From patchwork Tue Apr 16 06:13:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: auh@yoctoproject.org X-Patchwork-Id: 42469 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E9EF5C3065C for ; Tue, 16 Apr 2024 06:14:12 +0000 (UTC) Received: from a27-31.smtp-out.us-west-2.amazonses.com (a27-31.smtp-out.us-west-2.amazonses.com [54.240.27.31]) by mx.groups.io with SMTP id smtpd.web11.13428.1713248038241196778 for ; Mon, 15 Apr 2024 23:13:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@yoctoproject.org header.s=lvjh2tk576v2ro5mi6k4dt3mc6wpqbky header.b=Gi/oQGMp; dkim=pass header.i=@amazonses.com header.s=7v7vs6w47njt4pimodk5mmttbegzsi6n header.b=slVFp35R; spf=pass (domain: us-west-2.amazonses.com, ip: 54.240.27.31, mailfrom: 0101018ee58a6a12-e82a6a18-f90c-43f1-9fcf-9bca73fcba97-000000@us-west-2.amazonses.com) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=lvjh2tk576v2ro5mi6k4dt3mc6wpqbky; d=yoctoproject.org; t=1713248037; h=Content-Type:MIME-Version:From:To:Cc:Subject:Message-Id:Date; bh=2ibNM12wjp/u0HNkpbdwNunyg9CIKkQ911apfeYfB9Y=; b=Gi/oQGMpcitWU7mjUtdGwLPHr95QQD8VbwQ5rtzrmst9tyblpJNihLJW/Fvpvv8l Q+6ka53P49TlSIrhNEWh2jLg6WYyAtr8T95A6RU38V2ipLNgOSqdUsahD/v6ZLsDxpy qK1TlLOqbMgiMgOVAVET6J/2Vu2n9gH/cNHrOn50= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=7v7vs6w47njt4pimodk5mmttbegzsi6n; d=amazonses.com; t=1713248037; h=Content-Type:MIME-Version:From:To:Cc:Subject:Message-Id:Date:Feedback-ID; bh=2ibNM12wjp/u0HNkpbdwNunyg9CIKkQ911apfeYfB9Y=; b=slVFp35Rrmxbfs0Sj1iNlNXgMrFV2VHOSYo8XJbzpoEW32sdmNrKoQ9a1g1g/mig oLkHKOcjRXiDl7KEtlheYdjVBwTnYTnozO9oyADdBYLqklcjfx8zpXtMHKuT06Nqr9a vKq7TRKkDtw37IvogGqVks0vvwLJlb+XG1fg+XQk= MIME-Version: 1.0 From: auh@yoctoproject.org To: Yi Zhao Cc: openembedded-core@lists.openembedded.org Subject: [AUH] dropbear: upgrading to 2024.84 SUCCEEDED Message-ID: <0101018ee58a6a12-e82a6a18-f90c-43f1-9fcf-9bca73fcba97-000000@us-west-2.amazonses.com> Date: Tue, 16 Apr 2024 06:13:57 +0000 Feedback-ID: 1.us-west-2.9np3MYPs3fEaOBysGKSlUD4KtcmPijcmS9Az2Hwf7iQ=:AmazonSES X-SES-Outgoing: 2024.04.16-54.240.27.31 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 16 Apr 2024 06:14:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/198264 Hello, this email is a notification from the Auto Upgrade Helper that the automatic attempt to upgrade the recipe *dropbear* to *2024.84* has Succeeded. Next steps: - apply the patch: git am 0001-dropbear-upgrade-2022.83-2024.84.patch - check the changes to upstream patches and summarize them in the commit message, - compile an image that contains the package - perform some basic sanity tests - amend the patch and sign it off: git commit -s --reset-author --amend - send it to the appropriate mailing list Alternatively, if you believe the recipe should not be upgraded at this time, you can fill RECIPE_NO_UPDATE_REASON in respective recipe file so that automatic upgrades would no longer be attempted. Please review the attached files for further information and build/update failures. Any problem please file a bug at https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Automated%20Update%20Handler Regards, The Upgrade Helper -- >8 -- From 63ab32fe34908d098d2f9ca87418f36ec8db5199 Mon Sep 17 00:00:00 2001 From: Upgrade Helper Date: Mon, 15 Apr 2024 17:53:26 +0000 Subject: [PATCH] dropbear: upgrade 2022.83 -> 2024.84 --- ...1-urandom-xauth-changes-to-options.h.patch | 20 +-- .../dropbear/0005-dropbear-enable-pam.patch | 21 ++- .../0006-dropbear-configuration-file.patch | 17 +-- .../dropbear/dropbear/CVE-2023-36328.patch | 144 ------------------ .../dropbear-disable-weak-ciphers.patch | 17 +-- ...ropbear_2022.83.bb => dropbear_2024.84.bb} | 