@@ -1,15 +1,18 @@
-Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h
+From 6a25b4c281eb28bc9b38a7f2b98e2bd74c7c3546 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard@openedhand.com>
+Date: Wed, 31 Aug 2005 10:45:47 +0000
+Subject: [PATCH] urandom-xauth-changes-to-options.h
Upstream-Status: Inappropriate [configuration]
---
- default_options.h | 2 +-
+ src/default_options.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/default_options.h b/default_options.h
-index 349338c..5ffac25 100644
---- a/default_options.h
-+++ b/default_options.h
-@@ -289,7 +289,7 @@ group1 in Dropbear server too */
+diff --git a/src/default_options.h b/src/default_options.h
+index 6e970bb..ccc8b47 100644
+--- a/src/default_options.h
++++ b/src/default_options.h
+@@ -311,7 +311,7 @@ group1 in Dropbear server too */
/* The command to invoke for xauth when using X11 forwarding.
* "-q" for quiet */
@@ -18,6 +21,3 @@ index 349338c..5ffac25 100644
/* If you want to enable running an sftp server (such as the one included with
-2.25.1
-
@@ -1,7 +1,7 @@
-From b8cece92ba19aa77ac013ea161bfe4c7147747c9 Mon Sep 17 00:00:00 2001
+From 2a9d43b628a7b14d45f371ec3f2fc56896d9b396 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen <jussi.kukkonen@intel.com>
Date: Wed, 2 Dec 2015 11:36:02 +0200
-Subject: Enable pam
+Subject: [PATCH] Enable pam
We need modify file default_options.h besides enabling pam in
configure if we want dropbear to support pam.
@@ -11,14 +11,14 @@ Upstream-Status: Pending
Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
- default_options.h | 4 ++--
+ src/default_options.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/default_options.h b/default_options.h
-index 0e3d027..349338c 100644
---- a/default_options.h
-+++ b/default_options.h
-@@ -210,7 +210,7 @@ group1 in Dropbear server too */
+diff --git a/src/default_options.h b/src/default_options.h
+index ccc8b47..12768d1 100644
+--- a/src/default_options.h
++++ b/src/default_options.h
+@@ -228,7 +228,7 @@ group1 in Dropbear server too */
/* Authentication Types - at least one required.
RFC Draft requires pubkey auth, and recommends password */
@@ -27,7 +27,7 @@ index 0e3d027..349338c 100644
/* Note: PAM auth is quite simple and only works for PAM modules which just do
* a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
-@@ -218,7 +218,7 @@ group1 in Dropbear server too */
+@@ -236,7 +236,7 @@ group1 in Dropbear server too */
* but there's an interface via a PAM module. It won't work for more complex
* PAM challenge/response.
* You can't enable both PASSWORD and PAM. */
@@ -36,6 +36,3 @@ index 0e3d027..349338c 100644
/* ~/.ssh/authorized_keys authentication.
* You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins. */
-2.25.1
-
@@ -1,4 +1,4 @@
-From e3a5db1b6d3f6382a15b2266458c26c645a10f18 Mon Sep 17 00:00:00 2001
+From fffdda0c2e53b98862a3e9abc2e62b66f41beda7 Mon Sep 17 00:00:00 2001
From: Mingli Yu <Mingli.Yu@windriver.com>
Date: Thu, 6 Sep 2018 15:54:00 +0800
Subject: [PATCH] dropbear configuration file
@@ -12,14 +12,14 @@ Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
- svr-authpam.c | 2 +-
+ src/svr-authpam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/svr-authpam.c b/svr-authpam.c
-index d201bc9..165ec5c 100644
---- a/svr-authpam.c
-+++ b/svr-authpam.c
-@@ -223,7 +223,7 @@ void svr_auth_pam(int valid_user) {
+diff --git a/src/svr-authpam.c b/src/svr-authpam.c
+index ec14632..026102f 100644
+--- a/src/svr-authpam.c
++++ b/src/svr-authpam.c
+@@ -224,7 +224,7 @@ void svr_auth_pam(int valid_user) {
}
/* Init pam */
@@ -28,6 +28,3 @@ index d201bc9..165ec5c 100644
dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s",
rc, pam_strerror(pamHandlep, rc));
goto cleanup;
-2.7.4
-
deleted file mode 100644
@@ -1,144 +0,0 @@
