dropbear: fix multiple CVEs

CVE-2016-7406 CVE-2016-7407 CVE-2016-7408 CVE-2016-7409 References: https://matt.ucc.asn.au/dropbear/CHANGES http://seclists.org/oss-sec/2016/q3/504 [YOCTO #10443] (From OE-Core rev: cca372506522c1d588f9ebc66c6051089743d2a9) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-03-17 04:39:40 +01:00 · 2016-11-02 10:52:11 +01:00
parent 6962ee3689
commit c4061a0a68
5 changed files with 2720 additions and 0 deletions
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -17,6 +17,10 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
           file://0003-configure.patch \
           file://0004-fix-2kb-keys.patch \
           file://0007-dropbear-fix-for-x32-abi.patch \
+           file://CVE-2016-7406.patch \
+           file://CVE-2016-7407.patch \
+           file://CVE-2016-7408.patch \
+           file://CVE-2016-7409.patch \
           file://init \
           file://dropbearkey.service \
           file://dropbear@.service \
--- a/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch
@@ -0,0 +1,102 @@
+From 8fd720c3e319da773b48c0b191f049dbd1e3c7f0 Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 11 Jul 2016 23:09:33 +0800
+Subject: [PATCH] Improve exit message formatting
+
+CVE: CVE-2016-7406
+Upstream-Status: Backport [backported from:
+https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff -ruN a/cli-main.c b/cli-main.c
+--- a/cli-main.c	2016-03-09 15:54:53.000000000 +0100
+++ b/cli-main.c	2016-10-20 12:49:00.323501119 +0200
+@@ -85,29 +85,30 @@
+ #endif /* DBMULTI stuff */
+ 
+ static void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
+	char exitmsg[150];
+	char fullmsg[300];
+ 
+-	char fmtbuf[300];
+-	char exitmsg[500];
+	/* Note that exit message must be rendered before session cleanup */
+ 
+	/* Render the formatted exit message */
+	vsnprintf(exitmsg, sizeof(exitmsg), format, param);
+
+	/* Add the prefix depending on session/auth state */
+ 	if (!sessinitdone) {
+-		snprintf(fmtbuf, sizeof(fmtbuf), "Exited: %s",
+-				format);
+		snprintf(fullmsg, sizeof(fullmsg), "Exited: %s", exitmsg);
+ 	} else {
+-		snprintf(fmtbuf, sizeof(fmtbuf), 
+		snprintf(fullmsg, sizeof(fullmsg), 
+ 				"Connection to %s@%s:%s exited: %s", 
+ 				cli_opts.username, cli_opts.remotehost, 
+-				cli_opts.remoteport, format);
+				cli_opts.remoteport, exitmsg);
+ 	}
+ 
+-	/* Arguments to the exit printout may be unsafe to use after session_cleanup() */
+-	vsnprintf(exitmsg, sizeof(exitmsg), fmtbuf, param);
+-
+ 	/* Do the cleanup first, since then the terminal will be reset */
+ 	session_cleanup();
+ 	/* Avoid printing onwards from terminal cruft */
+ 	fprintf(stderr, "\n");
+ 
+-	dropbear_log(LOG_INFO, "%s", exitmsg);;
+	dropbear_log(LOG_INFO, "%s", fullmsg);
+ 	exit(exitcode);
+ }
+ 
+diff -ruN a/svr-session.c b/svr-session.c
+--- a/svr-session.c	2016-03-09 15:54:54.000000000 +0100
+++ b/svr-session.c	2016-10-20 13:27:20.629628336 +0200
+@@ -145,30 +145,33 @@
+ /* failure exit - format must be <= 100 chars */
+ void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
+ 
+-	char fmtbuf[300];
+	char exitmsg[150];
+	char fullmsg[300];
+ 	int i;
+ 
+	/* Render the formatted exit message */
+	vsnprintf(exitmsg, sizeof(exitmsg), format, param);
+
+	/* Add the prefix depending on session/auth state */
+ 	if (!sessinitdone) {
+ 		/* before session init */
+-		snprintf(fmtbuf, sizeof(fmtbuf), 
+-				"Early exit: %s", format);
+                snprintf(fullmsg, sizeof(fullmsg), "Early exit: %s", exitmsg);
+ 	} else if (ses.authstate.authdone) {
+ 		/* user has authenticated */
+-		snprintf(fmtbuf, sizeof(fmtbuf),
+		snprintf(fullmsg, sizeof(fullmsg),
+ 				"Exit (%s): %s", 
+-				ses.authstate.pw_name, format);
+				ses.authstate.pw_name, exitmsg);
+ 	} else if (ses.authstate.pw_name) {
+ 		/* we have a potential user */
+-		snprintf(fmtbuf, sizeof(fmtbuf), 
+		snprintf(fullmsg, sizeof(fullmsg),
+ 				"Exit before auth (user '%s', %d fails): %s",
+-				ses.authstate.pw_name, ses.authstate.failcount, format);
+				ses.authstate.pw_name, ses.authstate.failcount, exitmsg);
+ 	} else {
+ 		/* before userauth */
+-		snprintf(fmtbuf, sizeof(fmtbuf), 
+-				"Exit before auth: %s", format);
+		snprintf(fullmsg, sizeof(fullmsg), "Exit before auth: %s", exitmsg);
+ 	}
+ 
+-	_dropbear_log(LOG_INFO, fmtbuf, param);
