pkgsrc-Changes archive
CVS commit: pkgsrc/security/dropbear
Module Name: pkgsrc
Committed By: adam
Date: Mon Dec 22 08:41:05 UTC 2025
Modified Files:
pkgsrc/security/dropbear: Makefile distinfo
Added Files:
pkgsrc/security/dropbear/patches: patch-localoptions.h
Log Message:
dropbear: updated to 2025.89
2025.89 - 16 December 2025
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
server. Other programs on a system may authenticate unix sockets via
SO_PEERCRED, which would be root user for Dropbear forwarded connections,
allowing root privilege escalation.
Reported by Turistu, and thanks for advice on the fix.
This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
It is fixed by dropping privileges of the dropbear process after
authentication. Unix stream sockets are now disallowed when a
forced command is used, either with authorized_key restrictions or
"dropbear -c command".
In previous affected releases running with "dropbear -j" (will also disable
TCP forwarding) or building with localoptions.h/distrooptions.h
"#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.
- Security: Include scp fix for CVE-2019-6111. This allowed
a malicious server to overwrite arbitrary local files.
The missing fix was reported by Ashish Kunwar.
- Server dropping privileges post-auth is enabled by default. This requires
setresgid() support, so some platforms such as netbsd or macos will have to
disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
not available if DROPBEAR_SVR_DROP_PRIVS is disabled.
Remote server TCP socket forwarding will now use OS privileged port
restrictions rather than having a fixed "allow >=1024 for non-root" rule.
A future release may implement privilege dropping for netbsd/macos.
- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
to a crash at startup with bad_bufptr().
Reported by Dani Schmitt and Sebastian Priebe.
- Don't limit channel window to 500MB. That could cause stuck connections
if peers advise a large window and don't send an increment within 500MB.
Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
Reported by Rob Hague.
- Ignore -g -s when passwords aren't enabled. Patch from Norbert Lange.
Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.
- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.
- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
150-350ms or possibly negative (zero). Reported by pickaxprograms.
- Fix building without public key options. Thanks to Konstantin Demin.
- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin.
- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger.
- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 pkgsrc/security/dropbear/Makefile
cvs rdiff -u -r1.37 -r1.38 pkgsrc/security/dropbear/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/dropbear/patches/patch-localoptions.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/dropbear/Makefile
diff -u pkgsrc/security/dropbear/Makefile:1.45 pkgsrc/security/dropbear/Makefile:1.46
--- pkgsrc/security/dropbear/Makefile:1.45 Thu Jul 24 13:11:37 2025
+++ pkgsrc/security/dropbear/Makefile Mon Dec 22 08:41:05 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.45 2025/07/24 13:11:37 adam Exp $
+# $NetBSD: Makefile,v 1.46 2025/12/22 08:41:05 adam Exp $
-DISTNAME= dropbear-2025.88
+DISTNAME= dropbear-2025.89
CATEGORIES= security
MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/
EXTRACT_SUFX= .tar.bz2
@@ -10,9 +10,10 @@ HOMEPAGE= https://matt.ucc.asn.au/dropbe
COMMENT= Small SSH2 server and client, aimed at embedded market
LICENSE= modified-bsd
-GNU_CONFIGURE= yes
-CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR} --disable-bundled-libtom
USE_TOOLS+= gmake
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --disable-bundled-libtom
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
.include "../../x11/xauth/builtin.mk"
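Review bot: the move of GNU_CONFIGURE below USE_TOOLS and the split of CONFIGURE_ARGS into two lines in this hunk is cosmetic reordering unrelated to the 2025.89 update the log describes; keeping such churn out of a security update (or mentioning it in the log) makes the security-relevant part of the diff easier to audit.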
@@ -40,7 +41,7 @@ SUBST_CLASSES+= config
SUBST_MESSAGE.config= Fixing path to config directory.
SUBST_STAGE.config= post-build
SUBST_FILES.config= manpages/dropbear.8 manpages/dropbearkey.1
-SUBST_SED.config= -e "s,/etc/dropbear/,${PKG_SYSCONFDIR:Q},g"
+SUBST_SED.config= -e "s,/etc/dropbear/,${PKG_SYSCONFDIR},g"
post-install:
${INSTALL_PROGRAM} ${WRKSRC}/scp ${DESTDIR}${PREFIX}/bin/dbscp
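Review bot: dropping the `:Q` modifier from `${PKG_SYSCONFDIR}` in SUBST_SED.config changes how the value is quoted when the sed expression is assembled. For an ordinary path it is harmless, but a sysconfdir containing a comma (the delimiter used in `s,/etc/dropbear/,${PKG_SYSCONFDIR},g`), an `&`, or shell metacharacters would now break the substitution; confirm that mk/subst.mk's own quoting of SUBST_SED covers the value, and say in the log why `:Q` was removed.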
Index: pkgsrc/security/dropbear/distinfo
diff -u pkgsrc/security/dropbear/distinfo:1.37 pkgsrc/security/dropbear/distinfo:1.38
--- pkgsrc/security/dropbear/distinfo:1.37 Thu Jul 24 13:11:37 2025
+++ pkgsrc/security/dropbear/distinfo Mon Dec 22 08:41:05 2025
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.37 2025/07/24 13:11:37 adam Exp $
+$NetBSD: distinfo,v 1.38 2025/12/22 08:41:05 adam Exp $
-BLAKE2s (dropbear-2025.88.tar.bz2) = 0b61f76f893fefabdf5c2ae14662da42e43aadaa86acd93b1d9112f02de4d921
-SHA512 (dropbear-2025.88.tar.bz2) = 71194f4792287b9e56e07cfa9a3e97d23b7fda82c858e0219d0d54aee48e77892997330ad1af5654a738b970965a92a79468bbf5c8ba0358b046fd053dfc87ed
-Size (dropbear-2025.88.tar.bz2) = 2370480 bytes
+BLAKE2s (dropbear-2025.89.tar.bz2) = 84ec99f426e966d0441c4420a1ca8f3311e10ed68fc8b684bd877ba02b8d7255
+SHA512 (dropbear-2025.89.tar.bz2) = 5420b0c6de08c2e796abe9d0819ce322e244a0d9670678dc750aa07da8426a782b7f8685fa65c8fe053fc5ae0118cc5f31fe7b60d817e6c57000a189f2c97176
+Size (dropbear-2025.89.tar.bz2) = 2374006 bytes
SHA1 (patch-Makefile.in) = 0bb649ed8688666513c35e139e7e349fd83b3a1b
SHA1 (patch-configure) = b17f647043b212adda53aad7fb8dc7e639be9494
+SHA1 (patch-localoptions.h) = 59ddfe3717e7fb961f597be7645557e11bd6e9fb
SHA1 (patch-src_default__options.h) = c0be06f186a4fb07ad0aedc26047f7077847e75a
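Review bot: the new BLAKE2s/SHA512/Size lines for dropbear-2025.89.tar.bz2 record what was fetched, not that it was authentic; given that this release carries the CVE-2025-14282 fix and the re-added CVE-2019-6111 scp fix, the log should state that the tarball was checked against upstream's detached signature before the checksums were recorded. The added SHA1 line for patch-localoptions.h corresponds to the new patch file in this commit.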
Added files:
Index: pkgsrc/security/dropbear/patches/patch-localoptions.h
diff -u /dev/null pkgsrc/security/dropbear/patches/patch-localoptions.h:1.1
--- /dev/null Mon Dec 22 08:41:05 2025
+++ pkgsrc/security/dropbear/patches/patch-localoptions.h Mon Dec 22 08:41:05 2025
@@ -0,0 +1,11 @@
+$NetBSD: patch-localoptions.h,v 1.1 2025/12/22 08:41:05 adam Exp $
+
+Darwin and NetBSD do not have setresgid().
+
+--- localoptions.h.orig 2025-12-22 08:27:44.271032869 +0000
++++ localoptions.h
+@@ -0,0 +1,4 @@
++#if defined(__APPLE__) || defined(__NetBSD__)
++#define DROPBEAR_SVR_LOCALSTREAMFWD 0
++#define DROPBEAR_SVR_DROP_PRIVS 0
++#endif
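Review bot: the `#if defined(__APPLE__) || defined(__NetBSD__)` guard hard-codes two platforms, while the condition stated in the patch header is the absence of setresgid(); any other pkgsrc platform lacking it will still fail to build with DROPBEAR_SVR_DROP_PRIVS on by default, so keying this on a configure-time check for setresgid() or on a pkgsrc OPSYS-driven define would be more robust. Creating localoptions.h through a patch against /dev/null also works but is unusual; generating the file in a post-extract target would make the intent clearer. Since disabling DROPBEAR_SVR_DROP_PRIVS means the server keeps its privileges after authentication on NetBSD and Darwin, and the accompanying `DROPBEAR_SVR_LOCALSTREAMFWD 0` is required rather than optional (the log notes unix stream forwarding is unavailable when DROPBEAR_SVR_DROP_PRIVS is disabled), a sentence to that effect in the patch header or a MESSAGE file for users on those platforms would be appropriate.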