3 +- 6 files changed, 34 insertions(+), 188 deletions(-) delete mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch rename meta/recipes-core/dropbear/{dropbear_2022.83.bb => dropbear_2024.84.bb} (97%) diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch index 99adcfd770..05607864c6 100644 --- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch +++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch @@ -1,15 +1,18 @@ -Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h +From 6a25b4c281eb28bc9b38a7f2b98e2bd74c7c3546 Mon Sep 17 00:00:00 2001 +From: Richard Purdie +Date: Wed, 31 Aug 2005 10:45:47 +0000 +Subject: [PATCH] urandom-xauth-changes-to-options.h Upstream-Status: Inappropriate [configuration] --- - default_options.h | 2 +- + src/default_options.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/default_options.h b/default_options.h -index 349338c..5ffac25 100644 ---- a/default_options.h -+++ b/default_options.h -@@ -289,7 +289,7 @@ group1 in Dropbear server too */ +diff --git a/src/default_options.h b/src/default_options.h +index 6e970bb..ccc8b47 100644 +--- a/src/default_options.h ++++ b/src/default_options.h +@@ -311,7 +311,7 @@ group1 in Dropbear server too */ /* The command to invoke for xauth when using X11 forwarding. * "-q" for quiet */ @@ -18,6 +21,3 @@ index 349338c..5ffac25 100644 /* If you want to enable running an sftp server (such as the one included with --- -2.25.1 - diff --git a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch index 32c3ea5f08..ff9a9bb76a 100644 --- a/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch +++ b/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch @@ -1,7 +1,7 @@ -From b8cece92ba19aa77ac013ea161bfe4c7147747c9 Mon Sep 17 00:00:00 2001 +From 2a9d43b628a7b14d45f371ec3f2fc56896d9b396 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Wed, 2 Dec 2015 11:36:02 +0200 -Subject: Enable pam +Subject: [PATCH] Enable pam We need modify file default_options.h besides enabling pam in configure if we want dropbear to support pam. @@ -11,14 +11,14 @@ Upstream-Status: Pending Signed-off-by: Xiaofeng Yan Signed-off-by: Jussi Kukkonen --- - default_options.h | 4 ++-- + src/default_options.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/default_options.h b/default_options.h -index 0e3d027..349338c 100644 ---- a/default_options.h -+++ b/default_options.h -@@ -210,7 +210,7 @@ group1 in Dropbear server too */ +diff --git a/src/default_options.h b/src/default_options.h +index ccc8b47..12768d1 100644 +--- a/src/default_options.h ++++ b/src/default_options.h +@@ -228,7 +228,7 @@ group1 in Dropbear server too */ /* Authentication Types - at least one required. RFC Draft requires pubkey auth, and recommends password */ @@ -27,7 +27,7 @@ index 0e3d027..349338c 100644 /* Note: PAM auth is quite simple and only works for PAM modules which just do * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). -@@ -218,7 +218,7 @@ group1 in Dropbear server too */ +@@ -236,7 +236,7 @@ group1 in Dropbear server too */ * but there's an interface via a PAM module. It won't work for more complex * PAM challenge/response. * You can't enable both PASSWORD and PAM. */ @@ -36,6 +36,3 @@ index 0e3d027..349338c 100644 /* ~/.ssh/authorized_keys authentication. * You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */ --- -2.25.1 - diff --git a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch index deed78ffb9..cae877d6cf 100644 --- a/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch +++ b/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch @@ -1,4 +1,4 @@ -From e3a5db1b6d3f6382a15b2266458c26c645a10f18 Mon Sep 17 00:00:00 2001 +From