From 70a4da1cebc87fc7b3cfa3f634b5bdf3db12ccd5 Mon Sep 17 00:00:00 2001 
From: =?utf8?q?Petr=20=C5=A0tetiar?= Date: Tue, 16 Dec 2025 16:42:19 +0000 Subject: [PATCH] dropbear: bump to 2025.89 (CVE-2025-14282, CVE-2019-6111) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit - Security: Avoid privilege escalation via unix stream forwarding in Dropbear server. Other programs on a system may authenticate unix sockets via SO_PEERCRED, which would be root user for Dropbear forwarded connections, allowing root privilege escalation. Reported by Turistu, and thanks for advice on the fix. This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88. It is fixed by dropping privileges of the dropbear process after authentication. Unix stream sockets are now disallowed when a forced command is used, either with authorized_key restrictions or "dropbear -c command". In previous affected releases running with "dropbear -j" (will also disable TCP fowarding) or building with localoptions.h/distrooptions.h "#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation. - Security: Include scp fix for CVE-2019-6111. This allowed a malicious server to overwrite arbitrary local files. The missing fix was reported by Ashish Kunwar. - Server dropping privileges post-auth is enabled by default. This requires setresgid() support, so some platforms such as netbsd or macos will have to disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is not available if DROPBEAR_SVR_DROP_PRIVS is disabled. Remote server TCP socket forwarding will now use OS privileged port restrictions rather than having a fixed "allow >=1024 for non-root" rule. A future release may implement privilege dropping for netbsd/macos. - Fix a regression in 2025.87 when RSA and DSS are not built. This would lead to a crash at startup with bad_bufptr(). Reported by Dani Schmitt and Sebastian Priebe. - Don't limit channel window to 500MB. 
That could cause stuck connections if peers advise a large window and don't send an increment within 500MB. Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671 Reported by Rob Hague. - Ignore -g -s when passwords aren't enabled. Patch from Norbert Lange. Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled. - Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean. - Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually 150-350ms or possibly negative (zero). Reported by pickaxprograms. - Fix building without public key options. Thanks to Konstantin Demin - Fix building with proxycmd but without netcat. Thanks to Konstantin Demin - Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger - Fix SO_REUSEADDR for TCP tests, reported by vt-alt. Dropped: * 050-dropbear-multihop-fix.patch as it's included in the release 5cc0127000db5f * 051-fix-pubkey-options.patch as it's included in the release 1d4c4a542cd5df * 052-fix-missing-depends-for-sntrup761x25519-sha512.patch as it's included in the release 1a2c1e649a1824 * 053-Don-t-limit-channel-window-to-500MB.patch as it's included in the release a8610f7b98ad Manually rebased: * 110-change_user.patch Fixes: CVE-2025-14282, CVE-2019-6111 Reviewed-by: Hauke Mehrtens Reviewed-by: Konstantin Demin Tested-by: Konstantin Demin [mediatek/filogic (GL.iNet GL-MT6000)] Link: https://github.com/openwrt/openwrt/pull/21186
Signed-off-by: Petr Štetiar
---
 package/network/services/dropbear/Makefile | 6 +-
 .../patches/050-dropbear-multihop-fix.patch | 70 -------------------
 .../patches/051-fix-pubkey-options.patch | 47 -------------
 ...g-depends-for-sntrup761x25519-sha512.patch | 24 -------
 ...-Don-t-limit-channel-window-to-500MB.patch | 65 -----------------
 .../dropbear/patches/110-change_user.patch | 11 ++-
 .../patches/900-configure-hardening.patch | 2 +-
 .../patches/901-bundled-libs-cflags.patch | 2 +-
 8 files changed, 13 insertions(+), 214 deletions(-)
 delete mode 100644 package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch
 delete mode 100644 package/network/services/dropbear/patches/051-fix-pubkey-options.patch
 delete mode 100644 package/network/services/dropbear/patches/052-fix-missing-depends-for-sntrup761x25519-sha512.patch
 delete mode 100644 package/network/services/dropbear/patches/053-Don-t-limit-channel-window-to-500MB.patch

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 59aff2f7cf..457f099fdd 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2025.88
-PKG_RELEASE:=4
+PKG_VERSION:=2025.89
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	https://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_HASH:=783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4
+PKG_HASH:=0d1f7ca711cfc336dc8a85e672cab9cfd8223a02fe2da0a4a7aeb58c9e113634
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
 
diff --git a/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch b/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch
deleted file mode 100644
index d8d6ff18c9..0000000000
--- a/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001 -From: Konstantin Demin -Date: Fri, 9 May 2025 22:39:35 +0300 -Subject: Fix proxycmd without netcat - -fixes e5a0ef27c2 "Execute multihop commands directly, no shell" - -Signed-off-by: Konstantin Demin -Forwarded: https://github.com/mkj/dropbear/pull/363 ---- - src/cli-main.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - ---- a/src/cli-main.c -+++ b/src/cli-main.c -@@ -77,7 +77,11 @@ int main(int argc, char ** argv) { - } - - #if DROPBEAR_CLI_PROXYCMD -- if (cli_opts.proxycmd || cli_opts.proxyexec) { -+ if (cli_opts.proxycmd -+#if DROPBEAR_CLI_MULTIHOP -+ || cli_opts.proxyexec -+#endif -+ ) { - cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid); - if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR || - signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR || -@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void * - dropbear_exit("Failed to run '%s'\n", cmd); - } - -+#if DROPBEAR_CLI_MULTIHOP - static void exec_proxy_cmd(const void *unused) { - (void)unused; - run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd); - dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]); - } -+#endif - - static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { - char * cmd_arg = NULL; -@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, - cmd_arg = m_malloc(shell_cmdlen); - snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd); - exec_fn = shell_proxy_cmd; -+#if DROPBEAR_CLI_MULTIHOP - } else { - /* No shell */ - exec_fn = exec_proxy_cmd; -+#endif - } - - ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out); -@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, - cleanup: - m_free(cli_opts.proxycmd); - m_free(cmd_arg); -+#if DROPBEAR_CLI_MULTIHOP - if (cli_opts.proxyexec) { - char **a = NULL; - for (a = cli_opts.proxyexec; *a; a++) { -@@ -166,6 +175,7 @@ cleanup: - } - 
m_free(cli_opts.proxyexec); - } -+#endif - } - - static void kill_proxy_sighandler(int UNUSED(signo)) { diff --git a/package/network/services/dropbear/patches/051-fix-pubkey-options.patch b/package/network/services/dropbear/patches/051-fix-pubkey-options.patch deleted file mode 100644 index ce0a524657..0000000000 --- a/package/network/services/dropbear/patches/051-fix-pubkey-options.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 91877a0337f432fd29bb1041be5599ea706e5de6 Mon Sep 17 00:00:00 2001 -From: Konstantin Demin -Date: Thu, 31 Jul 2025 14:13:35 +0300 -Subject: fix build without pubkey options - -fixes: -- 98ef42a856 "Don't set pubkey_info directly in checkpubkey_line" -- 62ea53c1e5 "Implement no-touch-required and verify-requred for authorized_keys file" - -Signed-off-by: Konstantin Demin -Forwarded: https://github.com/mkj/dropbear/pull/374 ---- - src/svr-authpubkey.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - ---- a/src/svr-authpubkey.c -+++ b/src/svr-authpubkey.c -@@ -186,12 +186,14 @@ void svr_auth_pubkey(int valid_user) { - - #if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519 - key->sk_flags_mask = SSH_SK_USER_PRESENCE_REQD; -+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT - if (ses.authstate.pubkey_options && ses.authstate.pubkey_options->no_touch_required_flag) { - key->sk_flags_mask &= ~SSH_SK_USER_PRESENCE_REQD; - } - if (ses.authstate.pubkey_options && ses.authstate.pubkey_options->verify_required_flag) { - key->sk_flags_mask |= SSH_SK_USER_VERIFICATION_REQD; - } -+#endif /* DROPBEAR_SVR_PUBKEY_OPTIONS */ - #endif - - /* create the data which has been signed - this a string containing -@@ -513,7 +515,13 @@ static int checkpubkey(const char* keyal - line_num++; - - ret = checkpubkey_line(line, line_num, filename, keyalgo, keyalgolen, -- keyblob, keybloblen, &ses.authstate.pubkey_info); -+ keyblob, keybloblen, -+#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT -+ &ses.authstate.pubkey_info -+#else -+ NULL -+#endif -+ ); - if (ret == DROPBEAR_SUCCESS) { - break; - } diff --git a/package/network/services/dropbear/patches/052-fix-missing-depends-for-sntrup761x25519-sha512.patch b/package/network/services/dropbear/patches/052-fix-missing-depends-for-sntrup761x25519-sha512.patch deleted file mode 100644 index 82edb7cd72..0000000000 --- a/package/network/services/dropbear/patches/052-fix-missing-depends-for-sntrup761x25519-sha512.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From 4bc1e18948d0918bcb1338a5f1e7856478abf985 Mon Sep 17 00:00:00 2001 -From: Konstantin Demin -Date: Fri, 8 Aug 2025 10:02:44 +0300 -Subject: fix missing depends for sntrup761x25519-sha512 - -fixes 440b7b5c4f "Add sntrup761x25519-sha512 post-quantum key exchange" - -Signed-off-by: Konstantin Demin -Forwarded: https://github.com/mkj/dropbear/pull/375 ---- - src/sysoptions.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/src/sysoptions.h -+++ b/src/sysoptions.h -@@ -207,7 +207,7 @@ - /* LTC SHA384 depends on SHA512 */ - #define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \ - || (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16) \ -- || (DROPBEAR_ED25519)) -+ || (DROPBEAR_ED25519) || (DROPBEAR_SNTRUP761)) - - #define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1)) - diff --git a/package/network/services/dropbear/patches/053-Don-t-limit-channel-window-to-500MB.patch b/package/network/services/dropbear/patches/053-Don-t-limit-channel-window-to-500MB.patch deleted file mode 100644 index eb9ab1cc21..0000000000 --- a/package/network/services/dropbear/patches/053-Don-t-limit-channel-window-to-500MB.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From a8610f7b98ad4b33ab723602863d60d462fa5af2 Mon Sep 17 00:00:00 2001 -From: Matt Johnston -Date: Sun, 10 Aug 2025 19:46:01 +0800 -Subject: Don't limit channel window to 500MB - -Previously the channel window and increments were limited to 500MB. -That is incorrect and causes stuck connections if peers advertise -a large window, then don't send an increment within the first 500MB. - -That's seen with SSH.NET https://github.com/sshnet/SSH.NET/issues/1671 ---- - src/common-channel.c | 17 ++++++++++------- - src/sysoptions.h | 3 --- - 2 files changed, 10 insertions(+), 10 deletions(-) - ---- a/src/common-channel.c -+++ b/src/common-channel.c -@@ -858,17 +858,21 @@ void common_recv_msg_channel_data(struct Channel *channel, int fd, - void recv_msg_channel_window_adjust() { - - struct Channel * channel; -- unsigned int incr; -+ unsigned int incr, newwin; - - channel = getchannel(); - - incr = buf_getint(ses.payload); -- TRACE(("received window increment %d", incr)) -- incr = MIN(incr, TRANS_MAX_WIN_INCR); -+ TRACE(("received window increment %u", incr)) - -- channel->transwindow += incr; -- channel->transwindow = MIN(channel->transwindow, TRANS_MAX_WINDOW); -- -+ newwin = channel->transwindow + incr; -+ if (newwin < channel->transwindow) { -+ /* Integer overflow, clamp it at maximum. -+ * Behaviour may be unexpected, senders MUST NOT overflow per rfc4254. 
*/ -+ TRACE(("overflow window, prev %u", channel->transwindow)); -+ newwin = 0xffffffff; -+ } -+ channel->transwindow = newwin; - } - - /* Increment the incoming data window for a channel, and let the remote -@@ -906,7 +910,6 @@ void recv_msg_channel_open() { - - remotechan = buf_getint(ses.payload); - transwindow = buf_getint(ses.payload); -- transwindow = MIN(transwindow, TRANS_MAX_WINDOW); - transmaxpacket = buf_getint(ses.payload); - transmaxpacket = MIN(transmaxpacket, TRANS_MAX_PAYLOAD_LEN); - ---- a/src/sysoptions.h -+++ b/src/sysoptions.h -@@ -243,9 +243,6 @@ - #define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100))) - - /* for channel code */ --#define TRANS_MAX_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */ --#define TRANS_MAX_WIN_INCR 500000000 /* overflow prevention */ -- - #define RECV_WINDOWEXTEND (opts.recv_window / 3) /* We send a "window extend" every - RECV_WINDOWEXTEND bytes */ - #define MAX_RECV_WINDOW (10*1024*1024) /* 10 MB should be enough */ diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch index 9ef8f0cfbc..3e8c736a67 100644 --- a/package/network/services/dropbear/patches/110-change_user.patch +++ b/package/network/services/dropbear/patches/110-change_user.patch @@ -1,6 +1,6 @@ ---- a/src/svr-chansession.c -+++ b/src/svr-chansession.c -@@ -984,12 +984,12 @@ static void execchild(const void *user_d +--- a/src/svr-auth.c ++++ b/src/svr-auth.c +@@ -510,9 +510,9 @@ void svr_switch_user(void) { /* We can only change uid/gid as root ... */ if (getuid() == 0) { @@ -11,6 +11,11 @@ + ses.authstate.pw_gid) < 0))) { dropbear_exit("Error changing user group"); } + +@@ -534,7 +534,7 @@ void svr_switch_user(void) { + } + #endif + - if (setuid(ses.authstate.pw_uid) < 0) { + if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) { dropbear_exit("Error changing user"); 
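Review bot: The rebased 110-change_user.patch still carries no description, and after this rebase its `(ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)` guard (plus, judging from the visible tail `ses.authstate.pw_gid) < 0))) {`, a matching guard on the group change) lives in svr_switch_user() in svr-auth.c instead of the per-session execchild() path, which by the commit message appears to be the post-authentication privilege drop that 2025.89 relies on for CVE-2025-14282. Skipping setuid(0) while already uid 0 is a no-op, so the uid guard only changes the error path, but a header paragraph at the top of the patch stating that, and stating which OpenWrt setup needs the relaxed group check, would let the next rebase verify the intent instead of re-deriving it. The new hunk header `@@ -534,7 +534,7 @@` sits directly after an `#endif`, so whatever conditional block precedes the setuid() call is outside this patch and cannot be checked from the diff; the note should also say whether the gid guard is meant to apply before or after that block. svr_switch_user() begins and ends outside the hunk.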
diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch
index 746694f48d..74cf2ba05d 100644
--- a/package/network/services/dropbear/patches/900-configure-hardening.patch
+++ b/package/network/services/dropbear/patches/900-configure-hardening.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -86,54 +86,6 @@ AC_ARG_ENABLE(harden,
+@@ -80,54 +80,6 @@ AC_ARG_ENABLE(harden,
  if test "$hardenbuild" -eq 1; then
  	AC_MSG_NOTICE(Checking for available hardened build flags:)
  
diff --git a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch
index 4da01c9edb..2bb35ea5a5 100644
--- a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch
+++ b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -44,11 +44,8 @@ fi
+@@ -38,11 +38,8 @@ fi
  # LTM_CFLAGS is given to ./configure by the user,
  # DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
  DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"

-- 
2.30.2