openembedded-core.git/meta/recipes-core/dropbear, branch thud Mirror of openembedded-core dropbear: remove localoptions.h in source searching 2018-09-20T19:24:04+00:00 Andrej Valek andrej.valek@siemens.com 2018-09-19T13:02:52+00:00 40fe89027e1b9ed63c65ff026bc6cce5de1b814a - localoptions.h is automatically searched in build directory Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
- localoptions.h is automatically searched in build directory

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
dropbear: Fix CVE-2018-15599 2018-09-06T22:43:34+00:00 Mingli Yu Mingli.Yu@windriver.com 2018-09-06T08:06:33+00:00 f017715120b67ff02f56ed5db131436ee62aeffb Wait to fail invalid usernames to fix CVE-2018-15599 Rework 0006-dropbear-configuration-file.patch to fix fuzz warnings Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Wait to fail invalid usernames to fix
CVE-2018-15599

Rework 0006-dropbear-configuration-file.patch
to fix fuzz warnings

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dropbear.inc: add dependency on virtual/crypt to fix build with glibc-2.28 2018-08-14T15:32:50+00:00 Martin Jansa martin.jansa@gmail.com 2018-08-09T12:16:59+00:00 d04703aef55e01c59329fc54660724e053f3f66c configure tests crypt() existence with: dnl We test for crypt() specially. On Linux (and others?) it resides in libcrypt dnl but we don't want link all binaries to -lcrypt, just dropbear server. dnl OS X doesn't need -lcrypt AC_CHECK_FUNC(crypt, found_crypt_func=here) AC_CHECK_LIB(crypt, crypt, [ CRYPTLIB="-lcrypt" found_crypt_func=here ]) AC_SUBST(CRYPTLIB) if test "t$found_crypt_func" = there; then AC_DEFINE(HAVE_CRYPT, 1, [crypt() function]) fi but that silently fails with glibc-2.28 and a bit later do_compile fails with; http://errors.yoctoproject.org/Errors/Details/185895/ ../dropbear-2018.76/sysoptions.h:237:3: error: #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'." #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'." ^~~~~ Add dependency on virtual/crypt so that do_configure detects it correctly. Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
configure tests crypt() existence with:

dnl We test for crypt() specially. On Linux (and others?) it resides in libcrypt
dnl but we don't want link all binaries to -lcrypt, just dropbear server.
dnl OS X doesn't need -lcrypt
AC_CHECK_FUNC(crypt, found_crypt_func=here)
AC_CHECK_LIB(crypt, crypt,
        [
        CRYPTLIB="-lcrypt"
        found_crypt_func=here
        ])
AC_SUBST(CRYPTLIB)
if test "t$found_crypt_func" = there; then
AC_DEFINE(HAVE_CRYPT, 1, [crypt() function])
fi

but that silently fails with glibc-2.28 and a bit later do_compile fails with;
http://errors.yoctoproject.org/Errors/Details/185895/

../dropbear-2018.76/sysoptions.h:237:3: error: #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
  #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
   ^~~~~

Add dependency on virtual/crypt so that do_configure detects it correctly.

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dropbear: add default config file to disable root login 2018-07-07T09:59:16+00:00 Jackie Huang jackie.huang@windriver.com 2017-06-29T03:31:47+00:00 d3e69fa2fef83015658aa5fa1442bab5a8c3edaa root login is disabled by default for openssh and we can enable it through IMAGE_FEATURES 'debug-tweaks' or 'allow-empty-password', so change to the same default behavior for dropbear. Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
root login is disabled by default for openssh and we can
enable it through IMAGE_FEATURES 'debug-tweaks' or
'allow-empty-password', so change to the same default
behavior for dropbear.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dropbear: drop obsolete patch 0004-fix-2kb-keys.patch 2018-06-07T07:52:13+00:00 Andre McCurdy armccurdy@gmail.com 2018-05-29T20:58:55+00:00 17072ffc1e765edd45bc1174378fb666185e5643 The origins of the patch date back to early 2005 (prior to the start of git history in oe-core) to fix a hardcoded limit on the maximum size of remote host keys: http://familiar.handhelds.narkive.com/b1VGg2bI/problem-w-dropbear-ssh The hardcoded limit was fixed upstream in dropbear 0.47: https://github.com/mkj/dropbear/commit/736f370dce614b717193f45d084e9e009de723ce The patch has therefore been obsolete since then. It went unnoticed until now as the patch has continued to apply - it modifies a value which is not used. Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The origins of the patch date back to early 2005 (prior to the start
of git history in oe-core) to fix a hardcoded limit on the maximum
size of remote host keys:

