Message ID | 20250813103556.3543733-1-praveen.kumar@windriver.com |
---|---|
State | New |
Series | [walnascar,1/1] dropbear: upgrade 2024.86 -> dropbear_2025.88 | expand |
This is a feature version update so as such usually not backported to older branches. Patch for this CVE is anyway already on stable/walnascar-nut branch. Peter > -----Original Message----- > From: Praveen Kumar <praveen.kumar@windriver.com> > Sent: Wednesday, August 13, 2025 12:36 > To: openembedded-core@lists.openembedded.org > Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>; Richard > Purdie <richard.purdie@linuxfoundation.org>; Praveen Kumar > <praveen.kumar@windriver.com> > Subject: [oe-core][walnascar][PATCH 1/1] dropbear: upgrade 2024.86 -> > dropbear_2025.88 > > From: Peter Marko <peter.marko@siemens.com> > > Handles CVE-2025-47203 > > SHA1 algorithms were removed by default, so patch for disabling it was > removed together with its package option. Doing it with conditional > patch was anyway a bad design. If someone still needs it, it should be > done via sed command on the config file. > > Refreshed remaining patches. > > Added patch to fix regression of the CVE fix. > > Signed-off-by: Peter Marko <peter.marko@siemens.com> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > (cherry picked from commit c01205e7a4816d78e99d01f86a396ab23d9bde34) > > Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > --- > .../0001-Fix-proxycmd-without-netcat.patch | 74 +++++++++++++++++++ > ...1-urandom-xauth-changes-to-options.h.patch | 2 +- > .../dropbear-disable-weak-ciphers.patch | 28 ------- > ...ropbear_2024.86.bb => dropbear_2025.88.bb} | 8 +- > 4 files changed, 79 insertions(+), 33 deletions(-) > create mode 100644 meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd- > without-netcat.patch > delete mode 100644 meta/recipes-core/dropbear/dropbear/dropbear-disable-weak- > ciphers.patch > rename meta/recipes-core/dropbear/{dropbear_2024.86.bb => > dropbear_2025.88.bb} (93%) 
> > diff --git a/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without- > netcat.patch b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without- > netcat.patch > new file mode 100644 > index 00000000000..3e230b80a15 > --- /dev/null > +++ b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without- > netcat.patch 
> @@ -0,0 +1,74 @@ > +From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001 > +From: Konstantin Demin <rockdrilla@gmail.com> > +Date: Fri, 9 May 2025 22:39:35 +0300 > +Subject: [PATCH] Fix proxycmd without netcat > + > +fixes e5a0ef27c2 "Execute multihop commands directly, no shell" > + > +Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> > + > +Upstream-Status: Backport > [https://github.com/mkj/dropbear/commit/5cc0127000db5f7567b54d0495fb91a8e4 > 52fe09] > +Signed-off-by: Peter Marko <peter.marko@siemens.com> > +--- > + src/cli-main.c | 12 +++++++++++- > + 1 file changed, 11 insertions(+), 1 deletion(-) > + > +diff --git a/src/cli-main.c b/src/cli-main.c > +index 2fafa88..0a052a3 100644 > +--- a/src/cli-main.c > ++++ b/src/cli-main.c > +@@ -77,7 +77,11 @@ int main(int argc, char ** argv) { > + } > + > + #if DROPBEAR_CLI_PROXYCMD > +- if (cli_opts.proxycmd || cli_opts.proxyexec) { > ++ if (cli_opts.proxycmd > ++#if DROPBEAR_CLI_MULTIHOP > ++ || cli_opts.proxyexec > ++#endif > ++ ) { > + cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid); > + if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR || > + signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR || > +@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void > *user_data_cmd) { > + dropbear_exit("Failed to run '%s'\n", cmd); > + } > + > ++#if DROPBEAR_CLI_MULTIHOP > + static void exec_proxy_cmd(const void *unused) { > + (void)unused; > + run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd); > + dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]); > + } > ++#endif > + > + static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { > + char * cmd_arg = NULL; > +@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, > pid_t *pid_out) { > + cmd_arg = m_malloc(shell_cmdlen); > + snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd); > + exec_fn = shell_proxy_cmd; > ++#if DROPBEAR_CLI_MULTIHOP > + } else { > + /* No shell */ > + 
exec_fn = exec_proxy_cmd; > ++#endif > + } > + > + ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, > pid_out); > +@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, > pid_t *pid_out) { > + cleanup: > + m_free(cli_opts.proxycmd); > + m_free(cmd_arg); > ++#if DROPBEAR_CLI_MULTIHOP > + if (cli_opts.proxyexec) { > + char **a = NULL; > + for (a = cli_opts.proxyexec; *a; a++) { > +@@ -166,6 +175,7 @@ cleanup: > + } > + m_free(cli_opts.proxyexec); > + } > ++#endif > + } > + > + static void kill_proxy_sighandler(int UNUSED(signo)) { > diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to- > options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth- > changes-to-options.h.patch > index 9c1dd3f6061..0687e5dab1f 100644 > --- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to- > options.h.patch > +++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to- > options.h.patch > @@ -12,7 +12,7 @@ diff --git a/src/default_options.h b/src/default_options.h > index 6e970bb..ccc8b47 100644 > --- a/src/default_options.h > +++ b/src/default_options.h > -@@ -311,7 +311,7 @@ group1 in Dropbear server too */ > +@@ -317,7 +317,7 @@ group1 in Dropbear server too */ > > /* The command to invoke for xauth when using X11 forwarding. > * "-q" for quiet */ > diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak- > ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak- > ciphers.patch > deleted file mode 100644 > index a20781d31df..00000000000 > --- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch > +++ /dev/null 
> @@ -1,28 +0,0 @@ > -From c8a0c8e87b772576f3a431c3b4cacaf5aa001dcc Mon Sep 17 00:00:00 2001 > -From: Joseph Reynolds <joseph.reynolds1@ibm.com> > -Date: Thu, 20 Jun 2019 16:29:15 -0500 > -Subject: [PATCH] dropbear: new feature: disable-weak-ciphers > - > -This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers > -in the dropbear ssh server and client since they're considered weak ciphers > -and we want to support the stong algorithms. > - > -Upstream-Status: Inappropriate [configuration] > -Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com> > ---- > - src/default_options.h | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/src/default_options.h b/src/default_options.h > -index 12768d1..2b07497 100644 > ---- a/src/default_options.h > -+++ b/src/default_options.h > -@@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after > changes */ > - * Small systems should generally include either curve25519 or ecdh for > performance. > - * curve25519 is less widely supported but is faster > - */ > --#define DROPBEAR_DH_GROUP14_SHA1 1 > -+#define DROPBEAR_DH_GROUP14_SHA1 0 > - #define DROPBEAR_DH_GROUP14_SHA256 1 > - #define DROPBEAR_DH_GROUP16 0 > - #define DROPBEAR_CURVE25519 1 > diff --git a/meta/recipes-core/dropbear/dropbear_2024.86.bb b/meta/recipes- > core/dropbear/dropbear_2025.88.bb > similarity index 93% > rename from meta/recipes-core/dropbear/dropbear_2024.86.bb > rename to meta/recipes-core/dropbear/dropbear_2025.88.bb > index be246a0ccd5..f203763b173 100644 > --- a/meta/recipes-core/dropbear/dropbear_2024.86.bb > +++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb 
> @@ -19,11 +19,12 @@ SRC_URI = > "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ > file://dropbear@.service \ > file://dropbear.socket \ > file://dropbear.default \ > + file://0001-Fix-proxycmd-without-netcat.patch \ > ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', > d)} \ > - ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', > 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ > " > > -SRC_URI[sha256sum] = > "e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e" > +SRC_URI[sha256sum] = > "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4" > +MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ > https://dropbear.nl/mirror/releases/" > > PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ > file://0006-dropbear-configuration-file.patch \ > @@ -47,10 +48,9 @@ SBINCOMMANDS = "dropbear dropbearkey > dropbearconvert" > BINCOMMANDS = "dbclient ssh scp" > EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' > > -PACKAGECONFIG ?= "disable-weak-ciphers > ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" > +PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" > PACKAGECONFIG[pam] = "--enable-pam,--disable- > pam,libpam,${PAM_PLUGINS}" > PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled- > libtom,libtommath libtomcrypt" > -PACKAGECONFIG[disable-weak-ciphers] = "" > PACKAGECONFIG[enable-x11-forwarding] = "" > > # This option appends to CFLAGS and LDFLAGS from OE > -- > 2.40.0
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information: --- Testing patch /home/patchtest/share/mboxes/walnascar-1-1-dropbear-upgrade-2024.86---dropbear_2025.88.patch FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format) PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files) PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore) PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence) PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence) PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format) PASS: test author valid (test_mbox.TestMbox.test_author_valid) PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence) PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags) PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned) PASS: test max line length (test_metadata.TestMetadata.test_max_line_length) PASS: test mbox format (test_mbox.TestMbox.test_mbox_format) PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade) PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format) PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length) PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files) PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list) SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint) SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format) SKIP: test lic files chksum presence: No added 
recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence) SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence) SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint) SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head) SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence) --- Please address the issues identified and submit a new revision of the patch, or alternatively, reply to this email with an explanation of why the patch should be accepted. If you believe these results are due to an error in patchtest, please submit a bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category under 'Yocto Project Subprojects'). For more information on specific failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank you!
diff --git a/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
new file mode 100644
index 00000000000..3e230b80a15
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
@@ -0,0 +1,74 @@
+From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001
+From: Konstantin Demin <rockdrilla@gmail.com>
+Date: Fri, 9 May 2025 22:39:35 +0300
+Subject: [PATCH] Fix proxycmd without netcat
+
+fixes e5a0ef27c2 "Execute multihop commands directly, no shell"
+
+Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
+
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/5cc0127000db5f7567b54d0495fb91a8e452fe09]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/cli-main.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/cli-main.c b/src/cli-main.c
+index 2fafa88..0a052a3 100644
+--- a/src/cli-main.c
++++ b/src/cli-main.c
+@@ -77,7 +77,11 @@ int main(int argc, char ** argv) {
+ }
+ 
+ #if DROPBEAR_CLI_PROXYCMD
+- if (cli_opts.proxycmd || cli_opts.proxyexec) {
++ if (cli_opts.proxycmd
++#if DROPBEAR_CLI_MULTIHOP
++ || cli_opts.proxyexec
++#endif
++ ) {
+ cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
+ if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
+ signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
+@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) {
+ dropbear_exit("Failed to run '%s'\n", cmd);
+ }
+ 
++#if DROPBEAR_CLI_MULTIHOP
+ static void exec_proxy_cmd(const void *unused) {
+ (void)unused;
+ run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
+ dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
+ }
++#endif
+ 
+ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+ char * cmd_arg = NULL;
+@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+ cmd_arg = m_malloc(shell_cmdlen);
+ snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
+ exec_fn = shell_proxy_cmd;
++#if DROPBEAR_CLI_MULTIHOP
+ } else {
+ /* No shell */
+ exec_fn = exec_proxy_cmd;
++#endif
+ }
+ 
+ ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
+@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+ cleanup:
+ m_free(cli_opts.proxycmd);
+ m_free(cmd_arg);
++#if DROPBEAR_CLI_MULTIHOP
+ if (cli_opts.proxyexec) {
+ char **a = NULL;
+ for (a = cli_opts.proxyexec; *a; a++) {
+@@ -166,6 +175,7 @@ cleanup:
+ }
+ m_free(cli_opts.proxyexec);
+ }
++#endif
+ }
+ 
+ static void kill_proxy_sighandler(int UNUSED(signo)) {
diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
index 9c1dd3f6061..0687e5dab1f 100644
--- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
+++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
@@ -12,7 +12,7 @@ diff --git a/src/default_options.h b/src/default_options.h
 index 6e970bb..ccc8b47 100644
 --- a/src/default_options.h
 +++ b/src/default_options.h
-@@ -311,7 +311,7 @@ group1 in Dropbear server too */
+@@ -317,7 +317,7 @@ group1 in Dropbear server too */
 
 /* The command to invoke for xauth when using X11 forwarding.
 * "-q" for quiet */
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
deleted file mode 100644
index a20781d31df..00000000000
--- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
+++ /dev/null
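Review bot: The header of the new 0001-Fix-proxycmd-without-netcat.patch explains the change only as `fixes e5a0ef27c2 "Execute multihop commands directly, no shell"` and never says what the regression is, so a maintainer refreshing this file on the stable branch has to reverse-engineer it. Judging from the hunks, which wrap every use of `cli_opts.proxyexec` and the whole of `exec_proxy_cmd` in `#if DROPBEAR_CLI_MULTIHOP`, the failure looks like a client build with DROPBEAR_CLI_PROXYCMD enabled but DROPBEAR_CLI_MULTIHOP disabled, where `proxyexec` presumably does not exist; that should be confirmed and stated in one sentence above the Upstream-Status line. The same header should also say that this is the follow-up to the CVE-2025-47203 fix named in the commit message, so the two stay linked for anyone auditing the branch. The functions touched in cli-main.c (main and cli_proxy_cmd) start and end outside the nested hunks.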
@@ -1,28 +0,0 @@
-From c8a0c8e87b772576f3a431c3b4cacaf5aa001dcc Mon Sep 17 00:00:00 2001
-From: Joseph Reynolds <joseph.reynolds1@ibm.com>
-Date: Thu, 20 Jun 2019 16:29:15 -0500
-Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
-
-This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
-in the dropbear ssh server and client since they're considered weak ciphers
-and we want to support the stong algorithms.
-
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
----
- src/default_options.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/default_options.h b/src/default_options.h
-index 12768d1..2b07497 100644
---- a/src/default_options.h
-+++ b/src/default_options.h
-@@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after changes */
- * Small systems should generally include either curve25519 or ecdh for performance.
- * curve25519 is less widely supported but is faster
- */
--#define DROPBEAR_DH_GROUP14_SHA1 1
-+#define DROPBEAR_DH_GROUP14_SHA1 0
- #define DROPBEAR_DH_GROUP14_SHA256 1
- #define DROPBEAR_DH_GROUP16 0
- #define DROPBEAR_CURVE25519 1
diff --git a/meta/recipes-core/dropbear/dropbear_2024.86.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb
similarity index 93%
rename from meta/recipes-core/dropbear/dropbear_2024.86.bb
rename to meta/recipes-core/dropbear/dropbear_2025.88.bb
index be246a0ccd5..f203763b173 100644
--- a/meta/recipes-core/dropbear/dropbear_2024.86.bb
+++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb
@@ -19,11 +19,12 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
 file://dropbear@.service \
 file://dropbear.socket \
 file://dropbear.default \
+ file://0001-Fix-proxycmd-without-netcat.patch \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
 "
 
-SRC_URI[sha256sum] = "e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e"
+SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4"
+MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/"
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
 file://0006-dropbear-configuration-file.patch \
@@ -47,10 +48,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
 BINCOMMANDS = "dbclient ssh scp"
 EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
 
-PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
-PACKAGECONFIG[disable-weak-ciphers] = ""
 PACKAGECONFIG[enable-x11-forwarding] = ""
 
 # This option appends to CFLAGS and LDFLAGS from OE
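Review bot: The primary fetch URL on the SRC_URI line above this hunk stays plain `http://matt.ucc.asn.au/dropbear/releases/` while the mirror added here is `https://dropbear.nl/mirror/releases/`. Integrity is still enforced by the updated `SRC_URI[sha256sum]`, so this is not a supply-chain gap, but a tampered or blocked plaintext download is only detected at checksum time and the two sources are now inconsistent. If upstream serves https, switching the primary URL and the left-hand MIRRORS pattern together (the pattern has to match the SRC_URI prefix to be used) keeps them aligned. The SRC_URI assignment itself begins outside the hunk.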