1 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch b/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch
new file mode 100644
index 0000000000..a582d0ff81
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch
@@ -0,0 +1,102 @@
+From 8fd720c3e319da773b48c0b191f049dbd1e3c7f0 Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 11 Jul 2016 23:09:33 +0800
+Subject: [PATCH] Improve exit message formatting
+CVE: CVE-2016-7406
+Upstream-Status: Backport [backported from:
+https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb]
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+diff -ruN a/cli-main.c b/cli-main.c
+--- a/cli-main.c        2016-03-09 15:54:53.000000000 +0100
+++ b/cli-main.c        2016-10-20 12:49:00.323501119 +0200
+@@ -85,29 +85,30 @@
+ #endif /* DBMULTI stuff */
+ 
+ static void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
+       char exitmsg[150];
+       char fullmsg[300];
+ 
+-       char fmtbuf[300];
+-       char exitmsg[500];
+       /* Note that exit message must be rendered before session cleanup */
+ 
+       /* Render the formatted exit message */
+       vsnprintf(exitmsg, sizeof(exitmsg), format, param);
+
+       /* Add the prefix depending on session/auth state */
+        if (!sessinitdone) {
+-               snprintf(fmtbuf, sizeof(fmtbuf), "Exited: %s",
+-                               format);
+               snprintf(fullmsg, sizeof(fullmsg), "Exited: %s", exitmsg);
+        } else {
+-               snprintf(fmtbuf, sizeof(fmtbuf), 
+               snprintf(fullmsg, sizeof(fullmsg), 
+                                "Connection to %s@%s:%s exited: %s", 
+                                cli_opts.username, cli_opts.remotehost, 
+-                               cli_opts.remoteport, format);
+                               cli_opts.remoteport, exitmsg);
+        }
+ 
+-       /* Arguments to the exit printout may be unsafe to use after session_cleanup() */
+-       vsnprintf(exitmsg, sizeof(exitmsg), fmtbuf, param);
+-
+        /* Do the cleanup first, since then the terminal will be reset */
+        session_cleanup();
+        /* Avoid printing onwards from terminal cruft */
+        fprintf(stderr, "\n");
+ 
+-       dropbear_log(LOG_INFO, "%s", exitmsg);;
+       dropbear_log(LOG_INFO, "%s", fullmsg);
+        exit(exitcode);
+ }
+ 
+diff -ruN a/svr-session.c b/svr-session.c
+--- a/svr-session.c     2016-03-09 15:54:54.000000000 +0100
+++ b/svr-session.c     2016-10-20 13:27:20.629628336 +0200
+@@ -145,30 +145,33 @@
+ /* failure exit - format must be <= 100 chars */
+ void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
+ 
+-       char fmtbuf[300];
+       char exitmsg[150];
+       char fullmsg[300];
+        int i;
+ 
+       /* Render the formatted exit message */
+       vsnprintf(exitmsg, sizeof(exitmsg), format, param);
+
+       /* Add the prefix depending on session/auth state */
+        if (!sessinitdone) {
+                /* before session init */
+-               snprintf(fmtbuf, sizeof(fmtbuf), 
+-                               "Early exit: %s", format);
+                snprintf(fullmsg, sizeof(fullmsg), "Early exit: %s", exitmsg);
+        } else if (ses.authstate.authdone) {
+                /* user has authenticated */
+-               snprintf(fmtbuf, sizeof(fmtbuf),
+               snprintf(fullmsg, sizeof(fullmsg),
+                                "Exit (%s): %s", 
+-                               ses.authstate.pw_name, format);
+                               ses.authstate.pw_name, exitmsg);
+        } else if (ses.authstate.pw_name) {
+                /* we have a potential user */
+-               snprintf(fmtbuf, sizeof(fmtbuf), 
+               snprintf(fullmsg, sizeof(fullmsg),
+                                "Exit before auth (user '%s', %d fails): %s",
+-                               ses.authstate.pw_name, ses.authstate.failcount, format);
+                               ses.authstate.pw_name, ses.authstate.failcount, exitmsg);
+        } else {
+                /* before userauth */
+-               snprintf(fmtbuf, sizeof(fmtbuf), 
+-                               "Exit before auth: %s", format);
