3 files changed, 184 insertions, 1 deletions
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index 7269888a4e..0f5e9ba4ac 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -1,5 +1,6 @@
 SUMMARY = "A lightweight SSH and SCP implementation"
 HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
+DESCRIPTION = "Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers."
 SECTION = "console/network"
 # some files are from other projects and have others license terms:
@@ -11,6 +12,11 @@ DEPENDS = "zlib virtual/crypt"
 RPROVIDES_${PN} = "ssh sshd"
 RCONFLICTS_${PN} = "openssh-sshd openssh"
+# break dependency on base package for -dev package
+# otherwise SDK fails to build as the main openssh and dropbear packages
+# conflict with each other
+RDEPENDS:${PN}-dev = ""
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
@@ -21,7 +27,10 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
           file://dropbear.socket \
           file://dropbear.default \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
-           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
+           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
+           file://CVE-2020-36254.patch \
+           file://CVE-2021-36369.patch \
+           "
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
               file://0006-dropbear-configuration-file.patch \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch b/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
new file mode 100644
index 0000000000..64d0d96486
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
@@ -0,0 +1,29 @@
+From c96c48d62aefc372f2105293ddf8cff2d116dc3a Mon Sep 17 00:00:00 2001
+From: Haelwenn Monnier <contact+github.com@hacktivis.me>
+Date: Mon, 25 May 2020 14:54:29 +0200
+Subject: [PATCH] scp.c: Port OpenSSH CVE-2018-20685 fix (#80)
+Reference:
+https://github.com/mkj/dropbear/commit/8f8a3dff705fad774a10864a2e3dbcfa9779ceff
+CVE: CVE-2020-36254
+Upstream-Status: Backport
+---
+ scp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/scp.c b/scp.c
+index 742ae00..7b8e7d2 100644
+--- a/scp.c
+++ b/scp.c
+@@ -935,7 +935,8 @@ sink(int argc, char **argv)
+                        size = size * 10 + (*cp++ - '0');
+                if (*cp++ != ' ')
+                        SCREWUP("size not delimited");
+-               if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+               if (*cp == '\0' || strchr(cp, '/') != NULL ||
+                   strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+                        run_err("error: unexpected filename: %s", cp);
+                        exit(1);
+                }
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
new file mode 100644
index 0000000000..5cabe8339d
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
+From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+* added option to disable trivial auth methods
+* rename argument to match with other ssh clients
+* fixed trivial auth detection for pubkeys
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ cli-auth.c         | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c   | 2 +-
+ cli-authpubkey.c   | 1 +
+ cli-runopts.c      | 7 +++++++
+ cli-session.c      | 1 +
+ runopts.h          | 1 +
+ session.h          | 1 +
+ 8 files changed, 16 insertions(+), 1 deletion(-)
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
+++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+        if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+ 
+        TRACE(("received msg_userauth_success"))
+       if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
+               dropbear_exit("trivial authentication not allowed");
+       }
+        /* Note: in delayed-zlib mode, setting authdone here 
+         * will enable compression in the transport layer */
+        ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
+++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+        m_free(instruction);
+ 
+        for (i = 0; i < num_prompts; i++) {
+               cli_ses.is_trivial_auth = 0;
+                unsigned int response_len = 0;
+                prompt = buf_getstring(ses.payload, NULL);
+                cleantext(prompt);
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
+++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+ 
+        encrypt_packet();
+        m_burn(password, strlen(password));
+-
+       cli_ses.is_trivial_auth = 0;
+        TRACE(("leave cli_auth_password"))
+ }
+ #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 7cee164..7da1a04 100644
+--- a/cli-authpubkey.c
+++ b/cli-authpubkey.c
+@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
+                buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+                cli_buf_put_sign(ses.writepayload, key, type, sigbuf);
+                buf_free(sigbuf); /* Nothing confidential in the buffer */
+               cli_ses.is_trivial_auth = 0;
+        }
+ 
+        encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 7d1fffe..6bf8b8e 100644
+--- a/cli-runopts.c
+++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+        cli_opts.exit_on_fwd_failure = 0;
+ #endif
+       cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+        cli_opts.localfwds = list_new();
+        opts.listen_fwd_all = 0;
+@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+                        "\tExitOnForwardFailure\n"
+ #endif
+                       "\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+                        "\tUseSyslog\n"
+ #endif
+@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) {
+                return;
+        }
+ 
+       if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
+               cli_opts.disable_trivial_auth = parse_flag_value(optstr);
+               return;
+       }
+
+        dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 56dd4af..73ef0db 100644
+--- a/cli-session.c
+++ b/cli-session.c
+@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+        /* Auth */
+        cli_ses.lastprivkey = NULL;
+        cli_ses.lastauthtype = 0;
+       cli_ses.is_trivial_auth = 1;
+ 
+        /* For printing "remote host closed" for the user */
+        ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 31eae1f..8519626 100644
+--- a/runopts.h
+++ b/runopts.h
+@@ -154,6 +154,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+        int exit_on_fwd_failure;
+ #endif
+       int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+        m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index 0f77055..8676054 100644
+--- a/session.h
+++ b/session.h
+@@ -287,6 +287,7 @@ struct clientsession {
+ 
+        int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+                                                 for the last type of auth we tried */
+       int is_trivial_auth;
+        int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+        int auth_interact_failed; /* flag whether interactive auth can still

diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc index 7269888a4e..0f5e9ba4ac 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -1,5 +1,6 @@
