1 files changed, 101 insertions, 0 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2016-7408.patch b/meta/recipes-core/dropbear/dropbear/CVE-2016-7408.patch
new file mode 100644
index 0000000000..38ad8c3481
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7408.patch
@@ -0,0 +1,101 @@
+# HG changeset patch
+# User Matt Johnston <matt@ucc.asn.au>
+# Date 1468248038 -28800
+# Node ID eed9376a4ad68e3ae7f17d154dbf126ee66c54bc
+# Parent  6a14b1f6dc04e70933c49ea335184e68c1deeb94
+improve algorithm list parsing
+CVE: CVE-2016-7408
+Upstream-Status: Backport [backported from:
+https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6]
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+diff -r 6a14b1f6dc04 -r eed9376a4ad6 common-algo.c
+--- a/common-algo.c     Mon Jul 11 21:51:25 2016 +0800
+++ b/common-algo.c     Mon Jul 11 22:40:38 2016 +0800
+@@ -531,21 +531,6 @@
+        return NULL;
+ }
+ 
+-static void
+-try_add_algo(const char *algo_name, algo_type *algos, 
+-               const char *algo_desc, algo_type * new_algos, int *num_ret)
+-{
+-       algo_type *match_algo = check_algo(algo_name, algos);
+-       if (!match_algo)
+-       {
+-               dropbear_log(LOG_WARNING, "This Dropbear program does not support '%s' %s algorithm", algo_name, algo_desc);
+-               return;
+-       }
+-
+-       new_algos[*num_ret] = *match_algo;
+-       (*num_ret)++;
+-}
+-
+ /* Checks a user provided comma-separated algorithm list for available
+  * options. Any that are not acceptable are removed in-place. Returns the
+  * number of valid algorithms. */
+@@ -553,30 +538,43 @@
+ check_user_algos(const char* user_algo_list, algo_type * algos, 
+                const char *algo_desc)
+ {
+-       algo_type new_algos[MAX_PROPOSED_ALGO];
+-       /* this has two passes. first we sweep through the given list of
+-        * algorithms and mark them as usable=2 in the algo_type[] array... */
+-       int num_ret = 0;
+       algo_type new_algos[MAX_PROPOSED_ALGO+1];
+        char *work_list = m_strdup(user_algo_list);
+-       char *last_name = work_list;
+       char *start = work_list;
+        char *c;
+-       for (c = work_list; *c; c++)
+       int n;
+       /* So we can iterate and look for null terminator */
+       memset(new_algos, 0x0, sizeof(new_algos));
+       for (c = work_list, n = 0; ; c++)
+        {
+-               if (*c == ',')
+-               {
+               char oc = *c;
+               if (n >= MAX_PROPOSED_ALGO) {
+                       dropbear_exit("Too many algorithms '%s'", user_algo_list);
+               }
+               if (*c == ',' || *c == '\0') {
+                       algo_type *match_algo = NULL;
+                        *c = '\0';
+-                       try_add_algo(last_name, algos, algo_desc, new_algos, &num_ret);
+                       match_algo = check_algo(start, algos);
+                       if (match_algo) {
+                               if (check_algo(start, new_algos)) {
+                                       TRACE(("Skip repeated algorithm '%s'", start))
+                               } else {
+                                       new_algos[n] = *match_algo;
+                                       n++;
+                               }
+                       } else {
+                               dropbear_log(LOG_WARNING, "This Dropbear program does not support '%s' %s algorithm", start, algo_desc);
+                       }
+                        c++;
+-                       last_name = c;
+                       start = c;
+               }
+               if (oc == '\0') {
+                       break;
+                }
+        }
+-       try_add_algo(last_name, algos, algo_desc, new_algos, &num_ret);
+        m_free(work_list);
+-
+-       new_algos[num_ret].name = NULL;
