From patchwork Sun May 2 21:48:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hauke Mehrtens X-Patchwork-Id: 1472923 X-Patchwork-Delegate: hauke@hauke-m.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1:d65d:64ff:fe57:4e05; helo=desiato.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=desiato.20200630 header.b=N2PNws9r; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=hauke-m.de header.i=@hauke-m.de header.a=rsa-sha256 header.s=MBO0001 header.b=KrdJWmRp; dkim-atps=neutral Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FYKXp5Chgz9sTD for ; Mon, 3 May 2021 07:50:34 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=NpM3YR1MLhJTtgT383J4McC5DzDjpT0Sg/mvIDAKYzs=; b=N2PNws9rl9KUi1v3bNbgCO0fpV TPE6yP9qpyk87q+qdi65INp+vkCoBFEJaAaTUg7yYzg0yo2v8c9jxidxBGMg9bp3SUMCU4Zgi8ti7 HeD+YuuN3YEylEmOnJlnEA2N9QlZrER/l/6VlOdLpT1DnH6uMwhsCslTpQ9hY29InO+NhKZodchSV sBvGNlxi3eu+8Q87gKHS5h08zc9BNuOFYSjZoI1JfUEyGeXTQalDT2zYvPK6gReVaNOXm8gygzoYo eUHf9vR/0RgOsxG/opjkjQfRMhH6AmzdEd/rgcMxMhUh50vi7W+K2QPJ/ezr2CjUslcayzcI7zcm4 lPGlgqxg==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1ldJxI-00CZcG-9w; Sun, 02 May 2021 21:48:48 +0000 Received: from mout-p-202.mailbox.org ([80.241.56.172]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1ldJx7-00CZav-5e for openwrt-devel@lists.openwrt.org; Sun, 02 May 2021 21:48:45 +0000 Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4FYKVW07mlzQjZh; Sun, 2 May 2021 23:48:35 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hauke-m.de; s=MBO0001; t=1619992113; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=IcMlMsbjodTPVu7lq3GLg2cEaPW2OLTwnOi38Vwznkw=; b=KrdJWmRpt2TzSQSwpXA8X1eJCbY8YKTpfbuCH8XzbDghpiBqCoMiPv3X7EnB5AEArjftVS khtYCXx4MpD725Vrt8DJ1+kJt2ETPEl8XuJhLvGVcccrqbO7jFrJK82I8fslbPgiKUAkiM +x/Mz+mNdz184Z4hlQCgyFqIbt56Cthhqez+HqVLVvokcPKHrAfHbxTpXYsCNds1j2BPWh at4/PwAW/bhDCEn+Ij/GCGoHS/cwXYBN+T9zWP/9JDZtyaxFUmyZG65RkvCmG9aa8wMkTJ gkatQdnEONvAzi6/HiYlRtODZzsAECJ7uc7fXYbot0+BmHfXqC2yobSCuL61hg== Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter01.heinlein-hosting.de (spamfilter01.heinlein-hosting.de [80.241.56.115]) (amavisd-new, port 10030) with ESMTP id ZfnFC3xPQWoS; Sun, 2 May 2021 23:48:32 +0200 (CEST) From: Hauke Mehrtens To: openwrt-devel@lists.openwrt.org Cc: Hauke Mehrtens Subject: [PATCH 19.07] dropbear: Fix CVE-2020-36254 Date: Sun, 2 May 2021 23:48:27 +0200 Message-Id: <20210502214827.164174-1-hauke@hauke-m.de> MIME-Version: 1.0 X-MBO-SPAM-Probability: X-Rspamd-Score: -6.88 / 15.00 / 15.00 X-Rspamd-Queue-Id: 2553817DF X-Rspamd-UID: 6c31bb X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210502_224843_370245_F67D6375 X-CRM114-Status: GOOD ( 11.62 ) X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "desiato.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This backports a fix from dropbear 2020.81. CVE-2020-36254 description: scp.c in Dropbear before 2020.79 mishandles the filename of . or an empty filename, a related issue to CVE-2018-20685. Signed-off-by: Hauke Mehrtens --- .../patches/001-fix-CVE-2020-36254.patch | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 package/network/services/drop [...] Content analysis details: (-0.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [80.241.56.172 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This backports a fix from dropbear 2020.81. CVE-2020-36254 description: scp.c in Dropbear before 2020.79 mishandles the filename of . or an empty filename, a related issue to CVE-2018-20685. Signed-off-by: Hauke Mehrtens --- .../patches/001-fix-CVE-2020-36254.patch | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 package/network/services/dropbear/patches/001-fix-CVE-2020-36254.patch diff --git a/package/network/services/dropbear/patches/001-fix-CVE-2020-36254.patch b/package/network/services/dropbear/patches/001-fix-CVE-2020-36254.patch new file mode 100644 index 0000000000..03f8bf9a81 --- /dev/null +++ b/package/network/services/dropbear/patches/001-fix-CVE-2020-36254.patch @@ -0,0 +1,21 @@ +From 8f8a3dff705fad774a10864a2e3dbcfa9779ceff Mon Sep 17 00:00:00 2001 +From: Haelwenn Monnier +Date: Mon, 25 May 2020 14:54:29 +0200 +Subject: [PATCH] scp.c: Port OpenSSH CVE-2018-20685 fix (#80) + +--- + scp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/scp.c ++++ b/scp.c +@@ -935,7 +935,8 @@ sink(int argc, char **argv) + size = size * 10 + (*cp++ - '0'); + if (*cp++ != ' ') + SCREWUP("size not delimited"); +- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { ++ if (*cp == '\0' || strchr(cp, '/') != NULL || ++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { + run_err("error: unexpected filename: %s", cp); + exit(1); + }