projects / openwrt / openwrt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0bfc66e)
dropbear: bump to 2025.89 (CVE-2025-14282, CVE-2019-6111) main master
authorPetr Štetiar <[email protected]>
Tue, 16 Dec 2025 16:42:19 +0000 (16:42 +0000)
committerPetr Štetiar <[email protected]>
Wed, 17 Dec 2025 03:57:50 +0000 (03:57 +0000)
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
  server. Other programs on a system may authenticate unix sockets via
  SO_PEERCRED, which would be root user for Dropbear forwarded connections,
  allowing root privilege escalation.
  Reported by Turistu, and thanks for advice on the fix.
  This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.

  It is fixed by dropping privileges of the dropbear process after
  authentication. Unix stream sockets are now disallowed when a
  forced command is used, either with authorized_key restrictions or
  "dropbear -c command".

  In previous affected releases running with "dropbear -j" (will also disable
  TCP fowarding) or building with localoptions.h/distrooptions.h
  "#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.

- Security: Include scp fix for CVE-2019-6111. This allowed
  a malicious server to overwrite arbitrary local files.
  The missing fix was reported by Ashish Kunwar.

- Server dropping privileges post-auth is enabled by default. This requires
  setresgid() support, so some platforms such as netbsd or macos will have to
  disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
  not available if DROPBEAR_SVR_DROP_PRIVS is disabled.

  Remote server TCP socket forwarding will now use OS privileged port
  restrictions rather than having a fixed "allow >=1024 for non-root" rule.

  A future release may implement privilege dropping for netbsd/macos.

- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
  to a crash at startup with bad_bufptr().
  Reported by Dani Schmitt and Sebastian Priebe.

- Don't limit channel window to 500MB. That is could cause stuck connections
  if peers advise a large window and don't send an increment within 500MB.
  Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
  Reported by Rob Hague.

- Ignore -g -s when passwords arent enabled. Patch from Norbert Lange.
  Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.

- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.

- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
  150-350ms or possibly negative (zero). Reported by pickaxprograms.

- Fix building without public key options. Thanks to Konstantin Demin

- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin

- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger

- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.

Dropped:

 * 050-dropbear-multihop-fix.patch as its included in the release 5cc0127000db5f
 * 051-fix-pubkey-options.patch as its included in the release 1d4c4a542cd5df
 * 052-fix-missing-depends-for-sntrup761x25519-sha512.patch as its included
   in the release 1a2c1e649a1824
 * 053-Don-t-limit-channel-window-to-500MB.patch as its included in the release a8610f7b98ad

Manually rebased:

 * 110-change_user.patch

Fixes: CVE-2025-14282, CVE-2019-6111
Reviewed-by: Hauke Mehrtens <[email protected]>
Reviewed-by: Konstantin Demin <[email protected]>
Tested-by: Konstantin Demin <[email protected]> [mediatek/filogic (GL.iNet GL-MT6000)]
Link: https://github.com/openwrt/openwrt/pull/21186
Signed-off-by: Petr Štetiar <[email protected]>
package/network/services/dropbear/Makefile patch | blob | history
package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch [deleted file] patch | blob | history
package/network/services/dropbear/patches/051-fix-pubkey-options.patch [deleted file] patch | blob | history
package/network/services/dropbear/patches/052-fix-missing-depends-for-sntrup761x25519-sha512.patch [deleted file] patch | blob | history
package/network/services/dropbear/patches/053-Don-t-limit-channel-window-to-500MB.patch [deleted file] patch | blob | history
package/network/services/dropbear/patches/110-change_user.patch patch | blob | history
package/network/services/dropbear/patches/900-configure-hardening.patch patch | blob | history
package/network/services/dropbear/patches/901-bundled-libs-cflags.patch patch | blob | history

