catspeed-cc/openwrt
1
1
Fork 0
Code

dropbear: bump to 2026.91

Browse Source 
- update dropbear to latest stable 2026.91;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- cherry-pick upstream patches:
  - sntrup: Fix 64-bit literals
  - Increase MAX_HOSTKEYS to 6
  - Fix too-low pubkey key query count
- automatically refresh patches

Fixes: CVE-2019-6111, CVE-2026-35385
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23217
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit is contained in:
Konstantin Demin 2026-05-19 16:38:13 +03:00 committed by Hauke Mehrtens
parent 06bf4fa978
commit 99b681934d
8 changed files with 92 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
package/network/services/dropbear/Makefile
View File

@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear PKG_NAME:=dropbear
PKG_VERSION:=2025.89 PKG_VERSION:=2026.91
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \ PKG_SOURCE_URL:= \
https://matt.ucc.asn.au/dropbear/releases/ \ https://matt.ucc.asn.au/dropbear/releases/ \
https://dropbear.nl/mirror/releases/ https://dropbear.nl/mirror/releases/
PKG_HASH:=0d1f7ca711cfc336dc8a85e672cab9cfd8223a02fe2da0a4a7aeb58c9e113634 PKG_HASH:=defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34
PKG_LICENSE:=MIT PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE

27
package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch Normal file
View File

@ -0,0 +1,27 @@
From b487b111d0cf735c640e6668aa888f7da4e78b3c Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Mon, 11 May 2026 20:43:50 +0800
Subject: sntrup: Fix 64-bit literals
Avoids warning on 32-bit platform
src/sntrup761.c:1643: warning: integer constant is too large for 'long' type
---
src/sntrup761.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/src/sntrup761.c
+++ b/src/sntrup761.c
@@ -1640,9 +1640,9 @@ __attribute__((unused))
static inline
int crypto_int64_ones_num(crypto_int64 crypto_int64_x) {
crypto_int64_unsigned crypto_int64_y = crypto_int64_x;
- const crypto_int64 C0 = 0x5555555555555555;
- const crypto_int64 C1 = 0x3333333333333333;
- const crypto_int64 C2 = 0x0f0f0f0f0f0f0f0f;
+ const crypto_int64 C0 = INT64_C(0x5555555555555555);
+ const crypto_int64 C1 = INT64_C(0x3333333333333333);
+ const crypto_int64 C2 = INT64_C(0x0f0f0f0f0f0f0f0f);
crypto_int64_y -= ((crypto_int64_y >> 1) & C0);
crypto_int64_y = (crypto_int64_y & C1) + ((crypto_int64_y >> 2) & C1);
crypto_int64_y = (crypto_int64_y + (crypto_int64_y >> 4)) & C2;

23
package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch Normal file
View File

@ -0,0 +1,23 @@
From a05569c6124006bd9b4823db30e824953c5024de Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Wed, 13 May 2026 08:40:17 +0800
Subject: Increase MAX_HOSTKEYS to 6
This allows all key types to be loaded at once, including different
ecdsa sizes.
Suggested by Darren Tucker.
---
src/sysoptions.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/sysoptions.h
+++ b/src/sysoptions.h
@@ -283,7 +283,7 @@
#define MAX_KEX_PARTS 1000
#endif
-#define MAX_HOSTKEYS 4
+#define MAX_HOSTKEYS 6
/* The maximum size of the bignum portion of the kexhash buffer */
/* K_S + Q_C + Q_S + K */

33
package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch Normal file
View File

@ -0,0 +1,33 @@
From ee65bff1567576a223febcdd5ae552326a4da4b1 Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Tue, 19 May 2026 19:03:39 +0800
Subject: Fix too-low pubkey key query count
Dropbear 2026.90 added a limit to the number of queries that could be
made to a server when determining usable keys. This was intended to be
set to 15 (MAX_PUBKEY_QUERIES) but the logic was incorrect (and also
debug code was accidentally committed). This meant only 10 (default
MAX_AUTH_TRIES/-T) tried keys would be allowed - not a huge difference.
Reported by Rui Salvaterra
Fixes: db0d3fd0a9e9 ("Limit server number of public key queries")
---
src/svr-authpubkey.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/src/svr-authpubkey.c
+++ b/src/svr-authpubkey.c
@@ -173,9 +173,9 @@ void svr_auth_pubkey(int valid_user) {
* Start counting failures (incrfail) only when it's reaching
* the limit.
*/
- unsigned int free_query_limit = 0;
- MAX(0, (int)svr_opts.maxauthtries - MAX_PUBKEY_QUERIES);
- int incrfail = ses.authstate.serv_pubkey_query_count > free_query_limit;
+ unsigned int free_query_limit =
+ MAX(0, MAX_PUBKEY_QUERIES - (int)svr_opts.maxauthtries);
+ int incrfail = ses.authstate.serv_pubkey_query_count >= free_query_limit;
send_msg_userauth_failure(0, incrfail);
ses.authstate.serv_pubkey_query_count++;
goto out;