-From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001
-From: czurnieden <czurnieden@gmx.de>
-Date: Fri, 8 Sep 2023 10:07:32 +0000
-Subject: [PATCH] Fix possible integer overflow
-
-CVE: CVE-2023-36328
-
-Upstream-Status: Backport [https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9]
-
-Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
----
- libtommath/bn_mp_2expt.c | 4 ++++
- libtommath/bn_mp_grow.c | 4 ++++
- libtommath/bn_mp_init_size.c | 5 +++++
- libtommath/bn_mp_mul_2d.c | 4 ++++
- libtommath/bn_s_mp_mul_digs.c | 4 ++++
- libtommath/bn_s_mp_mul_digs_fast.c | 4 ++++
- libtommath/bn_s_mp_mul_high_digs.c | 4 ++++
- libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++
- 8 files changed, 33 insertions(+)
-
-diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c
-index 0ae3df1..ca6fbc3 100644
---- a/libtommath/bn_mp_2expt.c
-+++ b/libtommath/bn_mp_2expt.c
-@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
- {
- mp_err err;
-
-+ if (b < 0) {
-+ return MP_VAL;
-+ }
-+
- /* zero a as per default */
- mp_zero(a);
-
-diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c
-index 9e904c5..2b16826 100644
---- a/libtommath/bn_mp_grow.c
-+++ b/libtommath/bn_mp_grow.c
-@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size)
- int i;
- mp_digit *tmp;
-
-+ if (size < 0) {
-+ return MP_VAL;
-+ }
-+
- /* if the alloc size is smaller alloc more ram */
- if (a->alloc < size) {
- /* reallocate the array a->dp
-diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c
-index d622687..5fefa96 100644
---- a/libtommath/bn_mp_init_size.c
-+++ b/libtommath/bn_mp_init_size.c
-@@ -6,6 +6,11 @@
- /* init an mp_init for a given size */
- mp_err mp_init_size(mp_int *a, int size)
- {
-+
-+ if (size < 0) {
-+ return MP_VAL;
-+ }
-+
- size = MP_MAX(MP_MIN_PREC, size);
-
- /* alloc mem */
-diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c
-index 87354de..2744163 100644
---- a/libtommath/bn_mp_mul_2d.c
-+++ b/libtommath/bn_mp_mul_2d.c
-@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c)
- mp_digit d;
- mp_err err;
-
-+ if (b < 0) {
-+ return MP_VAL;
-+ }
-+
- /* copy */
- if (a != c) {
- if ((err = mp_copy(a, c)) != MP_OKAY) {
-diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c
-index 64509d4..2d2f5b0 100644
---- a/libtommath/bn_s_mp_mul_digs.c
-+++ b/libtommath/bn_s_mp_mul_digs.c
-@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs)
- mp_word r;
- mp_digit tmpx, *tmpt, *tmpy;
-
-+ if (digs < 0) {
-+ return MP_VAL;
-+ }
-+
- /* can we use the fast multiplier? */
- if ((digs < MP_WARRAY) &&
- (MP_MIN(a->used, b->used) < MP_MAXFAST)) {
-diff --git a/libtommath/bn_s_mp_mul_digs_fast.c b/libtommath/bn_s_mp_mul_digs_fast.c
-index b2a287b..d6dd3cc 100644
---- a/libtommath/bn_s_mp_mul_digs_fast.c
-+++ b/libtommath/bn_s_mp_mul_digs_fast.c
-@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int digs)
- mp_digit W[MP_WARRAY];
- mp_word _W;
-
-+ if (digs < 0) {
-+ return MP_VAL;
-+ }
-+
- /* grow the destination as required */
- if (c->alloc < digs) {
- if ((err = mp_grow(c, digs)) != MP_OKAY) {
-diff --git a/libtommath/bn_s_mp_mul_high_digs.c b/libtommath/bn_s_mp_mul_high_digs.c
-index 2bb2a50..c9dd355 100644
---- a/libtommath/bn_s_mp_mul_high_digs.c
-+++ b/libtommath/bn_s_mp_mul_high_digs.c
-@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs)
- mp_word r;
- mp_digit tmpx, *tmpt, *tmpy;
-
-+ if (digs < 0) {
-+ return MP_VAL;
-+ }
-+
- /* can we use the fast multiplier? */
- if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
- && ((a->used + b->used + 1) < MP_WARRAY)
-diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c b/libtommath/bn_s_mp_mul_high_digs_fast.c
-index a2c4fb6..afe3e4b 100644
---- a/libtommath/bn_s_mp_mul_high_digs_fast.c
-+++ b/libtommath/bn_s_mp_mul_high_digs_fast.c
