openwrt-mirror/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-12-21 17:04:28 +04:00
Code Issues Packages Projects Releases Wiki Activity
Files
70a4da1cebc87fc7b3cfa3f634b5bdf3db12ccd5
openwrt/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch
Petr Štetiar 70a4da1ceb dropbear: bump to 2025.89 (CVE-2025-14282, CVE-2019-6111) 
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
  server. Other programs on a system may authenticate unix sockets via
  SO_PEERCRED, which would be root user for Dropbear forwarded connections,
  allowing root privilege escalation.
  Reported by Turistu, and thanks for advice on the fix.
  This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.

  It is fixed by dropping privileges of the dropbear process after
  authentication. Unix stream sockets are now disallowed when a
  forced command is used, either with authorized_key restrictions or
  "dropbear -c command".

  In previous affected releases running with "dropbear -j" (will also disable
  TCP fowarding) or building with localoptions.h/distrooptions.h
  "#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.

- Security: Include scp fix for CVE-2019-6111. This allowed
  a malicious server to overwrite arbitrary local files.
  The missing fix was reported by Ashish Kunwar.

- Server dropping privileges post-auth is enabled by default. This requires
  setresgid() support, so some platforms such as netbsd or macos will have to
  disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
  not available if DROPBEAR_SVR_DROP_PRIVS is disabled.

  Remote server TCP socket forwarding will now use OS privileged port
  restrictions rather than having a fixed "allow >=1024 for non-root" rule.

  A future release may implement privilege dropping for netbsd/macos.

- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
  to a crash at startup with bad_bufptr().
  Reported by Dani Schmitt and Sebastian Priebe.

- Don't limit channel window to 500MB. That is could cause stuck connections
  if peers advise a large window and don't send an increment within 500MB.
  Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
  Reported by Rob Hague.

- Ignore -g -s when passwords arent enabled. Patch from Norbert Lange.
  Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.

- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.

- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
  150-350ms or possibly negative (zero). Reported by pickaxprograms.

- Fix building without public key options. Thanks to Konstantin Demin

- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin

- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger

- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.

Dropped:

 * 050-dropbear-multihop-fix.patch as its included in the release 5cc0127000db5f
 * 051-fix-pubkey-options.patch as its included in the release 1d4c4a542cd5df
 * 052-fix-missing-depends-for-sntrup761x25519-sha512.patch as its included
   in the release 1a2c1e649a1824
 * 053-Don-t-limit-channel-window-to-500MB.patch as its included in the release a8610f7b98ad

Manually rebased:

 * 110-change_user.patch

Fixes: CVE-2025-14282, CVE-2019-6111
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Konstantin Demin <rockdrilla@gmail.com>
Tested-by: Konstantin Demin <rockdrilla@gmail.com> [mediatek/filogic (GL.iNet GL-MT6000)]
Link: https://github.com/openwrt/openwrt/pull/21186
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2025-12-17 03:57:50 +00:00

30 lines
1.0 KiB
Diff
Raw Blame History

--- a/configure.ac
+++ b/configure.ac
@@ -38,11 +38,8 @@ fi
# LTM_CFLAGS is given to ./configure by the user,
# DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"
-if test -z "$DROPBEAR_LTM_CFLAGS"; then
- DROPBEAR_LTM_CFLAGS="-O3 -funroll-loops -fomit-frame-pointer"
-fi
-AC_MSG_NOTICE(Setting LTM_CFLAGS to $DROPBEAR_LTM_CFLAGS)
-AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Default -O3 -funroll-loops -fomit-frame-pointer)
+AC_MSG_NOTICE(Setting LTM_CFLAGS to '$DROPBEAR_LTM_CFLAGS')
+AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Defaults to empty string)
AC_SUBST(DROPBEAR_LTM_CFLAGS)
AC_MSG_NOTICE([Checking if compiler '$CC' supports -Wno-pointer-sign])
--- a/libtomcrypt/src/headers/tomcrypt_dropbear.h
+++ b/libtomcrypt/src/headers/tomcrypt_dropbear.h
@@ -7,8 +7,10 @@
/* Use small code where possible */
#if DROPBEAR_SMALL_CODE
+#ifndef LTC_SMALL_CODE
#define LTC_SMALL_CODE
#endif
+#endif
/* Fewer entries needed */
#define TAB_SIZE 5
Reference in New Issue View Git Blame Copy Permalink