fffdda0c2e53b98862a3e9abc2e62b66f41beda7 Mon Sep 17 00:00:00 2001 From: Mingli Yu Date: Thu, 6 Sep 2018 15:54:00 +0800 Subject: [PATCH] dropbear configuration file @@ -12,14 +12,14 @@ Signed-off-by: Maxin B. John Signed-off-by: Xiaofeng Yan Signed-off-by: Mingli Yu --- - svr-authpam.c | 2 +- + src/svr-authpam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/svr-authpam.c b/svr-authpam.c -index d201bc9..165ec5c 100644 ---- a/svr-authpam.c -+++ b/svr-authpam.c -@@ -223,7 +223,7 @@ void svr_auth_pam(int valid_user) { +diff --git a/src/svr-authpam.c b/src/svr-authpam.c +index ec14632..026102f 100644 +--- a/src/svr-authpam.c ++++ b/src/svr-authpam.c +@@ -224,7 +224,7 @@ void svr_auth_pam(int valid_user) { } /* Init pam */ @@ -28,6 +28,3 @@ index d201bc9..165ec5c 100644 dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", rc, pam_strerror(pamHandlep, rc)); goto cleanup; --- -2.7.4 - diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch deleted file mode 100644 index ec50d69816..0000000000 --- a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch +++ /dev/null @@ -1,144 +0,0 @@ -From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001 -From: czurnieden -Date: Fri, 8 Sep 2023 10:07:32 +0000 -Subject: [PATCH] Fix possible integer overflow - -CVE: CVE-2023-36328 - -Upstream-Status: Backport [https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9] - -Signed-off-by: Yogita Urade ---- - libtommath/bn_mp_2expt.c | 4 ++++ - libtommath/bn_mp_grow.c | 4 ++++ - libtommath/bn_mp_init_size.c | 5 +++++ - libtommath/bn_mp_mul_2d.c | 4 ++++ - libtommath/bn_s_mp_mul_digs.c | 4 ++++ - libtommath/bn_s_mp_mul_digs_fast.c | 4 ++++ - libtommath/bn_s_mp_mul_high_digs.c | 4 ++++ - libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++ - 8 files changed, 33 insertions(+) - -diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c -index 0ae3df1..ca6fbc3 100644 ---- a/libtommath/bn_mp_2expt.c -+++ b/libtommath/bn_mp_2expt.c -@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) - { - mp_err err; - -+ if (b < 0) { -+ return MP_VAL; -+ } -+ - /* zero a as per default */ - mp_zero(a); - -diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c -index 9e904c5..2b16826 100644 ---- a/libtommath/bn_mp_grow.c -+++ b/libtommath/bn_mp_grow.c -@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) - int i; - mp_digit *tmp; - -+ if (size < 0) { -+ return MP_VAL; -+ } -+ - /* if the alloc size is smaller alloc more ram */ - if (a->alloc < size) { - /* reallocate the array a->dp -diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c -index d622687..5fefa96 100644 ---- a/libtommath/bn_mp_init_size.c -+++ b/libtommath/bn_mp_init_size.c -@@ -6,6 +6,11 @@ - /* init an mp_init for a given size */ - mp_err mp_init_size(mp_int *a, int size) - { -+ -+ if (size < 0) { -+ return MP_VAL; -+ } -+ - size = MP_MAX(MP_MIN_PREC, size); - - /* alloc mem */ -diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c -index 87354de..2744163 100644 ---- a/libtommath/bn_mp_mul_2d.c -+++ b/libtommath/bn_mp_mul_2d.c -@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c) - mp_digit d; - mp_err err; - -+ if (b < 0) { -+ return MP_VAL; -+ } -+ - /* copy */ - if (a != c) { - if ((err = mp_copy(a, c)) != MP_OKAY) { -diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c -index 64509d4..2d2f5b0 100644 ---- a/libtommath/bn_s_mp_mul_digs.c -+++ b/libtommath/bn_s_mp_mul_digs.c -@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) - mp_word r; - mp_digit tmpx, *tmpt, *tmpy; - -+ if (digs < 0) { -+ return MP_VAL; -+ } -+ - /* can we use the fast multiplier? */ - if ((digs < MP_WARRAY) && - (MP_MIN(a->used, b->used) < MP_MAXFAST)) { -diff --git