Your message dated Tue, 16 Dec 2025 16:49:40 +0000
with message-id <[email protected]>
and subject line Bug#1123069: fixed in dropbear 2025.89-1
has caused the Debian Bug report #1123069,
regarding CVE-2025-14282: privilege escalation via unix stream socket forwarding
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1123069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123069
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dropbear
Version: 2025.88-2
Severity: grave
Justification: user security hole
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

Dropbear upstream has recently released 2025.89 [0] which fixes
the following vulnerability [1]:

| Privilege escalation via unix stream forwarding in Dropbear server.
| Other programs on a system may authenticate unix sockets via
| SO_PEERCRED, which would be root user for Dropbear forwarded
| connections, allowing root privilege escalation.
|
| Reported by Turistu, and thanks for advice on the fix.
|
| This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
|
| It is fixed by dropping privileges of the dropbear process after
| authentication. Unix stream sockets are now disallowed when a
| forced command is used, either with authorized_key restrictions or
| "dropbear -c command".
|
| In previous affected releases running with "dropbear -j" (will also
| disable TCP forwarding) or building with
| localoptions.h/distrooptions.h "#define DROPBEAR_SVR_LOCALSTREAMFWD
| 0" is a mitigation.
|
| The full fix of dropping privileges requires the commits in
| https://github.com/mkj/dropbear/pull/391
| https://github.com/mkj/dropbear/pull/394
|
| Unix socket forwarding is now disabled when forced command options
| are used, since it could bypass command restrictions.
| This isn't directly related to the privilege escalation, but could
| allow arbitrary commands to be run as the correct user.

-- 
Guilhem.

[0] https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q4/002390.html
[1] https://seclists.org/oss-sec/2025/q4/279

Attachment: signature.asc
Description: PGP signature


--- End Message ---
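As an added illustration of the mechanism described in the report above (this is not Dropbear's code and is not part of the bug report), the following C program shows what a local service sees when it authenticates an AF_UNIX stream peer with SO_PEERCRED, why a root-owned forwarder that performs the connect() on a user's behalf satisfies a "root or socket owner" check, and the shape of the fix: become the authenticated user before any forwarded connect() is made. It assumes Linux (SO_PEERCRED is Linux-specific); the struct name, function names and the owner uid 1000 used in the policy check are this example's own choices.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Same layout as the kernel's struct ucred (pid, uid, gid), defined locally so
 * the file does not depend on _GNU_SOURCE being set before <sys/socket.h>. */
struct peer_cred {
    pid_t pid;
    uid_t uid;
    gid_t gid;
};

/* Ask the kernel who holds the other end of a connected AF_UNIX stream socket.
 * SO_PEERCRED reports the credentials the peer process had at connect() or
 * socketpair() time, not those of whoever that process is acting for. */
static int peer_creds(int fd, struct peer_cred *out)
{
    socklen_t len = sizeof(*out);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) != 0)
        return -1;
    return len == sizeof(*out) ? 0 : -1;
}

/* A typical local-service policy: trust root and the socket's intended owner.
 * When a root-owned SSH forwarder performs the connect() for an authenticated
 * user, the service sees uid 0 here and grants root-level access. */
static int peer_is_authorized(const struct peer_cred *cred, uid_t owner_uid)
{
    return (cred->uid == 0 || cred->uid == owner_uid) ? 1 : 0;
}

/* The shape of the upstream fix: once the user is authenticated, the process
 * that will perform forwarded connect()s becomes that user, permanently.
 * Returns 0 on success, -1 on failure. If the caller is already unprivileged
 * it succeeds only when it already is the requested identity. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() != 0)
        return (getuid() == uid && getgid() == gid) ? 0 : -1;
    if (setgroups(0, NULL) != 0)    /* supplementary groups first */
        return -1;
    if (setgid(gid) != 0)           /* gid before uid, while still root */
        return -1;
    if (setuid(uid) != 0)           /* as root: sets real, effective and saved uid */
        return -1;
    if (uid != 0 && setuid(0) == 0) /* must not be able to climb back */
        return -1;
    return 0;
}

/* Demonstration without a filesystem path: socketpair() yields two connected
 * AF_UNIX stream endpoints and the kernel records peer credentials for them
 * exactly as for connect(). The uid reported is that of this process, i.e. of
 * whichever process called the socket API. Run as root, it reports uid 0. */
static int demo_peer_creds(struct peer_cred *seen)
{
    int sv[2];
    int rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    rc = peer_creds(sv[0], seen);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    struct peer_cred seen;
    if (demo_peer_creds(&seen) != 0) {
        perror("SO_PEERCRED");
        return 1;
    }
    printf("peer pid=%ld uid=%u gid=%u (we are uid %u)\n",
           (long)seen.pid, (unsigned)seen.uid, (unsigned)seen.gid,
           (unsigned)getuid());
    printf("a service owned by uid 1000 would treat this peer as %s\n",
           peer_is_authorized(&seen, 1000) ? "authorized" : "unauthorized");
    return 0;
}
```

Run as an ordinary user the program reports that user's own uid; run as root it reports uid 0, which is exactly what a service checking SO_PEERCRED saw behind a pre-2025.89 Dropbear forwarded unix socket. Calling drop_privileges() with the authenticated user's uid and gid before the forwarder issues any connect() makes the reported credentials the user's, which is why the fix is "drop privileges after authentication" rather than a change to the socket code.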
--- Begin Message ---
Source: dropbear
Source-Version: 2025.89-1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated dropbear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Dec 2025 17:14:59 +0100
Source: dropbear
Architecture: source
Version: 2025.89-1
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1123069
Changes:
 dropbear (2025.89-1) unstable; urgency=high
 .
   * New upstream security and bugfix release (closes: #1123069).
     + Fix CVE-2025-14282: Privilege escalation via unix stream forwarding in
       Dropbear server. Other programs on a system may authenticate unix
       sockets via SO_PEERCRED, which would be root user for Dropbear forwarded
       connections, allowing root privilege escalation.
     + Unix stream sockets are now disallowed when a forced command is used,
       either with authorized_key restrictions or "dropbear -c command".
     + The server now drops privileges of the dropbear process after
       authentication.
     + Remote server TCP socket forwarding will now use OS privileged port
       restrictions rather than having a fixed "allow >=1024 for non-root"
       rule.
   * d/control: Remove `Rules-Requires-Root: no`.
   * d/s/lintian-overrides: Drop unused override.
   * d/watch: Port to Version 5.
Checksums-Sha1:
 39a8fa934c9f9c17484463fcf18e3102505bf1ab 2556 dropbear_2025.89-1.dsc
 65a32c5de0041e65cf9ab6cc894a64e07ed31e47 2374006 dropbear_2025.89.orig.tar.bz2
 759ece8f1c87edd16a9fc1531d7df74d46dd1ca2 833 dropbear_2025.89.orig.tar.bz2.asc
 588ac6fe83b2423d87da741df50858c6e75c8380 35208 dropbear_2025.89-1.debian.tar.xz
 7b191c6641aba21ef3bc7059f1bf18427b70eb79 5910 dropbear_2025.89-1_source.buildinfo
Checksums-Sha256:
 2b2516f3fb5ff6a3371e031e990657c05b928287e29ae4aaa480c05799488832 2556 dropbear_2025.89-1.dsc
 0d1f7ca711cfc336dc8a85e672cab9cfd8223a02fe2da0a4a7aeb58c9e113634 2374006 dropbear_2025.89.orig.tar.bz2
 ef0ff9a8fe8e0b6c66892c9415f0d6e8e5676aac5a024ebcc43c2271d1c8f0d6 833 dropbear_2025.89.orig.tar.bz2.asc
 39b54d8ab88741d76205f97e6ea562f0134325f7647bec55407df65d21506457 35208 dropbear_2025.89-1.debian.tar.xz
 8312fecbe3be1935dd43b196b34211a0f78e7d842e90b75c7ce14819718a77b6 5910 dropbear_2025.89-1_source.buildinfo
Files:
 c5c2ebce711f4428467e7dde531f1b44 2556 net optional dropbear_2025.89-1.dsc
 2816ff711130f030daee12cbb10fd5ec 2374006 net optional dropbear_2025.89.orig.tar.bz2
 1f0c0a79e8f024412072306eb221970e 833 net optional dropbear_2025.89.orig.tar.bz2.asc
 ee3b4f2ea058938b24cf446f42d3e704 35208 net optional dropbear_2025.89-1.debian.tar.xz
 74d2ee5c8282578c7d37169e1cd3f5f9 5910 net optional dropbear_2025.89-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpKT9BLwONT8.pgp
Description: PGP signature


--- End Message ---
