	}
		102
		103	+ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
		104	+ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
		105	+ return;
		106	+ }
		107	+
		108	dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
		109	}
		110	diff --git a/cli-session.c b/cli-session.c
		111	index 5e5af22..afb54a1 100644
		112	--- a/cli-session.c
		113	+++ b/cli-session.c
		114	@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
		115	/* Auth */
		116	cli_ses.lastprivkey = NULL;
		117	cli_ses.lastauthtype = 0;
		118	+ cli_ses.is_trivial_auth = 1;
		119
		120	/* For printing "remote host closed" for the user */
		121	ses.remoteclosed = cli_remoteclosed;
		122	diff --git a/runopts.h b/runopts.h
		123	index 6a4a94c..01201d2 100644
		124	--- a/runopts.h
		125	+++ b/runopts.h
		126	@@ -159,6 +159,7 @@ typedef struct cli_runopts {
		127	#if DROPBEAR_CLI_ANYTCPFWD
		128	int exit_on_fwd_failure;
		129	#endif
		130	+ int disable_trivial_auth;
		131	#if DROPBEAR_CLI_REMOTETCPFWD
		132	m_list * remotefwds;
		133	#endif
		134	diff --git a/session.h b/session.h
		135	index fb5b8cb..6706592 100644
		136	--- a/session.h
		137	+++ b/session.h
		138	@@ -316,6 +316,7 @@ struct clientsession {
		139
		140	int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
		141	for the last type of auth we tried */
		142	+ int is_trivial_auth;
		143	int ignore_next_auth_response;
		144	#if DROPBEAR_CLI_INTERACT_AUTH
		145	int auth_interact_failed; /* flag whether interactive auth can still