diff options
author | Yogita Urade <yogita.urade@windriver.com> | 2023-09-08 14:01:15 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-09-09 22:13:24 +0100 |
commit | aa392840d625f5c45832e7ddf60c4dfaba3c4287 (patch) | |
tree | 724b1235b2e603e8b4657c90cbf6ec6eb1d02268 /meta/recipes-core/dropbear | |
parent | 1a209ef31165049c450018c7722013aa4d983fd8 (diff) | |
download | openembedded-core-aa392840d625f5c45832e7ddf60c4dfaba3c4287.tar.gz |
dropbear: fix CVE-2023-36328
Integer Overflow vulnerability in mp_grow in libtom libtommath before
commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to
execute arbitrary code and cause a denial of service (DoS).
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36328
https://github.com/libtom/libtommath/pull/546
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/dropbear')
-rw-r--r-- | meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch | 144 | ||||
-rw-r--r-- | meta/recipes-core/dropbear/dropbear_2022.83.bb | 1 |
2 files changed, 145 insertions, 0 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch new file mode 100644 index 0000000000..ec50d69816 --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch @@ -0,0 +1,144 @@ +From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001 +From: czurnieden <czurnieden@gmx.de> +Date: Fri, 8 Sep 2023 10:07:32 +0000 +Subject: [PATCH] Fix possible integer overflow + +CVE: CVE-2023-36328 + +Upstream-Status: Backport [https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + libtommath/bn_mp_2expt.c | 4 ++++ + libtommath/bn_mp_grow.c | 4 ++++ + libtommath/bn_mp_init_size.c | 5 +++++ + libtommath/bn_mp_mul_2d.c | 4 ++++ + libtommath/bn_s_mp_mul_digs.c | 4 ++++ + libtommath/bn_s_mp_mul_digs_fast.c | 4 ++++ + libtommath/bn_s_mp_mul_high_digs.c | 4 ++++ + libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++ + 8 files changed, 33 insertions(+) + +diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c +index 0ae3df1..ca6fbc3 100644 +--- a/libtommath/bn_mp_2expt.c ++++ b/libtommath/bn_mp_2expt.c +@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) + { + mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* zero a as per default */ + mp_zero(a); + +diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c +index 9e904c5..2b16826 100644 +--- a/libtommath/bn_mp_grow.c ++++ b/libtommath/bn_mp_grow.c +@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) + int i; + mp_digit *tmp; + ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + /* if the alloc size is smaller alloc more ram */ + if (a->alloc < size) { + /* reallocate the array a->dp +diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c +index d622687..5fefa96 100644 +--- a/libtommath/bn_mp_init_size.c ++++ b/libtommath/bn_mp_init_size.c +@@ -6,6 +6,11 @@ + /* init an mp_init for a given size */ + mp_err mp_init_size(mp_int *a, int size) + { ++ ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + size = MP_MAX(MP_MIN_PREC, size); + + /* alloc mem */ +diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c +index 87354de..2744163 100644 +--- a/libtommath/bn_mp_mul_2d.c ++++ b/libtommath/bn_mp_mul_2d.c +@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c) + mp_digit d; + mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* copy */ + if (a != c) { + if ((err = mp_copy(a, c)) != MP_OKAY) { +diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c +index 64509d4..2d2f5b0 100644 +--- a/libtommath/bn_s_mp_mul_digs.c ++++ b/libtommath/bn_s_mp_mul_digs.c +@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? */ + if ((digs < MP_WARRAY) && + (MP_MIN(a->used, b->used) < MP_MAXFAST)) { +diff --git a/libtommath/bn_s_mp_mul_digs_fast.c b/libtommath/bn_s_mp_mul_digs_fast.c +index b2a287b..d6dd3cc 100644 +--- a/libtommath/bn_s_mp_mul_digs_fast.c ++++ b/libtommath/bn_s_mp_mul_digs_fast.c +@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_digit W[MP_WARRAY]; + mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* grow the destination as required */ + if (c->alloc < digs) { + if ((err = mp_grow(c, digs)) != MP_OKAY) { +diff --git a/libtommath/bn_s_mp_mul_high_digs.c b/libtommath/bn_s_mp_mul_high_digs.c +index 2bb2a50..c9dd355 100644 +--- a/libtommath/bn_s_mp_mul_high_digs.c ++++ b/libtommath/bn_s_mp_mul_high_digs.c +@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? */ + if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST) + && ((a->used + b->used + 1) < MP_WARRAY) +diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c b/libtommath/bn_s_mp_mul_high_digs_fast.c +index a2c4fb6..afe3e4b 100644 +--- a/libtommath/bn_s_mp_mul_high_digs_fast.c ++++ b/libtommath/bn_s_mp_mul_high_digs_fast.c +@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int + mp_digit W[MP_WARRAY]; + mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* grow the destination as required */ + pa = a->used + b->used; + if (c->alloc < pa) { +-- +2.35.5 diff --git a/meta/recipes-core/dropbear/dropbear_2022.83.bb b/meta/recipes-core/dropbear/dropbear_2022.83.bb index 0c7a8f4caa..12ac732f58 100644 --- a/meta/recipes-core/dropbear/dropbear_2022.83.bb +++ b/meta/recipes-core/dropbear/dropbear_2022.83.bb @@ -21,6 +21,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ file://dropbear.default \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ + file://CVE-2023-36328.patch \ " SRC_URI[sha256sum] = "bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b" |