dropbear: upgrade 2024.86 -> dropbear_2025.88

Handles CVE-2025-47203 SHA1 algorithms were removed by default, so patch for disabling it was removed together with its package option. Doing it with conditional patch was anyway a bad design. If someone still needs it, it should be done via sed command on the config file. Refreshed remaining patches. Added patch to fix regression of the CVE fix. (From OE-Core rev: c01205e7a4816d78e99d01f86a396ab23d9bde34) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2025-05-14 21:14:38 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-05-15 10:55:26 +0100
commit: 4f7ad219f4b6f03ca43631a5346ac4d1a1570665 (patch)
tree: 183892677fd1eb0ce6eea73655d69579da98543b /meta
parent: 797589dc8786204e5a2ce961062879bc5b88ac57 (diff)
download: poky-4f7ad219f4b6f03ca43631a5346ac4d1a1570665.tar.gz
4 files changed, 78 insertions, 33 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
new file mode 100644
index 0000000000..967b66322f
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
@@ -0,0 +1,74 @@
+From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001
+From: Konstantin Demin <rockdrilla@gmail.com>
+Date: Fri, 9 May 2025 22:39:35 +0300
+Subject: [PATCH] Fix proxycmd without netcat
+fixes e5a0ef27c2 "Execute multihop commands directly, no shell"
+Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/5cc0127000db5f7567b54d0495fb91a8e452fe09]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/cli-main.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+diff --git a/src/cli-main.c b/src/cli-main.c
+index 2fafa88..0a052a3 100644
+--- a/src/cli-main.c
+++ b/src/cli-main.c
+@@ -77,7 +77,11 @@ int main(int argc, char ** argv) {
+        }
+ 
+ #if DROPBEAR_CLI_PROXYCMD
+-       if (cli_opts.proxycmd || cli_opts.proxyexec) {
+       if (cli_opts.proxycmd
+#if DROPBEAR_CLI_MULTIHOP
+               || cli_opts.proxyexec
+#endif
+       ) {
+                cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
+                if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
+                        signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
+@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) {
+        dropbear_exit("Failed to run '%s'\n", cmd);
+ }
+ 
+#if DROPBEAR_CLI_MULTIHOP
+ static void exec_proxy_cmd(const void *unused) {
+        (void)unused;
+        run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
+        dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
+ }
+#endif
+ 
+ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+        char * cmd_arg = NULL;
+@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+                cmd_arg = m_malloc(shell_cmdlen);
+                snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
+                exec_fn = shell_proxy_cmd;
+#if DROPBEAR_CLI_MULTIHOP
+        } else {
+                /* No shell */
+                exec_fn = exec_proxy_cmd;
+#endif
+        }
+ 
+        ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
+@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+ cleanup:
+        m_free(cli_opts.proxycmd);
+        m_free(cmd_arg);
+#if DROPBEAR_CLI_MULTIHOP
+        if (cli_opts.proxyexec) {
+                char **a = NULL;
+                for (a = cli_opts.proxyexec; *a; a++) {
+@@ -166,6 +175,7 @@ cleanup:
+                }
+                m_free(cli_opts.proxyexec);
+        }
+#endif
+ }
+ 
+ static void kill_proxy_sighandler(int UNUSED(signo)) {
diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
index 9c1dd3f606..0687e5dab1 100644
--- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
+++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
@@ -12,7 +12,7 @@ diff --git a/src/default_options.h b/src/default_options.h
 index 6e970bb..ccc8b47 100644
 --- a/src/default_options.h
 +++ b/src/default_options.h
-@@ -311,7 +311,7 @@ group1 in Dropbear server too */
+@@ -317,7 +317,7 @@ group1 in Dropbear server too */
 