-@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int
- mp_digit W[MP_WARRAY];
- mp_word _W;
-
-+ if (digs < 0) {
-+ return MP_VAL;
-+ }
-+
- /* grow the destination as required */
- pa = a->used + b->used;
- if (c->alloc < pa) {
---
-2.35.5
@@ -1,4 +1,4 @@
-From c347ece05a7fdbf50d76cb136b9ed45caed333f6 Mon Sep 17 00:00:00 2001
+From b302e2702fea06785e492d83c76320c44d9f50a4 Mon Sep 17 00:00:00 2001
From: Joseph Reynolds <joseph.reynolds1@ibm.com>
Date: Thu, 20 Jun 2019 16:29:15 -0500
Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
@@ -10,14 +10,14 @@ and we want to support the stong algorithms.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
---
- default_options.h | 2 +-
+ src/default_options.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/default_options.h b/default_options.h
-index d417588..bc5200f 100644
---- a/default_options.h
-+++ b/default_options.h
-@@ -180,7 +180,7 @@ IMPORTANT: Some options will require "make clean" after changes */
+diff --git a/src/default_options.h b/src/default_options.h
+index 12768d1..2b07497 100644
+--- a/src/default_options.h
++++ b/src/default_options.h
+@@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after changes */
* Small systems should generally include either curve25519 or ecdh for performance.
* curve25519 is less widely supported but is faster
*/
@@ -26,6 +26,3 @@ index d417588..bc5200f 100644
#define DROPBEAR_DH_GROUP14_SHA256 1
#define DROPBEAR_DH_GROUP16 0
#define DROPBEAR_CURVE25519 1
-2.25.1
-
similarity index 97%
rename from meta/recipes-core/dropbear/dropbear_2022.83.bb
rename to meta/recipes-core/dropbear/dropbear_2024.84.bb
@@ -21,10 +21,9 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
file://dropbear.default \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
- file://CVE-2023-36328.patch \
"
-SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b"
+SRC_URI[sha256sum] = "16e22b66b333d6b7e504c43679d04ed6ca30f2838db40a21f935c850dfc01009"
PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
file://0006-dropbear-configuration-file.patch \
Hello, this email is a notification from the Auto Upgrade Helper that the automatic attempt to upgrade the recipe *dropbear* to *2024.84* has Succeeded. Next steps: - apply the patch: git am 0001-dropbear-upgrade-2022.83-2024.84.patch - check the changes to upstream patches and summarize them in the commit message, - compile an image that contains the package - perform some basic sanity tests - amend the patch and sign it off: git commit -s --reset-author --amend - send it to the appropriate mailing list Alternatively, if you believe the recipe should not be upgraded at this time, you can fill RECIPE_NO_UPDATE_REASON in respective recipe file so that automatic upgrades would no longer be attempted. Please review the attached files for further information and build/update failures. Any problem please file a bug at https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Automated%20Update%20Handler Regards, The Upgrade Helper -- >8 -- From 63ab32fe34908d098d2f9ca87418f36ec8db5199 Mon Sep 17 00:00:00 2001 From: Upgrade Helper <auh@yoctoproject.org> Date: Mon, 15 Apr 2024 17:53:26 +0000 Subject: [PATCH] dropbear: upgrade 2022.83 -> 2024.84 --- ...1-urandom-xauth-changes-to-options.h.patch | 20 +-- .../dropbear/0005-dropbear-enable-pam.patch | 21 ++- .../0006-dropbear-configuration-file.patch | 17 +-- .../dropbear/dropbear/CVE-2023-36328.patch | 144 ------------------ .../dropbear-disable-weak-ciphers.patch | 17 +-- ...ropbear_2022.83.bb => dropbear_2024.84.bb} | 3 +- 6 files changed, 34 insertions(+), 188 deletions(-) delete mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch rename meta/recipes-core/dropbear/{dropbear_2022.83.bb => dropbear_2024.84.bb} (97%)