[OE-core] [kirkstone][patch] dropbear: fix CVE-2021-36369

Lee Chee Yang Tue, 29 Nov 2022 20:45:17 -0800

From: Chee Yang Lee <chee.yang....@intel.com>

Signed-off-by: Chee Yang Lee <chee.yang....@intel.com>
---
 meta/recipes-core/dropbear/dropbear.inc       |   4 +-
 .../dropbear/dropbear/CVE-2021-36369.patch    | 145 ++++++++++++++++++
 2 files changed, 148 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch


diff --git a/meta/recipes-core/dropbear/dropbear.inc 
b/meta/recipes-core/dropbear/dropbear.inc
index 2d6e64cf8d..f3f085b616 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -27,7 +27,9 @@ SRC_URI = 
"http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            file://dropbear.socket \
            file://dropbear.default \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', 
'', d)} \
-           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 
'file://dropbear-disable-weak-ciphers.patch', '', d)} "
+           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 
'file://dropbear-disable-weak-ciphers.patch', '', d)} \
+          file://CVE-2021-36369.patch \
+          "
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
                file://0006-dropbear-configuration-file.patch \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch 
b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
new file mode 100644
index 0000000000..5ff11abdd6
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
+From e9b15a8b1035b62413b2b881315c6bffd02205d4 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kai...@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+
+* added option to disable trivial auth methods
+
+* rename argument to match with other ssh clients
+
+* fixed trivial auth detection for pubkeys
+
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang....@intel.com>
+
+---
+ cli-auth.c         | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c   | 2 +-
+ cli-authpubkey.c   | 1 +
+ cli-runopts.c      | 7 +++++++
+ cli-session.c      | 1 +
+ runopts.h          | 1 +
+ session.h          | 1 +
+ 8 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
++++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+       if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+ 
+       TRACE(("received msg_userauth_success"))
++      if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
++              dropbear_exit("trivial authentication not allowed");
++      }
+       /* Note: in delayed-zlib mode, setting authdone here 
+        * will enable compression in the transport layer */
+       ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
++++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+       m_free(instruction);
+ 
+       for (i = 0; i < num_prompts; i++) {
++              cli_ses.is_trivial_auth = 0;
+               unsigned int response_len = 0;
+               prompt = buf_getstring(ses.payload, NULL);
+               cleantext(prompt);
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
++++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+ 
+       encrypt_packet();
+       m_burn(password, strlen(password));
+-
++      cli_ses.is_trivial_auth = 0;
+       TRACE(("leave cli_auth_password"))
+ }
+ #endif        /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 42c4e3f..fa01807 100644
+--- a/cli-authpubkey.c
++++ b/cli-authpubkey.c
+@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum 
signature_type sigtype,
+               buf_putbytes(sigbuf, ses.writepayload->data, 
ses.writepayload->len);
+               cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
+               buf_free(sigbuf); /* Nothing confidential in the buffer */
++              cli_ses.is_trivial_auth = 0;
+       }
+ 
+       encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 3654b9a..255b47e 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+       cli_opts.exit_on_fwd_failure = 0;
+ #endif
++      cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+       cli_opts.localfwds = list_new();
+       opts.listen_fwd_all = 0;
+@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+                       "\tExitOnForwardFailure\n"
+ #endif
++                      "\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+                       "\tUseSyslog\n"
+ #endif
+@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
+               return;
+       }
+ 
++      if (match_extendedopt(&optstr, "DisableTrivialAuth") == 
DROPBEAR_SUCCESS) {
++              cli_opts.disable_trivial_auth = parse_flag_value(optstr);
++              return;
++      }
++
+       dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", 
origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 5e5af22..afb54a1 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+       /* Auth */
+       cli_ses.lastprivkey = NULL;
+       cli_ses.lastauthtype = 0;
++      cli_ses.is_trivial_auth = 1;
+ 
+       /* For printing "remote host closed" for the user */
+       ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 6a4a94c..01201d2 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -159,6 +159,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+       int exit_on_fwd_failure;
+ #endif
++      int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+       m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index fb5b8cb..6706592 100644
+--- a/session.h
++++ b/session.h
+@@ -316,6 +316,7 @@ struct clientsession {
+ 
+       int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+                                                for the last type of auth we 
tried */
++      int is_trivial_auth;
+       int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+       int auth_interact_failed; /* flag whether interactive auth can still
-- 
2.25.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#173990): 
https://lists.openembedded.org/g/openembedded-core/message/173990
Mute This Topic: https://lists.openembedded.org/mt/95352405/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [kirkstone][patch] dropbear: fix CVE-2021-36369

Reply via email to