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 59aff2f7cfe0c6e81bb15592eca6d608578e5aa9..457f099fdda02f2561c53766e6c3d0d39cc54dfd 100644 (file)
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2025.88
-PKG_RELEASE:=4
+PKG_VERSION:=2025.89
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
        https://matt.ucc.asn.au/dropbear/releases/ \
        https://dropbear.nl/mirror/releases/
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
        https://matt.ucc.asn.au/dropbear/releases/ \
        https://dropbear.nl/mirror/releases/
-PKG_HASH:=783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4
+PKG_HASH:=0d1f7ca711cfc336dc8a85e672cab9cfd8223a02fe2da0a4a7aeb58c9e113634
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
diff --git a/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch b/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch
deleted file mode 100644 (file)
index d8d6ff1..0000000
--- a/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001
-From: Konstantin Demin <[email protected]>
-Date: Fri, 9 May 2025 22:39:35 +0300
-Subject: Fix proxycmd without netcat
-
-fixes e5a0ef27c2 "Execute multihop commands directly, no shell"
-
-Signed-off-by: Konstantin Demin <[email protected]>
-Forwarded: https://github.com/mkj/dropbear/pull/363
----
- src/cli-main.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
---- a/src/cli-main.c
-+++ b/src/cli-main.c
-@@ -77,7 +77,11 @@ int main(int argc, char ** argv) {
-       }
- #if DROPBEAR_CLI_PROXYCMD
--      if (cli_opts.proxycmd || cli_opts.proxyexec) {
-+      if (cli_opts.proxycmd
-+#if DROPBEAR_CLI_MULTIHOP
-+              || cli_opts.proxyexec
-+#endif
-+      ) {
-               cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
-               if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
-                       signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
-@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *
-       dropbear_exit("Failed to run '%s'\n", cmd);
- }
-+#if DROPBEAR_CLI_MULTIHOP
- static void exec_proxy_cmd(const void *unused) {
-       (void)unused;
-       run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
-       dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
- }
-+#endif
- static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
-       char * cmd_arg = NULL;
-@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in,
-               cmd_arg = m_malloc(shell_cmdlen);
-               snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
-               exec_fn = shell_proxy_cmd;
-+#if DROPBEAR_CLI_MULTIHOP
-       } else {
-               /* No shell */
-               exec_fn = exec_proxy_cmd;
-+#endif
-       }
-       ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
-@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in,
- cleanup:
-       m_free(cli_opts.proxycmd);
-       m_free(cmd_arg);
-+#if DROPBEAR_CLI_MULTIHOP
-       if (cli_opts.proxyexec) {
-               char **a = NULL;
-               for (a = cli_opts.proxyexec; *a; a++) {
-@@ -166,6 +175,7 @@ cleanup:
-               }
-               m_free(cli_opts.proxyexec);
-       }
-+#endif
- }
- static void kill_proxy_sighandler(int UNUSED(signo)) {
diff --git a/package/network/services/dropbear/patches/051-fix-pubkey-options.patch b/package/network/services/dropbear/patches/051-fix-pubkey-options.patch
deleted file mode 100644 (file)
index ce0a524..0000000
--- a/package/network/services/dropbear/patches/051-fix-pubkey-options.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 91877a0337f432fd29bb1041be5599ea706e5de6 Mon Sep 17 00:00:00 2001
-From: Konstantin Demin <[email protected]>
-Date: Thu, 31 Jul 2025 14:13:35 +0300
-Subject: fix build without pubkey options
-
-fixes:
-- 98ef42a856 "Don't set pubkey_info directly in checkpubkey_line"
-- 62ea53c1e5 "Implement no-touch-required and verify-requred for authorized_keys file"
-
-Signed-off-by: Konstantin Demin <[email protected]>
-Forwarded: https://github.com/mkj/dropbear/pull/374
----
- src/svr-authpubkey.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
---- a/src/svr-authpubkey.c
-+++ b/src/svr-authpubkey.c
-@@ -186,12 +186,14 @@ void svr_auth_pubkey(int valid_user) {
- #if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
-       key->sk_flags_mask = SSH_SK_USER_PRESENCE_REQD;
-+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
-       if (ses.authstate.pubkey_options && ses.authstate.pubkey_options->no_touch_required_flag) {
-               key->sk_flags_mask &= ~SSH_SK_USER_PRESENCE_REQD;
-       }
-       if (ses.authstate.pubkey_options && ses.authstate.pubkey_options->verify_required_flag) {
-               key->sk_flags_mask |= SSH_SK_USER_VERIFICATION_REQD;
-       }
-+#endif /* DROPBEAR_SVR_PUBKEY_OPTIONS */
- #endif
-       /* create the data which has been signed - this a string containing
-@@ -513,7 +515,13 @@ static int checkpubkey(const char* keyal
-               line_num++;
-               ret = checkpubkey_line(line, line_num, filename, keyalgo, keyalgolen,
--                      keyblob, keybloblen, &ses.authstate.pubkey_info);
-+                      keyblob, keybloblen,