  http://familiar.handhelds.narkive.com/b1VGg2bI/problem-w-dropbear-ssh

The hardcoded limit was fixed upstream in dropbear 0.47:

  https://github.com/mkj/dropbear/commit/736f370dce614b717193f45d084e9e009de723ce

The patch has therefore been obsolete since then. It went unnoticed
until now as the patch has continued to apply - it modifies a value
which is not used.

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dropbear: drop run time detection of read-only rootfs 2018-06-04T14:14:43+00:00 Andre McCurdy armccurdy@gmail.com 2018-05-31T00:16:47+00:00 4990f87b2f6a8b30c8d1c767636e7f5527f595ba Previously, when dropbear was started via its init script, relocation of DROPBEAR_RSAKEY_DIR to support read-only rootfs was handled at run time from within the init script. Update the init script to take advantage of the read-only rootfs config setup by read_only_rootfs_hook() and therefore be consistent with startup under systemd (where relocation of DROPBEAR_RSAKEY_DIR is handled by the read_only_rootfs_hook() at build time). Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Previously, when dropbear was started via its init script, relocation
of DROPBEAR_RSAKEY_DIR to support read-only rootfs was handled at
run time from within the init script.

Update the init script to take advantage of the read-only rootfs
config setup by read_only_rootfs_hook() and therefore be consistent
with startup under systemd (where relocation of DROPBEAR_RSAKEY_DIR
is handled by the read_only_rootfs_hook() at build time).

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dropbear: update to 2018.76 2018-05-04T08:54:57+00:00 Andrej Valek andrej.valek@siemens.com 2018-04-12T07:08:57+00:00 ec050b666ec3684918fd9dc564d2dce9a8d6a8ef - update dropbear to version 2018.76 - refresh and drop obsolete patches - add option to use localoptions.h header file - do not use harden stuff, which leads to QA warning Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
- update dropbear to version 2018.76
- refresh and drop obsolete patches
- add option to use localoptions.h header file
- do not use harden stuff, which leads to QA warning

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
dropbear: refresh patches 2018-03-07T14:33:55+00:00 Ross Burton ross.burton@intel.com 2017-11-15T16:47:41+00:00 18300f8faa5050178efcd22f2db843f9b3f3bb0f The patch tool will apply patches by default with "fuzz", which is where if the hunk context isn't present but what is there is close enough, it will force the patch in. Whilst this is useful when there's just whitespace changes, when applied to source it is possible for a patch applied with fuzz to produce broken code which still compiles (see #10450). This is obviously bad. We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For that to be realistic the existing patches with fuzz need to be rebased and reviewed. Signed-off-by: Ross Burton <ross.burton@intel.com> 
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.

Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450).  This is obviously bad.

We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.

Signed-off-by: Ross Burton <ross.burton@intel.com>
dropbear: reduce local pending patches 2017-07-17T12:49:03+00:00 Dengke Du dengke.du@windriver.com 2017-07-13T02:19:17+00:00 9b2e3b8235ee545b0eb666266c5db2ec7cb9e21f Signed-off-by: Dengke Du <dengke.du@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
dropbear: upgrade 2016.74 -> 2017.75 2017-06-03T22:45:52+00:00 Dengke Du dengke.du@windriver.com 2017-06-01T09:38:42+00:00 2fd0757ae7fd63bc93a4ce8579c6ba0cdbb4c1cd Drop patch support-out-of-tree-builds.patch: Because the upstream has already contain it. Signed-off-by: Dengke Du <dengke.du@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Drop patch support-out-of-tree-builds.patch:

    Because the upstream has already contain it.

Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>