1 files changed, 145 insertions, 0 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
new file mode 100644
index 0000000000..5cabe8339d
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
+From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+* added option to disable trivial auth methods
+* rename argument to match with other ssh clients
+* fixed trivial auth detection for pubkeys
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ cli-auth.c         | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c   | 2 +-
+ cli-authpubkey.c   | 1 +
+ cli-runopts.c      | 7 +++++++
+ cli-session.c      | 1 +
+ runopts.h          | 1 +
+ session.h          | 1 +
+ 8 files changed, 16 insertions(+), 1 deletion(-)
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
+++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+        if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+ 
+        TRACE(("received msg_userauth_success"))
+       if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
+               dropbear_exit("trivial authentication not allowed");
+       }
+        /* Note: in delayed-zlib mode, setting authdone here 
+         * will enable compression in the transport layer */
+        ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
+++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+        m_free(instruction);
+ 
+        for (i = 0; i < num_prompts; i++) {
+               cli_ses.is_trivial_auth = 0;
+                unsigned int response_len = 0;
+                prompt = buf_getstring(ses.payload, NULL);
+                cleantext(prompt);
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
+++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+ 
+        encrypt_packet();
+        m_burn(password, strlen(password));
+-
+       cli_ses.is_trivial_auth = 0;
+        TRACE(("leave cli_auth_password"))
+ }
+ #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 7cee164..7da1a04 100644
+--- a/cli-authpubkey.c
+++ b/cli-authpubkey.c
+@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
+                buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+                cli_buf_put_sign(ses.writepayload, key, type, sigbuf);
+                buf_free(sigbuf); /* Nothing confidential in the buffer */
+               cli_ses.is_trivial_auth = 0;
+        }
+ 
+        encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 7d1fffe..6bf8b8e 100644
+--- a/cli-runopts.c
+++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+        cli_opts.exit_on_fwd_failure = 0;
+ #endif
+       cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+        cli_opts.localfwds = list_new();
+        opts.listen_fwd_all = 0;
+@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+                        "\tExitOnForwardFailure\n"
+ #endif
+                       "\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+                        "\tUseSyslog\n"
+ #endif
+@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) {
+                return;
+        }
+ 
+       if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
+               cli_opts.disable_trivial_auth = parse_flag_value(optstr);
+               return;
+       }
+
+        dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 56dd4af..73ef0db 100644
+--- a/cli-session.c
+++ b/cli-session.c
+@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+        /* Auth */
+        cli_ses.lastprivkey = NULL;
+        cli_ses.lastauthtype = 0;
+       cli_ses.is_trivial_auth = 1;
+ 
+        /* For printing "remote host closed" for the user */
+        ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 31eae1f..8519626 100644
+--- a/runopts.h
+++ b/runopts.h
+@@ -154,6 +154,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+        int exit_on_fwd_failure;
+ #endif
+       int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+        m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index 0f77055..8676054 100644
+--- a/session.h
+++ b/session.h
+@@ -287,6 +287,7 @@ struct clientsession {
+ 
+        int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+                                                 for the last type of auth we tried */
+       int is_trivial_auth;
+        int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+        int auth_interact_failed; /* flag whether interactive auth can still

diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch new file mode 100644 index 0000000000..5cabe8339d --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
	1	From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001
	2	From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