-+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
-+                      &ses.authstate.pubkey_info
-+#else
-+                      NULL
-+#endif
-+              );
-               if (ret == DROPBEAR_SUCCESS) {
-                       break;
-               }
diff --git a/package/network/services/dropbear/patches/052-fix-missing-depends-for-sntrup761x25519-sha512.patch b/package/network/services/dropbear/patches/052-fix-missing-depends-for-sntrup761x25519-sha512.patch
deleted file mode 100644 (file)
index 82edb7c..0000000
--- a/package/network/services/dropbear/patches/052-fix-missing-depends-for-sntrup761x25519-sha512.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 4bc1e18948d0918bcb1338a5f1e7856478abf985 Mon Sep 17 00:00:00 2001
-From: Konstantin Demin <[email protected]>
-Date: Fri, 8 Aug 2025 10:02:44 +0300
-Subject: fix missing depends for sntrup761x25519-sha512
-
-fixes 440b7b5c4f "Add sntrup761x25519-sha512 post-quantum key exchange"
-
-Signed-off-by: Konstantin Demin <[email protected]>
-Forwarded: https://github.com/mkj/dropbear/pull/375
----
- src/sysoptions.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/src/sysoptions.h
-+++ b/src/sysoptions.h
-@@ -207,7 +207,7 @@
- /* LTC SHA384 depends on SHA512 */
- #define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \
-                       || (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16) \
--                      || (DROPBEAR_ED25519))
-+                      || (DROPBEAR_ED25519) || (DROPBEAR_SNTRUP761))
- #define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1))
diff --git a/package/network/services/dropbear/patches/053-Don-t-limit-channel-window-to-500MB.patch b/package/network/services/dropbear/patches/053-Don-t-limit-channel-window-to-500MB.patch
deleted file mode 100644 (file)
index eb9ab1c..0000000
--- a/package/network/services/dropbear/patches/053-Don-t-limit-channel-window-to-500MB.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From a8610f7b98ad4b33ab723602863d60d462fa5af2 Mon Sep 17 00:00:00 2001
-From: Matt Johnston <[email protected]>
-Date: Sun, 10 Aug 2025 19:46:01 +0800
-Subject: Don't limit channel window to 500MB
-
-Previously the channel window and increments were limited to 500MB.
-That is incorrect and causes stuck connections if peers advertise
-a large window, then don't send an increment within the first 500MB.
-
-That's seen with SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
----
- src/common-channel.c | 17 ++++++++++-------
- src/sysoptions.h     |  3 ---
- 2 files changed, 10 insertions(+), 10 deletions(-)
-
---- a/src/common-channel.c
-+++ b/src/common-channel.c
-@@ -858,17 +858,21 @@ void common_recv_msg_channel_data(struct Channel *channel, int fd,
- void recv_msg_channel_window_adjust() {
-       struct Channel * channel;
--      unsigned int incr;
-+      unsigned int incr, newwin;
-       
-       channel = getchannel();
-       
-       incr = buf_getint(ses.payload);
--      TRACE(("received window increment %d", incr))
--      incr = MIN(incr, TRANS_MAX_WIN_INCR);
-+      TRACE(("received window increment %u", incr))
-       
--      channel->transwindow += incr;
--      channel->transwindow = MIN(channel->transwindow, TRANS_MAX_WINDOW);
--
-+      newwin = channel->transwindow + incr;
-+      if (newwin < channel->transwindow) {
-+              /* Integer overflow, clamp it at maximum.
-+               * Behaviour may be unexpected, senders MUST NOT overflow per rfc4254. */
-+              TRACE(("overflow window, prev %u", channel->transwindow));
-+              newwin = 0xffffffff;
-+      }
-+      channel->transwindow = newwin;
- }
- /* Increment the incoming data window for a channel, and let the remote
-@@ -906,7 +910,6 @@ void recv_msg_channel_open() {
-       remotechan = buf_getint(ses.payload);
-       transwindow = buf_getint(ses.payload);
--      transwindow = MIN(transwindow, TRANS_MAX_WINDOW);
-       transmaxpacket = buf_getint(ses.payload);
-       transmaxpacket = MIN(transmaxpacket, TRANS_MAX_PAYLOAD_LEN);
---- a/src/sysoptions.h
-+++ b/src/sysoptions.h
-@@ -243,9 +243,6 @@
- #define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
- /* for channel code */
--#define TRANS_MAX_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */
--#define TRANS_MAX_WIN_INCR 500000000 /* overflow prevention */
--
- #define RECV_WINDOWEXTEND (opts.recv_window / 3) /* We send a "window extend" every
-                                                               RECV_WINDOWEXTEND bytes */
- #define MAX_RECV_WINDOW (10*1024*1024) /* 10 MB should be enough */
diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
index 9ef8f0cfbc49814b1b6b5cb287d9cfba8f4a7e74..3e8c736a67aa1970bd1937b9e2da7b2aa4891ddc 100644 (file)
--- a/package/network/services/dropbear/patches/110-change_user.patch
+++ b/package/network/services/dropbear/patches/110-change_user.patch
@@ -1,6 +1,6 @@
---- a/src/svr-chansession.c
-+++ b/src/svr-chansession.c
-@@ -984,12 +984,12 @@ static void execchild(const void *user_d
+--- a/src/svr-auth.c
++++ b/src/svr-auth.c
+@@ -510,9 +510,9 @@ void svr_switch_user(void) {
        /* We can only change uid/gid as root ... */
        if (getuid() == 0) {
  
