dropbear: fix CVE-2023-36328

Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 https://github.com/libtom/libtommath/pull/546 (From OE-Core rev: aa392840d625f5c45832e7ddf60c4dfaba3c4287) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yogita Urade <yogita.urade@windriver.com> 2023-09-08 14:01:15 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-09-09 22:14:41 +0100
commit: a09d8afd4850e3878698ad931b9f8513677ccf80 (patch)
tree: 2243ef11605861d684f6e269cb99f3a0e1de67e8
parent: bcc6c86fb744d0e6eb5714dcea83a77e0f71f069 (diff)
download: poky-a09d8afd4850e3878698ad931b9f8513677ccf80.tar.gz
2 files changed, 145 insertions, 0 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
new file mode 100644
index 0000000000..ec50d69816
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
@@ -0,0 +1,144 @@
+From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001
+From: czurnieden <czurnieden@gmx.de>
+Date: Fri, 8 Sep 2023 10:07:32 +0000
+Subject: [PATCH] Fix possible integer overflow
+CVE: CVE-2023-36328
+Upstream-Status: Backport [https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ libtommath/bn_mp_2expt.c                | 4 ++++
+ libtommath/bn_mp_grow.c                 | 4 ++++
+ libtommath/bn_mp_init_size.c            | 5 +++++
+ libtommath/bn_mp_mul_2d.c               | 4 ++++
+ libtommath/bn_s_mp_mul_digs.c           | 4 ++++
+ libtommath/bn_s_mp_mul_digs_fast.c      | 4 ++++
+ libtommath/bn_s_mp_mul_high_digs.c      | 4 ++++
+ libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++
+ 8 files changed, 33 insertions(+)
+diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c
+index 0ae3df1..ca6fbc3 100644
+--- a/libtommath/bn_mp_2expt.c
+++ b/libtommath/bn_mp_2expt.c
+@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
+ {
+    mp_err    err;
+   if (b < 0) {
+      return MP_VAL;
+   }
+
+    /* zero a as per default */
+    mp_zero(a);
+diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c
+index 9e904c5..2b16826 100644
+--- a/libtommath/bn_mp_grow.c
+++ b/libtommath/bn_mp_grow.c
+@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size)
+    int     i;
+    mp_digit *tmp;
+   if (size < 0) {
+      return MP_VAL;
+   }
+
+    /* if the alloc size is smaller alloc more ram */
+    if (a->alloc < size) {
+       /* reallocate the array a->dp
+diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c
+index d622687..5fefa96 100644
+--- a/libtommath/bn_mp_init_size.c
+++ b/libtommath/bn_mp_init_size.c
+@@ -6,6 +6,11 @@
+ /* init an mp_init for a given size */
+ mp_err mp_init_size(mp_int *a, int size)
+ {
+
+   if (size < 0) {
+      return MP_VAL;
+   }
+
+    size = MP_MAX(MP_MIN_PREC, size);
+    /* alloc mem */
+diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c
+index 87354de..2744163 100644
+--- a/libtommath/bn_mp_mul_2d.c
+++ b/libtommath/bn_mp_mul_2d.c
+@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c)
+    mp_digit d;
+    mp_err   err;
+   if (b < 0) {
+      return MP_VAL;
+   }
+
+    /* copy */
+    if (a != c) {
+       if ((err = mp_copy(a, c)) != MP_OKAY) {
+diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c
+index 64509d4..2d2f5b0 100644
+--- a/libtommath/bn_s_mp_mul_digs.c
+++ b/libtommath/bn_s_mp_mul_digs.c
+@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs)
+    mp_word r;
+    mp_digit tmpx, *tmpt, *tmpy;
+   if (digs < 0) {
+      return MP_VAL;
+   }
+
+    /* can we use the fast multiplier? */
+    if ((digs < MP_WARRAY) &&
+        (MP_MIN(a->used, b->used) < MP_MAXFAST)) {
+diff --git a/libtommath/bn_s_mp_mul_digs_fast.c b/libtommath/bn_s_mp_mul_digs_fast.c
+index b2a287b..d6dd3cc 100644
+--- a/libtommath/bn_s_mp_mul_digs_fast.c
+++ b/libtommath/bn_s_mp_mul_digs_fast.c
+@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int digs)
+    mp_digit W[MP_WARRAY];
+    mp_word  _W;
+   if (digs < 0) {
+      return MP_VAL;