+               snprintf(fullmsg, sizeof(fullmsg), "Exit before auth: %s", exitmsg);
+        }
+ 
+-       _dropbear_log(LOG_INFO, fmtbuf, param);
+       dropbear_log(LOG_INFO, "%s", fullmsg);
+ 
+ #ifdef USE_VFORK
+        /* For uclinux only the main server process should cleanup - we don't want

diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch b/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch new file mode 100644 index 0000000000..a582d0ff81 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch
@@ -0,0 +1,102 @@
	1	From 8fd720c3e319da773b48c0b191f049dbd1e3c7f0 Mon Sep 17 00:00:00 2001
	2	From: Matt Johnston <matt@ucc.asn.au>
	3	Date: Mon, 11 Jul 2016 23:09:33 +0800
	4	Subject: [PATCH] Improve exit message formatting
	5
	6	CVE: CVE-2016-7406
	7	Upstream-Status: Backport [backported from:
	8	https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb]
	9
	10	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	11
	12	diff -ruN a/cli-main.c b/cli-main.c
	13	--- a/cli-main.c 2016-03-09 15:54:53.000000000 +0100
	14	+++ b/cli-main.c 2016-10-20 12:49:00.323501119 +0200
	15	@@ -85,29 +85,30 @@
	16	#endif /* DBMULTI stuff */
	17
	18	static void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
	19	+ char exitmsg[150];
	20	+ char fullmsg[300];
	21
	22	- char fmtbuf[300];
	23	- char exitmsg[500];
	24	+ /* Note that exit message must be rendered before session cleanup */
	25
	26	+ /* Render the formatted exit message */
	27	+ vsnprintf(exitmsg, sizeof(exitmsg), format, param);
	28	+
	29	+ /* Add the prefix depending on session/auth state */
	30	if (!sessinitdone) {
	31	- snprintf(fmtbuf, sizeof(fmtbuf), "Exited: %s",
	32	- format);
	33	+ snprintf(fullmsg, sizeof(fullmsg), "Exited: %s", exitmsg);
	34	} else {
	35	- snprintf(fmtbuf, sizeof(fmtbuf),
	36	+ snprintf(fullmsg, sizeof(fullmsg),
	37	"Connection to %s@%s:%s exited: %s",
	38	cli_opts.username, cli_opts.remotehost,
	39	- cli_opts.remoteport, format);
	40	+ cli_opts.remoteport, exitmsg);
	41	}
	42
	43	- /* Arguments to the exit printout may be unsafe to use after session_cleanup() */
	44	- vsnprintf(exitmsg, sizeof(exitmsg), fmtbuf, param);
	45	-
	46	/* Do the cleanup first, since then the terminal will be reset */
	47	session_cleanup();
	48	/* Avoid printing onwards from terminal cruft */
	49	fprintf(stderr, "\n");
	50
	51	- dropbear_log(LOG_INFO, "%s", exitmsg);;
	52	+ dropbear_log(LOG_INFO, "%s", fullmsg);
	53	exit(exitcode);
	54	}
	55
	56	diff -ruN a/svr-session.c b/svr-session.c
	57	--- a/svr-session.c 2016-03-09 15:54:54.000000000 +0100
	58	+++ b/svr-session.c 2016-10-20 13:27:20.629628336 +0200
	59	@@ -145,30 +145,33 @@
	60	/* failure exit - format must be <= 100 chars */
	61	void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
	62
	63	- char fmtbuf[300];
	64	+ char exitmsg[150];
	65	+ char fullmsg[300];
	66	int i;
	67
	68	+ /* Render the formatted exit message */
	69	+ vsnprintf(exitmsg, sizeof(exitmsg), format, param);
	70	+
	71	+ /* Add the prefix depending on session/auth state */
	72	if (!sessinitdone) {
	73	/* before session init */
	74	- snprintf(fmtbuf, sizeof(fmtbuf),
	75	- "Early exit: %s", format);
	76	+ snprintf(fullmsg, sizeof(fullmsg), "Early exit: %s", exitmsg);
	77	} else if (ses.authstate.authdone) {
	78	/* user has authenticated */
	79	- snprintf(fmtbuf, sizeof(fmtbuf),
	80	+ snprintf(fullmsg, sizeof(fullmsg),
	81	"Exit (%s): %s",
	82	- ses.authstate.pw_name, format);
	83	+ ses.authstate.pw_name, exitmsg);
	84	} else if (ses.authstate.pw_name) {
	85	/* we have a potential user */
	86	- snprintf(fmtbuf, sizeof(fmtbuf),
	87	+ snprintf(fullmsg, sizeof(fullmsg),
	88	"Exit before auth (user '%s', %d fails): %s",
	89	- ses.authstate.pw_name, ses.authstate.failcount, format);
	90	+ ses.authstate.pw_name, ses.authstate.failcount, exitmsg);
	91	} else {
	92	/* before userauth */
	93	- snprintf(fmtbuf, sizeof(fmtbuf),
	94	- "Exit before auth: %s", format);
	95	+ snprintf(fullmsg, sizeof(fullmsg), "Exit before auth: %s", exitmsg);
	96	}
	97
	98	- _dropbear_log(LOG_INFO, fmtbuf, param);
	99	+ dropbear_log(LOG_INFO, "%s", fullmsg);
	100
	101	#ifdef USE_VFORK
	102	/* For uclinux only the main server process should cleanup - we don't want