+-
+-       /* Copy one more as a blank delimiter */
+-       memcpy(algos, new_algos, sizeof(*new_algos) * (num_ret+1));
+-       return num_ret;
+       /* n+1 to include a null terminator */
+       memcpy(algos, new_algos, sizeof(*new_algos) * (n+1));
+       return n;
+ }
+ #endif /* ENABLE_USER_ALGO_LIST */

diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2016-7408.patch b/meta/recipes-core/dropbear/dropbear/CVE-2016-7408.patch new file mode 100644 index 0000000000..38ad8c3481 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7408.patch
@@ -0,0 +1,101 @@
	1
	2	# HG changeset patch
	3	# User Matt Johnston <matt@ucc.asn.au>
	4	# Date 1468248038 -28800
	5	# Node ID eed9376a4ad68e3ae7f17d154dbf126ee66c54bc
	6	# Parent 6a14b1f6dc04e70933c49ea335184e68c1deeb94
	7	improve algorithm list parsing
	8
	9	CVE: CVE-2016-7408
	10	Upstream-Status: Backport [backported from:
	11	https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6]
	12
	13	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	14
	15	diff -r 6a14b1f6dc04 -r eed9376a4ad6 common-algo.c
	16	--- a/common-algo.c Mon Jul 11 21:51:25 2016 +0800
	17	+++ b/common-algo.c Mon Jul 11 22:40:38 2016 +0800
	18	@@ -531,21 +531,6 @@
	19	return NULL;
	20	}
	21
	22	-static void
	23	-try_add_algo(const char algo_name, algo_type algos,
	24	- const char algo_desc, algo_type new_algos, int *num_ret)
	25	-{
	26	- algo_type *match_algo = check_algo(algo_name, algos);
	27	- if (!match_algo)
	28	- {
	29	- dropbear_log(LOG_WARNING, "This Dropbear program does not support '%s' %s algorithm", algo_name, algo_desc);
	30	- return;
	31	- }
	32	-
	33	- new_algos[num_ret] = match_algo;
	34	- (*num_ret)++;
	35	-}
	36	-
	37	/* Checks a user provided comma-separated algorithm list for available
	38	* options. Any that are not acceptable are removed in-place. Returns the
	39	* number of valid algorithms. */
	40	@@ -553,30 +538,43 @@
	41	check_user_algos(const char* user_algo_list, algo_type * algos,
	42	const char *algo_desc)
	43	{
	44	- algo_type new_algos[MAX_PROPOSED_ALGO];
	45	- /* this has two passes. first we sweep through the given list of
	46	- * algorithms and mark them as usable=2 in the algo_type[] array... */
	47	- int num_ret = 0;
	48	+ algo_type new_algos[MAX_PROPOSED_ALGO+1];
	49	char *work_list = m_strdup(user_algo_list);
	50	- char *last_name = work_list;
	51	+ char *start = work_list;
	52	char *c;
	53	- for (c = work_list; *c; c++)
	54	+ int n;
	55	+ /* So we can iterate and look for null terminator */
	56	+ memset(new_algos, 0x0, sizeof(new_algos));
	57	+ for (c = work_list, n = 0; ; c++)
	58	{
	59	- if (*c == ',')
	60	- {
	61	+ char oc = *c;
	62	+ if (n >= MAX_PROPOSED_ALGO) {
	63	+ dropbear_exit("Too many algorithms '%s'", user_algo_list);
	64	+ }
	65	+ if (c == ',' \|\| c == '\0') {
	66	+ algo_type *match_algo = NULL;
	67	*c = '\0';
	68	- try_add_algo(last_name, algos, algo_desc, new_algos, &num_ret);
	69	+ match_algo = check_algo(start, algos);
	70	+ if (match_algo) {
	71	+ if (check_algo(start, new_algos)) {
	72	+ TRACE(("Skip repeated algorithm '%s'", start))
	73	+ } else {
	74	+ new_algos[n] = *match_algo;
	75	+ n++;
	76	+ }
	77	+ } else {
	78	+ dropbear_log(LOG_WARNING, "This Dropbear program does not support '%s' %s algorithm", start, algo_desc);
	79	+ }
	80	c++;
	81	- last_name = c;
	82	+ start = c;
	83	+ }
	84	+ if (oc == '\0') {
	85	+ break;
	86	}
	87	}
	88	- try_add_algo(last_name, algos, algo_desc, new_algos, &num_ret);
	89	m_free(work_list);
	90	-
	91	- new_algos[num_ret].name = NULL;
	92	-
	93	- /* Copy one more as a blank delimiter */
	94	- memcpy(algos, new_algos, sizeof(new_algos) (num_ret+1));
	95	- return num_ret;
	96	+ /* n+1 to include a null terminator */
	97	+ memcpy(algos, new_algos, sizeof(new_algos) (n+1));
	98	+ return n;
	99	}
	100	#endif /* ENABLE_USER_ALGO_LIST */
	101