diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-core/dropbear/files/CVE-2021-36369.patch')
| -rw-r--r-- | meta-openbmc-mods/meta-common/recipes-core/dropbear/files/CVE-2021-36369.patch | 235 |
1 files changed, 235 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-core/dropbear/files/CVE-2021-36369.patch b/meta-openbmc-mods/meta-common/recipes-core/dropbear/files/CVE-2021-36369.patch new file mode 100644 index 000000000..f641374f0 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dropbear/files/CVE-2021-36369.patch @@ -0,0 +1,235 @@ +From 7c2e8fcd0d162d2ba9fac116f96a5e82ac77f11c Mon Sep 17 00:00:00 2001 +From: Manfred Kaiser <manfred.kaiser@bmlv.gv.at> +Date: Thu, 17 Jun 2021 11:11:03 +0200 +Subject: [PATCH 1/3] added option to disable trivial auth methods + +--- + cli-auth.c | 3 +++ + cli-authinteract.c | 1 + + cli-authpasswd.c | 2 +- + cli-authpubkey.c | 1 + + cli-runopts.c | 7 +++++++ + cli-session.c | 1 + + runopts.h | 1 + + session.h | 1 + + 8 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/cli-auth.c b/cli-auth.c +index 5fcacc3a7..20cb34857 100644 +--- a/cli-auth.c ++++ b/cli-auth.c +@@ -261,6 +261,9 @@ void recv_msg_userauth_success() { + if DROPBEAR_CLI_IMMEDIATE_AUTH is set */ + + TRACE(("received msg_userauth_success")) ++ if (cli_opts.exit_on_trivial_auth && cli_ses.is_trivial_auth) { ++ dropbear_exit("trivial authentication not allowed"); ++ } + /* Note: in delayed-zlib mode, setting authdone here + * will enable compression in the transport layer */ + ses.authstate.authdone = 1; +diff --git a/cli-authinteract.c b/cli-authinteract.c +index e1cc9a161..f7128ee59 100644 +--- a/cli-authinteract.c ++++ b/cli-authinteract.c +@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() { + m_free(instruction); + + for (i = 0; i < num_prompts; i++) { ++ cli_ses.is_trivial_auth = 0; + unsigned int response_len = 0; + prompt = buf_getstring(ses.payload, NULL); + cleantext(prompt); +diff --git a/cli-authpasswd.c b/cli-authpasswd.c +index 00fdd8bc4..a24d43efa 100644 +--- a/cli-authpasswd.c ++++ b/cli-authpasswd.c +@@ -155,7 +155,7 @@ void cli_auth_password() { + + encrypt_packet(); + m_burn(password, strlen(password)); +- ++ cli_ses.is_trivial_auth = 0; + TRACE(("leave cli_auth_password")) + } + #endif /* DROPBEAR_CLI_PASSWORD_AUTH */ +diff --git a/cli-authpubkey.c b/cli-authpubkey.c +index 28c54fa9b..bdb855880 100644 +--- a/cli-authpubkey.c ++++ b/cli-authpubkey.c +@@ -266,6 +266,7 @@ int cli_auth_pubkey() { + /* Send a trial request */ + send_msg_userauth_pubkey(key, sigtype, 0); + cli_ses.lastprivkey = key; ++ cli_ses.is_trivial_auth = 0; + TRACE(("leave cli_auth_pubkey-success")) + return 1; + } else { +diff --git a/cli-runopts.c b/cli-runopts.c +index 3654b9a32..da3ad3d3e 100644 +--- a/cli-runopts.c ++++ b/cli-runopts.c +@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) { + #if DROPBEAR_CLI_ANYTCPFWD + cli_opts.exit_on_fwd_failure = 0; + #endif ++ cli_opts.exit_on_trivial_auth = 0; + #if DROPBEAR_CLI_LOCALTCPFWD + cli_opts.localfwds = list_new(); + opts.listen_fwd_all = 0; +@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) { + #if DROPBEAR_CLI_ANYTCPFWD + "\tExitOnForwardFailure\n" + #endif ++ "\tExitOnTrivialAuth\n" + #ifndef DISABLE_SYSLOG + "\tUseSyslog\n" + #endif +@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) { + return; + } + ++ if (match_extendedopt(&optstr, "ExitOnTrivialAuth") == DROPBEAR_SUCCESS) { ++ cli_opts.exit_on_trivial_auth = parse_flag_value(optstr); ++ return; ++ } ++ + dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr); + } +diff --git a/cli-session.c b/cli-session.c +index 699286db1..eee760e74 100644 +--- a/cli-session.c ++++ b/cli-session.c +@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) { + /* Auth */ + cli_ses.lastprivkey = NULL; + cli_ses.lastauthtype = 0; ++ cli_ses.is_trivial_auth = 1; + + /* For printing "remote host closed" for the user */ + ses.remoteclosed = cli_remoteclosed; +diff --git a/runopts.h b/runopts.h +index 6a4a94ccd..c626b0e7a 100644 +--- a/runopts.h ++++ b/runopts.h +@@ -159,6 +159,7 @@ typedef struct cli_runopts { + #if DROPBEAR_CLI_ANYTCPFWD + int exit_on_fwd_failure; + #endif ++ int exit_on_trivial_auth; + #if DROPBEAR_CLI_REMOTETCPFWD + m_list * remotefwds; + #endif +diff --git a/session.h b/session.h +index fb5b8cbb6..6706592a8 100644 +--- a/session.h ++++ b/session.h +@@ -316,6 +316,7 @@ struct clientsession { + + int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, + for the last type of auth we tried */ ++ int is_trivial_auth; + int ignore_next_auth_response; + #if DROPBEAR_CLI_INTERACT_AUTH + int auth_interact_failed; /* flag whether interactive auth can still + +From adbdb213eb0fe3e982cc57d7ae882c1915bef818 Mon Sep 17 00:00:00 2001 +From: Manfred Kaiser <manfred.kaiser@bmlv.gv.at> +Date: Fri, 18 Jun 2021 07:48:47 +0200 +Subject: [PATCH 2/3] rename argument to match with other ssh clients + +--- + cli-auth.c | 2 +- + cli-runopts.c | 8 ++++---- + runopts.h | 2 +- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/cli-auth.c b/cli-auth.c +index 20cb34857..517923052 100644 +--- a/cli-auth.c ++++ b/cli-auth.c +@@ -261,7 +261,7 @@ void recv_msg_userauth_success() { + if DROPBEAR_CLI_IMMEDIATE_AUTH is set */ + + TRACE(("received msg_userauth_success")) +- if (cli_opts.exit_on_trivial_auth && cli_ses.is_trivial_auth) { ++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) { + dropbear_exit("trivial authentication not allowed"); + } + /* Note: in delayed-zlib mode, setting authdone here +diff --git a/cli-runopts.c b/cli-runopts.c +index da3ad3d3e..255b47e8a 100644 +--- a/cli-runopts.c ++++ b/cli-runopts.c +@@ -152,7 +152,7 @@ void cli_getopts(int argc, char ** argv) { + #if DROPBEAR_CLI_ANYTCPFWD + cli_opts.exit_on_fwd_failure = 0; + #endif +- cli_opts.exit_on_trivial_auth = 0; ++ cli_opts.disable_trivial_auth = 0; + #if DROPBEAR_CLI_LOCALTCPFWD + cli_opts.localfwds = list_new(); + opts.listen_fwd_all = 0; +@@ -890,7 +890,7 @@ static void add_extendedopt(const char* origstr) { + #if DROPBEAR_CLI_ANYTCPFWD + "\tExitOnForwardFailure\n" + #endif +- "\tExitOnTrivialAuth\n" ++ "\tDisableTrivialAuth\n" + #ifndef DISABLE_SYSLOG + "\tUseSyslog\n" + #endif +@@ -918,8 +918,8 @@ static void add_extendedopt(const char* origstr) { + return; + } + +- if (match_extendedopt(&optstr, "ExitOnTrivialAuth") == DROPBEAR_SUCCESS) { +- cli_opts.exit_on_trivial_auth = parse_flag_value(optstr); ++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) { ++ cli_opts.disable_trivial_auth = parse_flag_value(optstr); + return; + } + +diff --git a/runopts.h b/runopts.h +index c626b0e7a..01201d2dc 100644 +--- a/runopts.h ++++ b/runopts.h +@@ -159,7 +159,7 @@ typedef struct cli_runopts { + #if DROPBEAR_CLI_ANYTCPFWD + int exit_on_fwd_failure; + #endif +- int exit_on_trivial_auth; ++ int disable_trivial_auth; + #if DROPBEAR_CLI_REMOTETCPFWD + m_list * remotefwds; + #endif + +From 318109125e747f0bc256a6d94d5756030ea2f5a0 Mon Sep 17 00:00:00 2001 +From: Manfred Kaiser <manfred.kaiser@logfile.at> +Date: Thu, 1 Jul 2021 18:50:18 +0200 +Subject: [PATCH 3/3] fixed trivial auth detection for pubkeys + +--- + cli-authpubkey.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cli-authpubkey.c b/cli-authpubkey.c +index bdb855880..c0da77f1e 100644 +--- a/cli-authpubkey.c ++++ b/cli-authpubkey.c +@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype, + buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); + cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf); + buf_free(sigbuf); /* Nothing confidential in the buffer */ ++ cli_ses.is_trivial_auth = 0; + } + + encrypt_packet(); +@@ -266,7 +267,6 @@ int cli_auth_pubkey() { + /* Send a trial request */ + send_msg_userauth_pubkey(key, sigtype, 0); + cli_ses.lastprivkey = key; +- cli_ses.is_trivial_auth = 0; + TRACE(("leave cli_auth_pubkey-success")) + return 1; + } else { |