* [dunfell][patch] dropbear: fix CVE-2021-36369
From: chee.yang.lee @ 2022-12-06 7:55 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
meta/recipes-core/dropbear/dropbear.inc | 1 +
.../dropbear/dropbear/CVE-2021-36369.patch | 145 ++++++++++++++++++
2 files changed, 146 insertions(+)
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index 026292230c..0f5e9ba4ac 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -29,6 +29,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
file://CVE-2020-36254.patch \
+ file://CVE-2021-36369.patch \
"
PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
new file mode 100644
index 0000000000..5ff11abdd6
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
+From e9b15a8b1035b62413b2b881315c6bffd02205d4 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+
+* added option to disable trivial auth methods
+
+* rename argument to match with other ssh clients
+
+* fixed trivial auth detection for pubkeys
+
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ cli-auth.c | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c | 2 +-
+ cli-authpubkey.c | 1 +
+ cli-runopts.c | 7 +++++++
+ cli-session.c | 1 +
+ runopts.h | 1 +
+ session.h | 1 +
+ 8 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
++++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+ if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+
+ TRACE(("received msg_userauth_success"))
++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
++ dropbear_exit("trivial authentication not allowed");
++ }
+ /* Note: in delayed-zlib mode, setting authdone here
+ * will enable compression in the transport layer */
+ ses.authstate.authdone = 1;
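Review bot: The new `if` in recv_msg_userauth_success has no comment saying what "trivial" means, and the exit text `trivial authentication not allowed` gives the user nothing to act on. From the other hunks, the flag is still set only when the client has not sent a password or a signed pubkey request and has not been shown a keyboard-interactive prompt. A comment on the check would make that explicit, for example `/* server reported success although we never supplied a credential or answered a prompt */`. Placing the exit before `ses.authstate.authdone = 1` is right and should stay that way; the function body continues outside the hunk.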
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
++++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+ m_free(instruction);
+
+ for (i = 0; i < num_prompts; i++) {
++ cli_ses.is_trivial_auth = 0;
+ unsigned int response_len = 0;
+ prompt = buf_getstring(ses.payload, NULL);
+ cleantext(prompt);
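Review bot: `cli_ses.is_trivial_auth = 0;` sits ahead of the declaration `unsigned int response_len = 0;` at the top of the loop body, which is a declaration after a statement and will warn or fail on builds that enforce C89-style declarations. Swapping the two lines avoids this without changing behaviour. Because the assignment is inside the `for`, a request with `num_prompts == 0` leaves the flag set; that looks deliberate but is not stated, so it should stay inside the loop and get a comment such as `/* a request with no prompts stays trivial: the user was never asked anything */`. The flag is cleared when a prompt is received rather than when a response is sent, which is worth confirming as the intended definition. recv_msg_userauth_info_request starts and ends outside the hunk.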
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
++++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+
+ encrypt_packet();
+ m_burn(password, strlen(password));
+-
++ cli_ses.is_trivial_auth = 0;
+ TRACE(("leave cli_auth_password"))
+ }
+ #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 42c4e3f..fa01807 100644
+--- a/cli-authpubkey.c
++++ b/cli-authpubkey.c
+@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
+ buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+ cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
+ buf_free(sigbuf); /* Nothing confidential in the buffer */
++ cli_ses.is_trivial_auth = 0;
+ }
+
+ encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 3654b9a..255b47e 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ cli_opts.exit_on_fwd_failure = 0;
+ #endif
++ cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+ cli_opts.localfwds = list_new();
+ opts.listen_fwd_all = 0;
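Review bot: `cli_opts.disable_trivial_auth = 0;` makes the new check opt-in, so a client built from this recipe behaves exactly as before unless the user enables `DisableTrivialAuth` through `-o` (parsed in the last hunk of this file). The patch header carries `CVE: CVE-2021-36369`, which presumably records the CVE as patched for the recipe even though default behaviour is unchanged, and the submission's commit message has no body to say so. I would state the opt-in nature in the commit message, and decide explicitly whether the distribution wants the default left at 0. cli_getopts continues outside the hunk.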
+@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ "\tExitOnForwardFailure\n"
+ #endif
++ "\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+ "\tUseSyslog\n"
+ #endif
+@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
+ return;
+ }
+
++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
++ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
++ return;
++ }
++
+ dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 5e5af22..afb54a1 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+ /* Auth */
+ cli_ses.lastprivkey = NULL;
+ cli_ses.lastauthtype = 0;
++ cli_ses.is_trivial_auth = 1;
+
+ /* For printing "remote host closed" for the user */
+ ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 6a4a94c..01201d2 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -159,6 +159,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ int exit_on_fwd_failure;
+ #endif
++ int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+ m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index fb5b8cb..6706592 100644
+--- a/session.h
++++ b/session.h
+@@ -316,6 +316,7 @@ struct clientsession {
+
+ int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+ for the last type of auth we tried */
++ int is_trivial_auth;
+ int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+ int auth_interact_failed; /* flag whether interactive auth can still
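Review bot: `int is_trivial_auth;` is added to struct clientsession without a comment, and neither its polarity nor its lifetime is obvious from the name. The other hunks show it initialised to 1 in cli_session_init and cleared in the password, pubkey and keyboard-interactive paths, then read once in recv_msg_userauth_success. Suggest `int is_trivial_auth; /* 1 until the client has sent a password or signature, or received an interactive prompt */`. The struct continues outside the hunk.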
--
2.25.1
* Re: [OE-core] [dunfell][patch] dropbear: fix CVE-2021-36369
From: Steve Sakoman @ 2022-12-07 19:15 UTC (permalink / raw)
To: Lee Chee Yang; +Cc: openembedded-core
I'm getting patch fuzz warnings. Could you refresh the patch and submit a v2?
stdio: WARNING: dropbear-2019.78-r0 do_patch: Fuzz detected:
stdio: WARNING: dropbear-2019.78-r0 do_patch: QA Issue: Patch log
indicates that patches do not apply cleanly. [patch-fuzz]
Thanks!
Steve
On Mon, Dec 5, 2022 at 9:55 PM Lee Chee Yang <chee.yang.lee@intel.com> wrote:
>
> From: Lee Chee Yang <chee.yang.lee@intel.com>
>
> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> ---
> meta/recipes-core/dropbear/dropbear.inc | 1 +
> .../dropbear/dropbear/CVE-2021-36369.patch | 145 ++++++++++++++++++
> 2 files changed, 146 insertions(+)
> create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
>
> diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
> index 026292230c..0f5e9ba4ac 100644
> --- a/meta/recipes-core/dropbear/dropbear.inc
> +++ b/meta/recipes-core/dropbear/dropbear.inc
> @@ -29,6 +29,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
> ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
> ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
> file://CVE-2020-36254.patch \
> + file://CVE-2021-36369.patch \
> "
>
> PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
> diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
> new file mode 100644
> index 0000000000..5ff11abdd6
> --- /dev/null
> +++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
> @@ -0,0 +1,145 @@
> +From e9b15a8b1035b62413b2b881315c6bffd02205d4 Mon Sep 17 00:00:00 2001
> +From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
> +Date: Thu, 19 Aug 2021 17:37:14 +0200
> +Subject: [PATCH] added option to disable trivial auth methods (#128)
> +
> +* added option to disable trivial auth methods
> +
> +* rename argument to match with other ssh clients
> +
> +* fixed trivial auth detection for pubkeys
> +
> +[https://github.com/mkj/dropbear/pull/128]
> +Upstream-Status: Backport
> +CVE: CVE-2021-36369
> +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> +
> +---
> + cli-auth.c | 3 +++
> + cli-authinteract.c | 1 +
> + cli-authpasswd.c | 2 +-
> + cli-authpubkey.c | 1 +
> + cli-runopts.c | 7 +++++++
> + cli-session.c | 1 +
> + runopts.h | 1 +
> + session.h | 1 +
> + 8 files changed, 16 insertions(+), 1 deletion(-)
> +
> +diff --git a/cli-auth.c b/cli-auth.c
> +index 2e509e5..6f04495 100644
> +--- a/cli-auth.c
> ++++ b/cli-auth.c
> +@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
> + if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
> +
> + TRACE(("received msg_userauth_success"))
> ++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
> ++ dropbear_exit("trivial authentication not allowed");
> ++ }
> + /* Note: in delayed-zlib mode, setting authdone here
> + * will enable compression in the transport layer */
> + ses.authstate.authdone = 1;
> +diff --git a/cli-authinteract.c b/cli-authinteract.c
> +index e1cc9a1..f7128ee 100644
> +--- a/cli-authinteract.c
> ++++ b/cli-authinteract.c
> +@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
> + m_free(instruction);
> +
> + for (i = 0; i < num_prompts; i++) {
> ++ cli_ses.is_trivial_auth = 0;
> + unsigned int response_len = 0;
> + prompt = buf_getstring(ses.payload, NULL);
> + cleantext(prompt);
> +diff --git a/cli-authpasswd.c b/cli-authpasswd.c
> +index 00fdd8b..a24d43e 100644
> +--- a/cli-authpasswd.c
> ++++ b/cli-authpasswd.c
> +@@ -155,7 +155,7 @@ void cli_auth_password() {
> +
> + encrypt_packet();
> + m_burn(password, strlen(password));
> +-
> ++ cli_ses.is_trivial_auth = 0;
> + TRACE(("leave cli_auth_password"))
> + }
> + #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
> +diff --git a/cli-authpubkey.c b/cli-authpubkey.c
> +index 42c4e3f..fa01807 100644
> +--- a/cli-authpubkey.c
> ++++ b/cli-authpubkey.c
> +@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype,
> + buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
> + cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf);
> + buf_free(sigbuf); /* Nothing confidential in the buffer */
> ++ cli_ses.is_trivial_auth = 0;
> + }
> +
> + encrypt_packet();
> +diff --git a/cli-runopts.c b/cli-runopts.c
> +index 3654b9a..255b47e 100644
> +--- a/cli-runopts.c
> ++++ b/cli-runopts.c
> +@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
> + #if DROPBEAR_CLI_ANYTCPFWD
> + cli_opts.exit_on_fwd_failure = 0;
> + #endif
> ++ cli_opts.disable_trivial_auth = 0;
> + #if DROPBEAR_CLI_LOCALTCPFWD
> + cli_opts.localfwds = list_new();
> + opts.listen_fwd_all = 0;
> +@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) {
> + #if DROPBEAR_CLI_ANYTCPFWD
> + "\tExitOnForwardFailure\n"
> + #endif
> ++ "\tDisableTrivialAuth\n"
> + #ifndef DISABLE_SYSLOG
> + "\tUseSyslog\n"
> + #endif
> +@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) {
> + return;
> + }
> +
> ++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
> ++ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
> ++ return;
> ++ }
> ++
> + dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
> + }
> +diff --git a/cli-session.c b/cli-session.c
> +index 5e5af22..afb54a1 100644
> +--- a/cli-session.c
> ++++ b/cli-session.c
> +@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
> + /* Auth */
> + cli_ses.lastprivkey = NULL;
> + cli_ses.lastauthtype = 0;
> ++ cli_ses.is_trivial_auth = 1;
> +
> + /* For printing "remote host closed" for the user */
> + ses.remoteclosed = cli_remoteclosed;
> +diff --git a/runopts.h b/runopts.h
> +index 6a4a94c..01201d2 100644
> +--- a/runopts.h
> ++++ b/runopts.h
> +@@ -159,6 +159,7 @@ typedef struct cli_runopts {
> + #if DROPBEAR_CLI_ANYTCPFWD
> + int exit_on_fwd_failure;
> + #endif
> ++ int disable_trivial_auth;
> + #if DROPBEAR_CLI_REMOTETCPFWD
> + m_list * remotefwds;
> + #endif
> +diff --git a/session.h b/session.h
> +index fb5b8cb..6706592 100644
> +--- a/session.h
> ++++ b/session.h
> +@@ -316,6 +316,7 @@ struct clientsession {
> +
> + int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
> + for the last type of auth we tried */
> ++ int is_trivial_auth;
> + int ignore_next_auth_response;
> + #if DROPBEAR_CLI_INTERACT_AUTH
> + int auth_interact_failed; /* flag whether interactive auth can still
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#174319): https://lists.openembedded.org/g/openembedded-core/message/174319
> Mute This Topic: https://lists.openembedded.org/mt/95489223/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>