+   }
+
+    /* grow the destination as required */
+    if (c->alloc < digs) {
+       if ((err = mp_grow(c, digs)) != MP_OKAY) {
+diff --git a/libtommath/bn_s_mp_mul_high_digs.c b/libtommath/bn_s_mp_mul_high_digs.c
+index 2bb2a50..c9dd355 100644
+--- a/libtommath/bn_s_mp_mul_high_digs.c
+++ b/libtommath/bn_s_mp_mul_high_digs.c
+@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs)
+    mp_word  r;
+    mp_digit tmpx, *tmpt, *tmpy;
+   if (digs < 0) {
+      return MP_VAL;
+   }
+
+    /* can we use the fast multiplier? */
+    if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
+        && ((a->used + b->used + 1) < MP_WARRAY)
+diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c b/libtommath/bn_s_mp_mul_high_digs_fast.c
+index a2c4fb6..afe3e4b 100644
+--- a/libtommath/bn_s_mp_mul_high_digs_fast.c
+++ b/libtommath/bn_s_mp_mul_high_digs_fast.c
+@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int
+    mp_digit W[MP_WARRAY];
+    mp_word  _W;
+   if (digs < 0) {
+      return MP_VAL;
+   }
+
+    /* grow the destination as required */
+    pa = a->used + b->used;
+    if (c->alloc < pa) {
+--
+2.35.5
diff --git a/meta/recipes-core/dropbear/dropbear_2022.83.bb b/meta/recipes-core/dropbear/dropbear_2022.83.bb
index 0c7a8f4caa..12ac732f58 100644
--- a/meta/recipes-core/dropbear/dropbear_2022.83.bb
+++ b/meta/recipes-core/dropbear/dropbear_2022.83.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
           file://dropbear.default \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
+           file://CVE-2023-36328.patch \
           "
 SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b"
author	Yogita Urade <yogita.urade@windriver.com>	2023-09-08 14:01:15 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-09-09 22:14:41 +0100
commit	a09d8afd4850e3878698ad931b9f8513677ccf80 (patch)
tree	2243ef11605861d684f6e269cb99f3a0e1de67e8
parent	bcc6c86fb744d0e6eb5714dcea83a77e0f71f069 (diff)
download	poky-a09d8afd4850e3878698ad931b9f8513677ccf80.tar.gz

diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch new file mode 100644 index 0000000000..ec50d69816 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
@@ -0,0 +1,144 @@
		1	From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001
		2	From: czurnieden <czurnieden@gmx.de>
		3	Date: Fri, 8 Sep 2023 10:07:32 +0000
		4	Subject: [PATCH] Fix possible integer overflow
		5
		6	CVE: CVE-2023-36328
		7
		8	Upstream-Status: Backport [https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9]
		9
		10	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		11	---
		12	libtommath/bn_mp_2expt.c \| 4 ++++
		13	libtommath/bn_mp_grow.c \| 4 ++++
		14	libtommath/bn_mp_init_size.c \| 5 +++++
		15	libtommath/bn_mp_mul_2d.c \| 4 ++++
		16	libtommath/bn_s_mp_mul_digs.c \| 4 ++++
		17	libtommath/bn_s_mp_mul_digs_fast.c \| 4 ++++
		18	libtommath/bn_s_mp_mul_high_digs.c \| 4 ++++
		19	libtommath/bn_s_mp_mul_high_digs_fast.c \| 4 ++++
		20	8 files changed, 33 insertions(+)
		21
		22	diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c
		23	index 0ae3df1..ca6fbc3 100644
		24	--- a/libtommath/bn_mp_2expt.c
		25	+++ b/libtommath/bn_mp_2expt.c
		26	@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
		27	{
		28	mp_err err;
		29
		30	+ if (b < 0) {
		31	+ return MP_VAL;
		32	+ }
		33	+
		34	/* zero a as per default */
		35	mp_zero(a);
		36
		37	diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c
		38	index 9e904c5..2b16826 100644
		39	--- a/libtommath/bn_mp_grow.c
		40	+++ b/libtommath/bn_mp_grow.c
		41	@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size)
		42	int i;
		43	mp_digit *tmp;
		44
		45	+ if (size < 0) {
		46	+ return MP_VAL;
		47	+ }
		48	+
		49	/* if the alloc size is smaller alloc more ram */
		50	if (a->alloc < size) {
		51	/* reallocate the array a->dp
		52	diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c