6
package/network/services/dropbear/patches/100-pubkey_path.patch
View File

@ -3,7 +3,7 @@
--- a/src/svr-authpubkey.c --- a/src/svr-authpubkey.c
+++ b/src/svr-authpubkey.c +++ b/src/svr-authpubkey.c
@@ -79,6 +79,39 @@ static void send_msg_userauth_pk_ok(cons @@ -80,6 +80,39 @@ static void send_msg_userauth_pk_ok(cons
const unsigned char* keyblob, unsigned int keybloblen); const unsigned char* keyblob, unsigned int keybloblen);
static int checkfileperm(char * filename); static int checkfileperm(char * filename);
@ -43,7 +43,7 @@
/* process a pubkey auth request, sending success or failure message as /* process a pubkey auth request, sending success or failure message as
* appropriate */ * appropriate */
void svr_auth_pubkey(int valid_user) { void svr_auth_pubkey(int valid_user) {
@@ -439,16 +472,22 @@ out: @@ -459,16 +492,22 @@ out:
static char *authorized_keys_filepath() { static char *authorized_keys_filepath() {
size_t len = 0; size_t len = 0;
char *pathname = NULL, *dir = NULL; char *pathname = NULL, *dir = NULL;
@ -69,7 +69,7 @@
m_free(dir); m_free(dir);
return pathname; return pathname;
} }
@@ -549,11 +588,23 @@ out: @@ -572,11 +611,23 @@ out:
* When this path is inside the user's home dir it checks up to and including * When this path is inside the user's home dir it checks up to and including
* the home dir, otherwise it checks every path component. */ * the home dir, otherwise it checks every path component. */
static int checkpubkeyperms() { static int checkpubkeyperms() {

4
package/network/services/dropbear/patches/110-change_user.patch
View File

@ -1,6 +1,6 @@
--- a/src/svr-auth.c --- a/src/svr-auth.c
+++ b/src/svr-auth.c +++ b/src/svr-auth.c
@@ -510,9 +510,9 @@ void svr_switch_user(void) { @@ -504,9 +504,9 @@ void svr_switch_user(void) {
/* We can only change uid/gid as root ... */ /* We can only change uid/gid as root ... */
if (getuid() == 0) { if (getuid() == 0) {
@ -12,7 +12,7 @@
dropbear_exit("Error changing user group"); dropbear_exit("Error changing user group");
} }
@@ -534,7 +534,7 @@ void svr_switch_user(void) { @@ -528,7 +528,7 @@ void svr_switch_user(void) {
} }
#endif #endif

2
package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
View File

@ -1,6 +1,6 @@
--- a/src/cli-runopts.c --- a/src/cli-runopts.c
+++ b/src/cli-runopts.c +++ b/src/cli-runopts.c
@@ -340,6 +340,10 @@ void cli_getopts(int argc, char ** argv) @@ -352,6 +352,10 @@ void cli_getopts(int argc, char ** argv)
case 'z': case 'z':
opts.disable_ip_tos = 1; opts.disable_ip_tos = 1;
break; break;

2
package/network/services/dropbear/patches/600-allow-blank-root-password.patch
View File

@ -1,6 +1,6 @@
--- a/src/svr-auth.c --- a/src/svr-auth.c
+++ b/src/svr-auth.c +++ b/src/svr-auth.c
@@ -124,7 +124,7 @@ void recv_msg_userauth_request() { @@ -122,7 +122,7 @@ void recv_msg_userauth_request() {
AUTH_METHOD_NONE_LEN) == 0) { AUTH_METHOD_NONE_LEN) == 0) {
TRACE(("recv_msg_userauth_request: 'none' request")) TRACE(("recv_msg_userauth_request: 'none' request"))
if (valid_user if (valid_user