diff options
Diffstat (limited to 'meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch')
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch b/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch new file mode 100644 index 0000000000..a582d0ff81 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2016-7406.patch @@ -0,0 +1,102 @@ +From 8fd720c3e319da773b48c0b191f049dbd1e3c7f0 Mon Sep 17 00:00:00 2001 +From: Matt Johnston <matt@ucc.asn.au> +Date: Mon, 11 Jul 2016 23:09:33 +0800 +Subject: [PATCH] Improve exit message formatting + +CVE: CVE-2016-7406 +Upstream-Status: Backport [backported from: +https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb] + +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> + +diff -ruN a/cli-main.c b/cli-main.c +--- a/cli-main.c 2016-03-09 15:54:53.000000000 +0100 ++++ b/cli-main.c 2016-10-20 12:49:00.323501119 +0200 +@@ -85,29 +85,30 @@ + #endif /* DBMULTI stuff */ + + static void cli_dropbear_exit(int exitcode, const char* format, va_list param) { ++ char exitmsg[150]; ++ char fullmsg[300]; + +- char fmtbuf[300]; +- char exitmsg[500]; ++ /* Note that exit message must be rendered before session cleanup */ + ++ /* Render the formatted exit message */ ++ vsnprintf(exitmsg, sizeof(exitmsg), format, param); ++ ++ /* Add the prefix depending on session/auth state */ + if (!sessinitdone) { +- snprintf(fmtbuf, sizeof(fmtbuf), "Exited: %s", +- format); ++ snprintf(fullmsg, sizeof(fullmsg), "Exited: %s", exitmsg); + } else { +- snprintf(fmtbuf, sizeof(fmtbuf), ++ snprintf(fullmsg, sizeof(fullmsg), + "Connection to %s@%s:%s exited: %s", + cli_opts.username, cli_opts.remotehost, +- cli_opts.remoteport, format); ++ cli_opts.remoteport, exitmsg); + } + +- /* Arguments to the exit printout may be unsafe to use after session_cleanup() */ +- vsnprintf(exitmsg, sizeof(exitmsg), fmtbuf, param); +- + /* Do the cleanup first, since then the terminal will be reset */ + session_cleanup(); + /* Avoid printing onwards from terminal cruft */ + fprintf(stderr, "\n"); + +- dropbear_log(LOG_INFO, "%s", exitmsg);; ++ dropbear_log(LOG_INFO, "%s", fullmsg); + exit(exitcode); + } + +diff -ruN a/svr-session.c b/svr-session.c +--- a/svr-session.c 2016-03-09 15:54:54.000000000 +0100 ++++ b/svr-session.c 2016-10-20 13:27:20.629628336 +0200 +@@ -145,30 +145,33 @@ + /* failure exit - format must be <= 100 chars */ + void svr_dropbear_exit(int exitcode, const char* format, va_list param) { + +- char fmtbuf[300]; ++ char exitmsg[150]; ++ char fullmsg[300]; + int i; + ++ /* Render the formatted exit message */ ++ vsnprintf(exitmsg, sizeof(exitmsg), format, param); ++ ++ /* Add the prefix depending on session/auth state */ + if (!sessinitdone) { + /* before session init */ +- snprintf(fmtbuf, sizeof(fmtbuf), +- "Early exit: %s", format); ++ snprintf(fullmsg, sizeof(fullmsg), "Early exit: %s", exitmsg); + } else if (ses.authstate.authdone) { + /* user has authenticated */ +- snprintf(fmtbuf, sizeof(fmtbuf), ++ snprintf(fullmsg, sizeof(fullmsg), + "Exit (%s): %s", +- ses.authstate.pw_name, format); ++ ses.authstate.pw_name, exitmsg); + } else if (ses.authstate.pw_name) { + /* we have a potential user */ +- snprintf(fmtbuf, sizeof(fmtbuf), ++ snprintf(fullmsg, sizeof(fullmsg), + "Exit before auth (user '%s', %d fails): %s", +- ses.authstate.pw_name, ses.authstate.failcount, format); ++ ses.authstate.pw_name, ses.authstate.failcount, exitmsg); + } else { + /* before userauth */ +- snprintf(fmtbuf, sizeof(fmtbuf), +- "Exit before auth: %s", format); ++ snprintf(fullmsg, sizeof(fullmsg), "Exit before auth: %s", exitmsg); + } + +- _dropbear_log(LOG_INFO, fmtbuf, param); ++ dropbear_log(LOG_INFO, "%s", fullmsg); + + #ifdef USE_VFORK + /* For uclinux only the main server process should cleanup - we don't want |