dropbear: fix CVE-2021-36369
authorLee Chee Yang <chee.yang.lee@intel.com>
Thu, 8 Dec 2022 05:00:37 +0000 (13:00 +0800)
committerSteve Sakoman <steve@sakoman.com>
Thu, 8 Dec 2022 16:31:58 +0000 (06:31 -1000)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-core/dropbear/dropbear.inc
meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch [new file with mode: 0644]

index 026292230ca51b4d163498bee5e4b03c6743ea4f..0f5e9ba4ac49c9b22bcf9fc526f4f112be68ec2b 100644 (file)
@@ -29,6 +29,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
            ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
            file://CVE-2020-36254.patch \
+           file://CVE-2021-36369.patch \
            "
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
new file mode 100644 (file)
index 0000000..5cabe83
--- /dev/null
@@ -0,0 +1,145 @@
+From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+
+* added option to disable trivial auth methods
+
+* rename argument to match with other ssh clients
+
+* fixed trivial auth detection for pubkeys
+
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ cli-auth.c         | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c   | 2 +-
+ cli-authpubkey.c   | 1 +
+ cli-runopts.c      | 7 +++++++
+ cli-session.c      | 1 +
+ runopts.h          | 1 +
+ session.h          | 1 +
+ 8 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
++++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+       if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+       TRACE(("received msg_userauth_success"))
++      if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
++              dropbear_exit("trivial authentication not allowed");
++      }
+       /* Note: in delayed-zlib mode, setting authdone here 
+        * will enable compression in the transport layer */
+       ses.authstate.authdone = 1;
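Review bot: The new check in recv_msg_userauth_success() carries no comment saying what `is_trivial_auth` means, and the exit message gives the user nothing to act on. The other hunks show the flag starts at 1 and is cleared once a password is sent, a signed public-key request is sent, or an interactive prompt arrives. I would put that above the `if`: `/* trivial = server reported success although no password, signed pubkey request or interactive prompt was involved (CVE-2021-36369) */`. The function continues outside the hunk, so anything done before this point cannot be checked here.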
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
++++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+       m_free(instruction);
+       for (i = 0; i < num_prompts; i++) {
++              cli_ses.is_trivial_auth = 0;
+               unsigned int response_len = 0;
+               prompt = buf_getstring(ses.payload, NULL);
+               cleantext(prompt);
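Review bot: `cli_ses.is_trivial_auth = 0;` is placed ahead of the declaration `unsigned int response_len = 0;`, so a statement precedes a declaration in the loop body; that warns or fails on builds held to C89 declaration rules. Moving the assignment one line down, after the declaration, keeps the behaviour. The flag is cleared when a prompt is received rather than when a response is sent, so a request with zero prompts leaves it set. That appears intended, and a comment such as `/* a prompt reached the user, so the exchange is no longer trivial */` would record it. The loop and the function continue outside the hunk.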
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
++++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+       encrypt_packet();
+       m_burn(password, strlen(password));
+-
++      cli_ses.is_trivial_auth = 0;
+       TRACE(("leave cli_auth_password"))
+ }
+ #endif        /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 7cee164..7da1a04 100644
+--- a/cli-authpubkey.c
++++ b/cli-authpubkey.c
+@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
+               buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+               cli_buf_put_sign(ses.writepayload, key, type, sigbuf);
+               buf_free(sigbuf); /* Nothing confidential in the buffer */
++              cli_ses.is_trivial_auth = 0;
+       }
+       encrypt_packet();
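Review bot: Nothing says why `cli_ses.is_trivial_auth = 0;` sits inside this block rather than next to `encrypt_packet()`, and a later tidy-up could easily move it. Judging by the `realsign` parameter in the hunk header, the block is presumably the signed-request branch, so an unsigned key query leaves the flag set. A comment would pin that down: `/* only a signed request counts as authentication; a key query without a signature does not */`. The opening of the block is outside the hunk, so this should be confirmed against the full function.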
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 7d1fffe..6bf8b8e 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+       cli_opts.exit_on_fwd_failure = 0;
+ #endif
++      cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+       cli_opts.localfwds = list_new();
+       opts.listen_fwd_all = 0;
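Review bot: `cli_opts.disable_trivial_auth = 0;` makes the protection opt-in, so the check added in cli-auth.c never fires unless the user sets the `DisableTrivialAuth` option via `-o`. With the patch applied and no option given, the client behaves as before. The patch header carries `CVE: CVE-2021-36369`, so CVE tracking that keys on that tag will likely report the issue as fixed while the default is unchanged. I would comment the default, `/* off by default: trivial auth is still accepted unless DisableTrivialAuth is set */`, and have the recipe or release notes say that the option must be enabled to get the protection. cli_getopts() continues outside the hunk.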
+@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+                       "\tExitOnForwardFailure\n"
+ #endif
++                      "\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+                       "\tUseSyslog\n"
+ #endif
+@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) {
+               return;
+       }
++      if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
++              cli_opts.disable_trivial_auth = parse_flag_value(optstr);
++              return;
++      }
++
+       dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 56dd4af..73ef0db 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+       /* Auth */
+       cli_ses.lastprivkey = NULL;
+       cli_ses.lastauthtype = 0;
++      cli_ses.is_trivial_auth = 1;
+       /* For printing "remote host closed" for the user */
+       ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 31eae1f..8519626 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -154,6 +154,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+       int exit_on_fwd_failure;
+ #endif
++      int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+       m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index 0f77055..8676054 100644
+--- a/session.h
++++ b/session.h
+@@ -287,6 +287,7 @@ struct clientsession {
+       int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+                                                for the last type of auth we tried */
++      int is_trivial_auth;
+       int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+       int auth_interact_failed; /* flag whether interactive auth can still