1	SUMMARY = "A lightweight SSH and SCP implementation"	1	SUMMARY = "A lightweight SSH and SCP implementation"
2	HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"	2	HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
		3	DESCRIPTION = "Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers."
3	SECTION = "console/network"	4	SECTION = "console/network"
4		5
5	# some files are from other projects and have others license terms:	6	# some files are from other projects and have others license terms:
@@ -11,6 +12,11 @@ DEPENDS = "zlib virtual/crypt"
11	RPROVIDES_${PN} = "ssh sshd"	12	RPROVIDES_${PN} = "ssh sshd"
12	RCONFLICTS_${PN} = "openssh-sshd openssh"	13	RCONFLICTS_${PN} = "openssh-sshd openssh"
13		14
		15	# break dependency on base package for -dev package
		16	# otherwise SDK fails to build as the main openssh and dropbear packages
		17	# conflict with each other
		18	RDEPENDS:${PN}-dev = ""
		19
14	DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"	20	DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
15		21
16	SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \	22	SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
@@ -21,7 +27,10 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
21	file://dropbear.socket \	27	file://dropbear.socket \
22	file://dropbear.default \	28	file://dropbear.default \
23	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	29	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
24	${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "	30	${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
		31	file://CVE-2020-36254.patch \
		32	file://CVE-2021-36369.patch \
		33	"
25		34
26	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \	35	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
27	file://0006-dropbear-configuration-file.patch \	36	file://0006-dropbear-configuration-file.patch \


diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch b/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch new file mode 100644 index 0000000000..64d0d96486 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
@@ -0,0 +1,29 @@
		1	From c96c48d62aefc372f2105293ddf8cff2d116dc3a Mon Sep 17 00:00:00 2001
		2	From: Haelwenn Monnier <contact+github.com@hacktivis.me>
		3	Date: Mon, 25 May 2020 14:54:29 +0200
		4	Subject: [PATCH] scp.c: Port OpenSSH CVE-2018-20685 fix (#80)
		5
		6	Reference:
		7	https://github.com/mkj/dropbear/commit/8f8a3dff705fad774a10864a2e3dbcfa9779ceff
		8
		9	CVE: CVE-2020-36254
		10	Upstream-Status: Backport
		11
		12	---
		13	scp.c \| 3 ++-
		14	1 file changed, 2 insertions(+), 1 deletion(-)
		15
		16	diff --git a/scp.c b/scp.c
		17	index 742ae00..7b8e7d2 100644
		18	--- a/scp.c
		19	+++ b/scp.c
		20	@@ -935,7 +935,8 @@ sink(int argc, char **argv)
		21	size = size * 10 + (*cp++ - '0');
		22	if (*cp++ != ' ')
		23	SCREWUP("size not delimited");
		24	- if ((strchr(cp, '/') != NULL) \|\| (strcmp(cp, "..") == 0)) {
		25	+ if (*cp == '\0' \|\| strchr(cp, '/') != NULL \|\|
		26	+ strcmp(cp, ".") == 0 \|\| strcmp(cp, "..") == 0) {
		27	run_err("error: unexpected filename: %s", cp);
		28	exit(1);
		29	}


diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch new file mode 100644 index 0000000000..5cabe8339d --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
		1	From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001
		2	From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
		3	Date: Thu, 19 Aug 2021 17:37:14 +0200
		4	Subject: [PATCH] added option to disable trivial auth methods (#128)
		5
		6	* added option to disable trivial auth methods
		7
		8	* rename argument to match with other ssh clients
		9
		10	* fixed trivial auth detection for pubkeys
		11
		12	[https://github.com/mkj/dropbear/pull/128]
		13	Upstream-Status: Backport
		14	CVE: CVE-2021-36369
		15	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		16
		17	---
		18	cli-auth.c \| 3 +++
		19	cli-authinteract.c \| 1 +
		20	cli-authpasswd.c \| 2 +-
		21	cli-authpubkey.c \| 1 +
		22	cli-runopts.c \| 7 +++++++
		23	cli-session.c \| 1 +
		24	runopts.h \| 1 +
		25	session.h \| 1 +