+	dropbear_log(LOG_INFO, "%s", fullmsg);
+ 
+ #ifdef USE_VFORK
+ 	/* For uclinux only the main server process should cleanup - we don't want
--- a/meta/recipes-core/dropbear/dropbear/CVE-2016-7407.patch
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7407.patch
--- a/meta/recipes-core/dropbear/dropbear/CVE-2016-7408.patch
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7408.patch
@@ -0,0 +1,101 @@
+
+# HG changeset patch
+# User Matt Johnston <matt@ucc.asn.au>
+# Date 1468248038 -28800
+# Node ID eed9376a4ad68e3ae7f17d154dbf126ee66c54bc
+# Parent  6a14b1f6dc04e70933c49ea335184e68c1deeb94
+improve algorithm list parsing
+
+CVE: CVE-2016-7408
+Upstream-Status: Backport [backported from:
+https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff -r 6a14b1f6dc04 -r eed9376a4ad6 common-algo.c
+--- a/common-algo.c	Mon Jul 11 21:51:25 2016 +0800
+++ b/common-algo.c	Mon Jul 11 22:40:38 2016 +0800
+@@ -531,21 +531,6 @@
+ 	return NULL;
+ }
+ 
+-static void
+-try_add_algo(const char *algo_name, algo_type *algos, 
+-		const char *algo_desc, algo_type * new_algos, int *num_ret)
+-{
+-	algo_type *match_algo = check_algo(algo_name, algos);
+-	if (!match_algo)
+-	{
+-		dropbear_log(LOG_WARNING, "This Dropbear program does not support '%s' %s algorithm", algo_name, algo_desc);
+-		return;
+-	}
+-
+-	new_algos[*num_ret] = *match_algo;
+-	(*num_ret)++;
+-}
+-
+ /* Checks a user provided comma-separated algorithm list for available
+  * options. Any that are not acceptable are removed in-place. Returns the
+  * number of valid algorithms. */
+@@ -553,30 +538,43 @@
+ check_user_algos(const char* user_algo_list, algo_type * algos, 
+ 		const char *algo_desc)
+ {
+-	algo_type new_algos[MAX_PROPOSED_ALGO];
+-	/* this has two passes. first we sweep through the given list of
+-	 * algorithms and mark them as usable=2 in the algo_type[] array... */
+-	int num_ret = 0;
+	algo_type new_algos[MAX_PROPOSED_ALGO+1];
+ 	char *work_list = m_strdup(user_algo_list);
+-	char *last_name = work_list;
+	char *start = work_list;
+ 	char *c;
+-	for (c = work_list; *c; c++)
+	int n;
+	/* So we can iterate and look for null terminator */
+	memset(new_algos, 0x0, sizeof(new_algos));
+	for (c = work_list, n = 0; ; c++)
+ 	{
+-		if (*c == ',')
+-		{
+		char oc = *c;
+		if (n >= MAX_PROPOSED_ALGO) {
+			dropbear_exit("Too many algorithms '%s'", user_algo_list);
+		}
+		if (*c == ',' || *c == '\0') {
+			algo_type *match_algo = NULL;
+ 			*c = '\0';
+-			try_add_algo(last_name, algos, algo_desc, new_algos, &num_ret);
+			match_algo = check_algo(start, algos);
+			if (match_algo) {
+				if (check_algo(start, new_algos)) {
+					TRACE(("Skip repeated algorithm '%s'", start))
+				} else {
+					new_algos[n] = *match_algo;
+					n++;
+				}
+			} else {
+				dropbear_log(LOG_WARNING, "This Dropbear program does not support '%s' %s algorithm", start, algo_desc);
+			}
+ 			c++;
+-			last_name = c;
+			start = c;
+		}
+		if (oc == '\0') {
+			break;
+ 		}
+ 	}
+-	try_add_algo(last_name, algos, algo_desc, new_algos, &num_ret);
+ 	m_free(work_list);
+-
+-	new_algos[num_ret].name = NULL;
+-
+-	/* Copy one more as a blank delimiter */
+-	memcpy(algos, new_algos, sizeof(*new_algos) * (num_ret+1));
+-	return num_ret;
+	/* n+1 to include a null terminator */
+	memcpy(algos, new_algos, sizeof(*new_algos) * (n+1));
+	return n;
+ }
+ #endif /* ENABLE_USER_ALGO_LIST */
+
--- a/meta/recipes-core/dropbear/dropbear/CVE-2016-7409.patch
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7409.patch
@@ -0,0 +1,27 @@
+
+# HG changeset patch
+# User Matt Johnston <matt@ucc.asn.au>
+# Date 1468245085 -28800
+# Node ID 6a14b1f6dc04e70933c49ea335184e68c1deeb94
+# Parent  309e1c4a87682b6ca7d80b8555a1db416c3cb7ac
+better TRACE of failed remote ident
+
+CVE: CVE-2016-7409
+Upstream-Status: Backport [backported from:
+https://secure.ucc.asn.au/hg/dropbear/raw-rev/6a14b1f6dc04]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff -r 309e1c4a8768 -r 6a14b1f6dc04 common-session.c
+--- a/common-session.c	Fri Mar 18 22:44:36 2016 +0800
+++ b/common-session.c	Mon Jul 11 21:51:25 2016 +0800
+@@ -361,7 +361,7 @@
+ 	}
+ 
+ 	if (!done) {
+-		TRACE(("err: %s for '%s'\n", strerror(errno), linebuf))
+		TRACE(("error reading remote ident: %s\n", strerror(errno)))
+ 		ses.remoteclosed();
+ 	} else {
+ 		/* linebuf is already null terminated */
+