 /* The command to invoke for xauth when using X11 forwarding.
  * "-q" for quiet */
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
deleted file mode 100644
index a20781d31d..0000000000
--- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From c8a0c8e87b772576f3a431c3b4cacaf5aa001dcc Mon Sep 17 00:00:00 2001
-From: Joseph Reynolds <joseph.reynolds1@ibm.com>
-Date: Thu, 20 Jun 2019 16:29:15 -0500
-Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
-This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
-in the dropbear ssh server and client since they're considered weak ciphers
-and we want to support the stong algorithms.
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
---
- src/default_options.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/src/default_options.h b/src/default_options.h
-index 12768d1..2b07497 100644
--- a/src/default_options.h
-+++ b/src/default_options.h
-@@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after changes */
-  * Small systems should generally include either curve25519 or ecdh for performance.
-  * curve25519 is less widely supported but is faster
-  */
-#define DROPBEAR_DH_GROUP14_SHA1 1
-+#define DROPBEAR_DH_GROUP14_SHA1 0
- #define DROPBEAR_DH_GROUP14_SHA256 1
- #define DROPBEAR_DH_GROUP16 0
- #define DROPBEAR_CURVE25519 1
diff --git a/meta/recipes-core/dropbear/dropbear_2024.86.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb
index 38faaebc2a..f203763b17 100644
--- a/meta/recipes-core/dropbear/dropbear_2024.86.bb
+++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb
@@ -19,11 +19,11 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
           file://dropbear@.service \
           file://dropbear.socket \
           file://dropbear.default \
+           file://0001-Fix-proxycmd-without-netcat.patch \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
-           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
           "
-SRC_URI[sha256sum] = "e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e"
+SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4"
 MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/"
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
@@ -48,10 +48,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
 BINCOMMANDS = "dbclient ssh scp"
 EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
-PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
-PACKAGECONFIG[disable-weak-ciphers] = ""
 PACKAGECONFIG[enable-x11-forwarding] = ""
 # This option appends to CFLAGS and LDFLAGS from OE
author	Peter Marko <peter.marko@siemens.com>	2025-05-14 21:14:38 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-05-15 10:55:26 +0100
commit	4f7ad219f4b6f03ca43631a5346ac4d1a1570665 (patch)
tree	183892677fd1eb0ce6eea73655d69579da98543b /meta
parent	797589dc8786204e5a2ce961062879bc5b88ac57 (diff)
download	poky-4f7ad219f4b6f03ca43631a5346ac4d1a1570665.tar.gz

diff --git a/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch new file mode 100644 index 0000000000..967b66322f --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
@@ -0,0 +1,74 @@
		1	From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001
		2	From: Konstantin Demin <rockdrilla@gmail.com>
		3	Date: Fri, 9 May 2025 22:39:35 +0300
		4	Subject: [PATCH] Fix proxycmd without netcat
		5
		6	fixes e5a0ef27c2 "Execute multihop commands directly, no shell"
		7
		8	Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
		9
		10	Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/5cc0127000db5f7567b54d0495fb91a8e452fe09]
		11	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		12	---
		13	src/cli-main.c \| 12 +++++++++++-
		14	1 file changed, 11 insertions(+), 1 deletion(-)
		15
		16	diff --git a/src/cli-main.c b/src/cli-main.c
		17	index 2fafa88..0a052a3 100644
		18	--- a/src/cli-main.c
		19	+++ b/src/cli-main.c
		20	@@ -77,7 +77,11 @@ int main(int argc, char ** argv) {
		21	}
		22
		23	#if DROPBEAR_CLI_PROXYCMD
		24	- if (cli_opts.proxycmd \|\| cli_opts.proxyexec) {
		25	+ if (cli_opts.proxycmd
		26	+#if DROPBEAR_CLI_MULTIHOP
		27	+ \|\| cli_opts.proxyexec
		28	+#endif
		29	+ ) {
		30	cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
		31	if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR \|\|
		32	signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR \|\|
		33	@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) {
		34	dropbear_exit("Failed to run '%s'\n", cmd);
		35	}
		36
		37	+#if DROPBEAR_CLI_MULTIHOP
		38	static void exec_proxy_cmd(const void *unused) {
		39	(void)unused;
		40	run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
		41	dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
		42	}
		43	+#endif
		44
		45	static void cli_proxy_cmd(int sock_in, int sock_out, pid_t *pid_out) {
		46	char * cmd_arg = NULL;
		47	@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int sock_in, int sock_out, pid_t *pid_out) {
		48	cmd_arg = m_malloc(shell_cmdlen);
		49	snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
		50	exec_fn = shell_proxy_cmd;
		51	+#if DROPBEAR_CLI_MULTIHOP
		52	} else {
		53	/* No shell */
		54	exec_fn = exec_proxy_cmd;
		55	+#endif
		56	}
		57
		58	ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
		59	@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int sock_in, int sock_out, pid_t *pid_out) {
		60	cleanup:
		61	m_free(cli_opts.proxycmd);
		62	m_free(cmd_arg);
		63	+#if DROPBEAR_CLI_MULTIHOP
		64	if (cli_opts.proxyexec) {
		65	char **a = NULL;
		66	for (a = cli_opts.proxyexec; *a; a++) {
		67	@@ -166,6 +175,7 @@ cleanup:
		68	}
		69	m_free(cli_opts.proxyexec);
		70	}
		71	+#endif
		72	}
		73
		74	static void kill_proxy_sighandler(int UNUSED(signo)) {


diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch index 9c1dd3f606..0687e5dab1 100644 --- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch +++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
@@ -12,7 +12,7 @@ diff --git a/src/default_options.h b/src/default_options.h
12	index 6e970bb..ccc8b47 100644	12	index 6e970bb..ccc8b47 100644
13	--- a/src/default_options.h	13	--- a/src/default_options.h
14	+++ b/src/default_options.h	14	+++ b/src/default_options.h
15	@@ -311,7 +311,7 @@ group1 in Dropbear server too */	15	@@ -317,7 +317,7 @@ group1 in Dropbear server too */
16		16
17	/* The command to invoke for xauth when using X11 forwarding.	17	/* The command to invoke for xauth when using X11 forwarding.
18	* "-q" for quiet */	18	* "-q" for quiet */


diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch deleted file mode 100644 index a20781d31d..0000000000 --- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch +++ /dev/null
@@ -1,28 +0,0 @@
1	From c8a0c8e87b772576f3a431c3b4cacaf5aa001dcc Mon Sep 17 00:00:00 2001
2	From: Joseph Reynolds <joseph.reynolds1@ibm.com>
3	Date: Thu, 20 Jun 2019 16:29:15 -0500
4	Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
5
6	This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
7	in the dropbear ssh server and client since they're considered weak ciphers
8	and we want to support the stong algorithms.
9
10	Upstream-Status: Inappropriate [configuration]
11	Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
12	---
13	src/default_options.h \| 2 +-
14	1 file changed, 1 insertion(+), 1 deletion(-)
15
16	diff --git a/src/default_options.h b/src/default_options.h
17	index 12768d1..2b07497 100644
18	--- a/src/default_options.h
19	+++ b/src/default_options.h
20	@@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after changes */
21	* Small systems should generally include either curve25519 or ecdh for performance.
22	* curve25519 is less widely supported but is faster
23	*/
24	-#define DROPBEAR_DH_GROUP14_SHA1 1
25	+#define DROPBEAR_DH_GROUP14_SHA1 0
26	#define DROPBEAR_DH_GROUP14_SHA256 1
27	#define DROPBEAR_DH_GROUP16 0
28	#define DROPBEAR_CURVE25519 1


diff --git a/meta/recipes-core/dropbear/dropbear_2024.86.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb index 38faaebc2a..f203763b17 100644 --- a/meta/recipes-core/dropbear/dropbear_2024.86.bb +++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb
@@ -19,11 +19,11 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
19	file://dropbear@.service \	19	file://dropbear@.service \
20	file://dropbear.socket \	20	file://dropbear.socket \
21	file://dropbear.default \	21	file://dropbear.default \
		22	file://0001-Fix-proxycmd-without-netcat.patch \
22	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	23	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
23	${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
24	"	24	"
25		25
26	SRC_URI[sha256sum] = "e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e"	26	SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4"
27	MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/"	27	MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/"
28		28
29	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \	29	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
@@ -48,10 +48,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
48	BINCOMMANDS = "dbclient ssh scp"	48	BINCOMMANDS = "dbclient ssh scp"
49	EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'	49	EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
50		50
51	PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"	51	PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
52	PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"	52	PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"
53	PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"	53	PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
54	PACKAGECONFIG[disable-weak-ciphers] = ""
55	PACKAGECONFIG[enable-x11-forwarding] = ""	54	PACKAGECONFIG[enable-x11-forwarding] = ""
56		55
57	# This option appends to CFLAGS and LDFLAGS from OE	56	# This option appends to CFLAGS and LDFLAGS from OE