        /* We can only change uid/gid as root ... */
        if (getuid() == 0) {
  
@@ -11,6 +11,11 @@
 +                                              ses.authstate.pw_gid) < 0))) {
                        dropbear_exit("Error changing user group");
                }
 +                                              ses.authstate.pw_gid) < 0))) {
                        dropbear_exit("Error changing user group");
                }
+@@ -534,7 +534,7 @@ void svr_switch_user(void) {
+               }
+ #endif
 -              if (setuid(ses.authstate.pw_uid) < 0) {
 +              if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) {
                        dropbear_exit("Error changing user");
 -              if (setuid(ses.authstate.pw_uid) < 0) {
 +              if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) {
                        dropbear_exit("Error changing user");
diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch
index 746694f48dcf635646a74b53e7d46a410a41987c..74cf2ba05d150d287281bc962bac8d43d87597ce 100644 (file)
--- a/package/network/services/dropbear/patches/900-configure-hardening.patch
+++ b/package/network/services/dropbear/patches/900-configure-hardening.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
 --- a/configure.ac
 +++ b/configure.ac
-@@ -86,54 +86,6 @@ AC_ARG_ENABLE(harden,
+@@ -80,54 +80,6 @@ AC_ARG_ENABLE(harden,
  
  if test "$hardenbuild" -eq 1; then
        AC_MSG_NOTICE(Checking for available hardened build flags:)
  
  if test "$hardenbuild" -eq 1; then
        AC_MSG_NOTICE(Checking for available hardened build flags:)
diff --git a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch
index 4da01c9edb074e0bd1616d59b7eceb8ca22f860a..2bb35ea5a59a861ed9fbc1ae4dd5ecc8dc091079 100644 (file)
--- a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch
+++ b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
 --- a/configure.ac
 +++ b/configure.ac
-@@ -44,11 +44,8 @@ fi
+@@ -38,11 +38,8 @@ fi
  # LTM_CFLAGS is given to ./configure by the user, 
  # DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
  DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"
  # LTM_CFLAGS is given to ./configure by the user, 
  # DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
  DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"
OpenWrt Source Repository