a/libtommath/bn_s_mp_mul_digs_fast.c b/libtommath/bn_s_mp_mul_digs_fast.c -index b2a287b..d6dd3cc 100644 ---- a/libtommath/bn_s_mp_mul_digs_fast.c -+++ b/libtommath/bn_s_mp_mul_digs_fast.c -@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int digs) - mp_digit W[MP_WARRAY]; - mp_word _W; - -+ if (digs < 0) { -+ return MP_VAL; -+ } -+ - /* grow the destination as required */ - if (c->alloc < digs) { - if ((err = mp_grow(c, digs)) != MP_OKAY) { -diff --git a/libtommath/bn_s_mp_mul_high_digs.c b/libtommath/bn_s_mp_mul_high_digs.c -index 2bb2a50..c9dd355 100644 ---- a/libtommath/bn_s_mp_mul_high_digs.c -+++ b/libtommath/bn_s_mp_mul_high_digs.c -@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) - mp_word r; - mp_digit tmpx, *tmpt, *tmpy; - -+ if (digs < 0) { -+ return MP_VAL; -+ } -+ - /* can we use the fast multiplier? */ - if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST) - && ((a->used + b->used + 1) < MP_WARRAY) -diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c b/libtommath/bn_s_mp_mul_high_digs_fast.c -index a2c4fb6..afe3e4b 100644 ---- a/libtommath/bn_s_mp_mul_high_digs_fast.c -+++ b/libtommath/bn_s_mp_mul_high_digs_fast.c -@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int - mp_digit W[MP_WARRAY]; - mp_word _W; - -+ if (digs < 0) { -+ return MP_VAL; -+ } -+ - /* grow the destination as required */ - pa = a->used + b->used; - if (c->alloc < pa) { --- -2.35.5 diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch index 5c60868ed8..de490e77cb 100644 --- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch +++ b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch @@ -1,4 +1,4 @@ -From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001 +From b302e2702fea06785e492d83c76320c44d9f50a4 Mon Sep 17 00:00:00 2001 From: Joseph Reynolds Date: Thu, 20 Jun 2019 16:29:15 -0500 Subject: [PATCH] dropbear: new feature: disable-weak-ciphers @@ -10,14 +10,14 @@ and we want to support the stong algorithms. Upstream-Status: Inappropriate [configuration] Signed-off-by: Joseph Reynolds --- - default_options.h | 2 +- + src/default_options.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/default_options.h b/default_options.h -index d417588..bc5200f 100644 ---- a/default_options.h -+++ b/default_options.h -@@ -180,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */ +diff --git a/src/default_options.h b/src/default_options.h +index 12768d1..2b07497 100644 +--- a/src/default_options.h ++++ b/src/default_options.h +@@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after changes */ * Small systems should generally include either curve25519 or ecdh for performance. * curve25519 is less widely supported but is faster */ @@ -26,6 +26,3 @@ index d417588..bc5200f 100644 #define DROPBEAR_DH_GROUP14_SHA256 1 #define DROPBEAR_DH_GROUP16 0 #define DROPBEAR_CURVE25519 1 --- -2.25.1 - diff --git a/meta/recipes-core/dropbear/dropbear_2022.83.bb b/meta/recipes-core/dropbear/dropbear_2024.84.bb similarity index 97% rename from meta/recipes-core/dropbear/dropbear_2022.83.bb rename to meta/recipes-core/dropbear/dropbear_2024.84.bb index 528eff1a10..69c7b04c55 100644 --- a/meta/recipes-core/dropbear/dropbear_2022.83.bb +++ b/meta/recipes-core/dropbear/dropbear_2024.84.bb @@ -21,10 +21,9 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ file://dropbear.default \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ - file://CVE-2023-36328.patch \ " -SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b" +SRC_URI[sha256sum] = "16e22b66b333d6b7e504c43679d04ed6ca30f2838db40a21f935c850dfc01009" PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ file://0006-dropbear-configuration-file.patch \