		26	8 files changed, 16 insertions(+), 1 deletion(-)
		27
		28	diff --git a/cli-auth.c b/cli-auth.c
		29	index 2e509e5..6f04495 100644
		30	--- a/cli-auth.c
		31	+++ b/cli-auth.c
		32	@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
		33	if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
		34
		35	TRACE(("received msg_userauth_success"))
		36	+ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
		37	+ dropbear_exit("trivial authentication not allowed");
		38	+ }
		39	/* Note: in delayed-zlib mode, setting authdone here
		40	* will enable compression in the transport layer */
		41	ses.authstate.authdone = 1;
		42	diff --git a/cli-authinteract.c b/cli-authinteract.c
		43	index e1cc9a1..f7128ee 100644
		44	--- a/cli-authinteract.c
		45	+++ b/cli-authinteract.c
		46	@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
		47	m_free(instruction);
		48
		49	for (i = 0; i < num_prompts; i++) {
		50	+ cli_ses.is_trivial_auth = 0;
		51	unsigned int response_len = 0;
		52	prompt = buf_getstring(ses.payload, NULL);
		53	cleantext(prompt);
		54	diff --git a/cli-authpasswd.c b/cli-authpasswd.c
		55	index 00fdd8b..a24d43e 100644
		56	--- a/cli-authpasswd.c
		57	+++ b/cli-authpasswd.c
		58	@@ -155,7 +155,7 @@ void cli_auth_password() {
		59
		60	encrypt_packet();
		61	m_burn(password, strlen(password));
		62	-
		63	+ cli_ses.is_trivial_auth = 0;
		64	TRACE(("leave cli_auth_password"))
		65	}
		66	#endif /* DROPBEAR_CLI_PASSWORD_AUTH */
		67	diff --git a/cli-authpubkey.c b/cli-authpubkey.c
		68	index 7cee164..7da1a04 100644
		69	--- a/cli-authpubkey.c
		70	+++ b/cli-authpubkey.c
		71	@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
		72	buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
		73	cli_buf_put_sign(ses.writepayload, key, type, sigbuf);
		74	buf_free(sigbuf); /* Nothing confidential in the buffer */
		75	+ cli_ses.is_trivial_auth = 0;
		76	}
		77
		78	encrypt_packet();
		79	diff --git a/cli-runopts.c b/cli-runopts.c
		80	index 7d1fffe..6bf8b8e 100644
		81	--- a/cli-runopts.c
		82	+++ b/cli-runopts.c
		83	@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
		84	#if DROPBEAR_CLI_ANYTCPFWD
		85	cli_opts.exit_on_fwd_failure = 0;
		86	#endif
		87	+ cli_opts.disable_trivial_auth = 0;
		88	#if DROPBEAR_CLI_LOCALTCPFWD
		89	cli_opts.localfwds = list_new();
		90	opts.listen_fwd_all = 0;
		91	@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) {
		92	#if DROPBEAR_CLI_ANYTCPFWD
		93	"\tExitOnForwardFailure\n"
		94	#endif
		95	+ "\tDisableTrivialAuth\n"
		96	#ifndef DISABLE_SYSLOG
		97	"\tUseSyslog\n"
		98	#endif
		99	@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) {
		100	return;
		101	}
		102
		103	+ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
		104	+ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
		105	+ return;
		106	+ }
		107	+
		108	dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
		109	}
		110	diff --git a/cli-session.c b/cli-session.c
		111	index 56dd4af..73ef0db 100644
		112	--- a/cli-session.c
		113	+++ b/cli-session.c
		114	@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
		115	/* Auth */
		116	cli_ses.lastprivkey = NULL;
		117	cli_ses.lastauthtype = 0;
		118	+ cli_ses.is_trivial_auth = 1;
		119
		120	/* For printing "remote host closed" for the user */
		121	ses.remoteclosed = cli_remoteclosed;
		122	diff --git a/runopts.h b/runopts.h
		123	index 31eae1f..8519626 100644
		124	--- a/runopts.h
		125	+++ b/runopts.h
		126	@@ -154,6 +154,7 @@ typedef struct cli_runopts {
		127	#if DROPBEAR_CLI_ANYTCPFWD
		128	int exit_on_fwd_failure;
		129	#endif
		130	+ int disable_trivial_auth;
		131	#if DROPBEAR_CLI_REMOTETCPFWD
		132	m_list * remotefwds;
		133	#endif
		134	diff --git a/session.h b/session.h
		135	index 0f77055..8676054 100644
		136	--- a/session.h
		137	+++ b/session.h
		138	@@ -287,6 +287,7 @@ struct clientsession {
		139
		140	int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
		141	for the last type of auth we tried */
		142	+ int is_trivial_auth;
		143	int ignore_next_auth_response;
		144	#if DROPBEAR_CLI_INTERACT_AUTH
		145	int auth_interact_failed; /* flag whether interactive auth can still