	3	Date: Thu, 19 Aug 2021 17:37:14 +0200
	4	Subject: [PATCH] added option to disable trivial auth methods (#128)
	5
	6	* added option to disable trivial auth methods
	7
	8	* rename argument to match with other ssh clients
	9
	10	* fixed trivial auth detection for pubkeys
	11
	12	[https://github.com/mkj/dropbear/pull/128]
	13	Upstream-Status: Backport
	14	CVE: CVE-2021-36369
	15	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	16
	17	---
	18	cli-auth.c \| 3 +++
	19	cli-authinteract.c \| 1 +
	20	cli-authpasswd.c \| 2 +-
	21	cli-authpubkey.c \| 1 +
	22	cli-runopts.c \| 7 +++++++
	23	cli-session.c \| 1 +
	24	runopts.h \| 1 +
	25	session.h \| 1 +
	26	8 files changed, 16 insertions(+), 1 deletion(-)
	27
	28	diff --git a/cli-auth.c b/cli-auth.c
	29	index 2e509e5..6f04495 100644
	30	--- a/cli-auth.c
	31	+++ b/cli-auth.c
	32	@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
	33	if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
	34
	35	TRACE(("received msg_userauth_success"))
	36	+ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
	37	+ dropbear_exit("trivial authentication not allowed");
	38	+ }
	39	/* Note: in delayed-zlib mode, setting authdone here
	40	* will enable compression in the transport layer */
	41	ses.authstate.authdone = 1;
	42	diff --git a/cli-authinteract.c b/cli-authinteract.c
	43	index e1cc9a1..f7128ee 100644
	44	--- a/cli-authinteract.c
	45	+++ b/cli-authinteract.c
	46	@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
	47	m_free(instruction);
	48
	49	for (i = 0; i < num_prompts; i++) {
	50	+ cli_ses.is_trivial_auth = 0;
	51	unsigned int response_len = 0;
	52	prompt = buf_getstring(ses.payload, NULL);
	53	cleantext(prompt);
	54	diff --git a/cli-authpasswd.c b/cli-authpasswd.c
	55	index 00fdd8b..a24d43e 100644
	56	--- a/cli-authpasswd.c
	57	+++ b/cli-authpasswd.c
	58	@@ -155,7 +155,7 @@ void cli_auth_password() {
	59
	60	encrypt_packet();
	61	m_burn(password, strlen(password));
	62	-
	63	+ cli_ses.is_trivial_auth = 0;
	64	TRACE(("leave cli_auth_password"))
	65	}
	66	#endif /* DROPBEAR_CLI_PASSWORD_AUTH */
	67	diff --git a/cli-authpubkey.c b/cli-authpubkey.c
	68	index 7cee164..7da1a04 100644
	69	--- a/cli-authpubkey.c
	70	+++ b/cli-authpubkey.c
	71	@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
	72	buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
	73	cli_buf_put_sign(ses.writepayload, key, type, sigbuf);
	74	buf_free(sigbuf); /* Nothing confidential in the buffer */
	75	+ cli_ses.is_trivial_auth = 0;
	76	}
	77
	78	encrypt_packet();
	79	diff --git a/cli-runopts.c b/cli-runopts.c
	80	index 7d1fffe..6bf8b8e 100644
	81	--- a/cli-runopts.c
	82	+++ b/cli-runopts.c
	83	@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
	84	#if DROPBEAR_CLI_ANYTCPFWD
	85	cli_opts.exit_on_fwd_failure = 0;
	86	#endif
	87	+ cli_opts.disable_trivial_auth = 0;
	88	#if DROPBEAR_CLI_LOCALTCPFWD
	89	cli_opts.localfwds = list_new();
	90	opts.listen_fwd_all = 0;
	91	@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) {
	92	#if DROPBEAR_CLI_ANYTCPFWD
	93	"\tExitOnForwardFailure\n"
	94	#endif
	95	+ "\tDisableTrivialAuth\n"
	96	#ifndef DISABLE_SYSLOG
	97	"\tUseSyslog\n"
	98	#endif
	99	@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) {
	100	return;
	101	}
	102
	103	+ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
	104	+ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
	105	+ return;
	106	+ }
	107	+
	108	dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
	109	}
	110	diff --git a/cli-session.c b/cli-session.c
	111	index 56dd4af..73ef0db 100644
	112	--- a/cli-session.c
	113	+++ b/cli-session.c
	114	@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
	115	/* Auth */
	116	cli_ses.lastprivkey = NULL;
	117	cli_ses.lastauthtype = 0;
	118	+ cli_ses.is_trivial_auth = 1;
	119
	120	/* For printing "remote host closed" for the user */
	121	ses.remoteclosed = cli_remoteclosed;
	122	diff --git a/runopts.h b/runopts.h
	123	index 31eae1f..8519626 100644
	124	--- a/runopts.h
	125	+++ b/runopts.h
	126	@@ -154,6 +154,7 @@ typedef struct cli_runopts {
	127	#if DROPBEAR_CLI_ANYTCPFWD
	128	int exit_on_fwd_failure;
	129	#endif
	130	+ int disable_trivial_auth;
	131	#if DROPBEAR_CLI_REMOTETCPFWD
	132	m_list * remotefwds;
	133	#endif
	134	diff --git a/session.h b/session.h
	135	index 0f77055..8676054 100644
	136	--- a/session.h
	137	+++ b/session.h
	138	@@ -287,6 +287,7 @@ struct clientsession {
	139
	140	int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
	141	for the last type of auth we tried */
	142	+ int is_trivial_auth;
	143	int ignore_next_auth_response;
	144	#if DROPBEAR_CLI_INTERACT_AUTH
	145	int auth_interact_failed; /* flag whether interactive auth can still