		53	index d622687..5fefa96 100644
		54	--- a/libtommath/bn_mp_init_size.c
		55	+++ b/libtommath/bn_mp_init_size.c
		56	@@ -6,6 +6,11 @@
		57	/* init an mp_init for a given size */
		58	mp_err mp_init_size(mp_int *a, int size)
		59	{
		60	+
		61	+ if (size < 0) {
		62	+ return MP_VAL;
		63	+ }
		64	+
		65	size = MP_MAX(MP_MIN_PREC, size);
		66
		67	/* alloc mem */
		68	diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c
		69	index 87354de..2744163 100644
		70	--- a/libtommath/bn_mp_mul_2d.c
		71	+++ b/libtommath/bn_mp_mul_2d.c
		72	@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int a, int b, mp_int c)
		73	mp_digit d;
		74	mp_err err;
		75
		76	+ if (b < 0) {
		77	+ return MP_VAL;
		78	+ }
		79	+
		80	/* copy */
		81	if (a != c) {
		82	if ((err = mp_copy(a, c)) != MP_OKAY) {
		83	diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c
		84	index 64509d4..2d2f5b0 100644
		85	--- a/libtommath/bn_s_mp_mul_digs.c
		86	+++ b/libtommath/bn_s_mp_mul_digs.c
		87	@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int a, const mp_int b, mp_int *c, int digs)
		88	mp_word r;
		89	mp_digit tmpx, tmpt, tmpy;
		90
		91	+ if (digs < 0) {
		92	+ return MP_VAL;
		93	+ }
		94	+
		95	/* can we use the fast multiplier? */
		96	if ((digs < MP_WARRAY) &&
		97	(MP_MIN(a->used, b->used) < MP_MAXFAST)) {
		98	diff --git a/libtommath/bn_s_mp_mul_digs_fast.c b/libtommath/bn_s_mp_mul_digs_fast.c
		99	index b2a287b..d6dd3cc 100644
		100	--- a/libtommath/bn_s_mp_mul_digs_fast.c
		101	+++ b/libtommath/bn_s_mp_mul_digs_fast.c
		102	@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int a, const mp_int b, mp_int *c, int digs)
		103	mp_digit W[MP_WARRAY];
		104	mp_word _W;
		105
		106	+ if (digs < 0) {
		107	+ return MP_VAL;
		108	+ }
		109	+
		110	/* grow the destination as required */
		111	if (c->alloc < digs) {
		112	if ((err = mp_grow(c, digs)) != MP_OKAY) {
		113	diff --git a/libtommath/bn_s_mp_mul_high_digs.c b/libtommath/bn_s_mp_mul_high_digs.c
		114	index 2bb2a50..c9dd355 100644
		115	--- a/libtommath/bn_s_mp_mul_high_digs.c
		116	+++ b/libtommath/bn_s_mp_mul_high_digs.c
		117	@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int a, const mp_int b, mp_int *c, int digs)
		118	mp_word r;
		119	mp_digit tmpx, tmpt, tmpy;
		120
		121	+ if (digs < 0) {
		122	+ return MP_VAL;
		123	+ }
		124	+
		125	/* can we use the fast multiplier? */
		126	if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
		127	&& ((a->used + b->used + 1) < MP_WARRAY)
		128	diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c b/libtommath/bn_s_mp_mul_high_digs_fast.c
		129	index a2c4fb6..afe3e4b 100644
		130	--- a/libtommath/bn_s_mp_mul_high_digs_fast.c
		131	+++ b/libtommath/bn_s_mp_mul_high_digs_fast.c
		132	@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int a, const mp_int b, mp_int *c, int
		133	mp_digit W[MP_WARRAY];
		134	mp_word _W;
		135
		136	+ if (digs < 0) {
		137	+ return MP_VAL;
		138	+ }
		139	+
		140	/* grow the destination as required */
		141	pa = a->used + b->used;
		142	if (c->alloc < pa) {
		143	--
		144	2.35.5


diff --git a/meta/recipes-core/dropbear/dropbear_2022.83.bb b/meta/recipes-core/dropbear/dropbear_2022.83.bb index 0c7a8f4caa..12ac732f58 100644 --- a/meta/recipes-core/dropbear/dropbear_2022.83.bb +++ b/meta/recipes-core/dropbear/dropbear_2022.83.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
21	file://dropbear.default \	21	file://dropbear.default \
22	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	22	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
23	${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \	23	${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
		24	file://CVE-2023-36328.patch \
24	"	25	"
25		26
26	SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b"	27	SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b"