Your message dated Sat, 20 Dec 2025 11:32:27 +0000
with message-id <[email protected]>
and subject line Bug#1123069: fixed in dropbear 2025.89-1~deb13u1
has caused the Debian Bug report #1123069,
regarding CVE-2025-14282: privilege escalation via unix stream socket forwarding
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1123069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123069
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dropbear
Version: 2025.88-2
Severity: grave
Justification: user security hole
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
Dropbear upstream has recently released 2025.89 [0] which fixes
the following vulnerability [1]:
| Privilege escalation via unix stream forwarding in Dropbear server.
| Other programs on a system may authenticate unix sockets via
| SO_PEERCRED, which would be root user for Dropbear forwarded
| connections, allowing root privilege escalation.
|
| Reported by Turistu, and thanks for advice on the fix.
|
| This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
|
| It is fixed by dropping privileges of the dropbear process after
| authentication. Unix stream sockets are now disallowed when a
| forced command is used, either with authorized_key restrictions or
| "dropbear -c command".
|
| In previous affected releases running with "dropbear -j" (will also
| disable TCP forwarding) or building with
| localoptions.h/distrooptions.h "#define DROPBEAR_SVR_LOCALSTREAMFWD
| 0" is a mitigation.
|
| The full fix of dropping privileges requires the commits in
| https://github.com/mkj/dropbear/pull/391
| https://github.com/mkj/dropbear/pull/394
|
| Unix socket forwarding is now disabled when forced command options
| are used, since it could bypass command restrictions.
| This isn't directly related to the privilege escalation, but could
| allow arbitrary commands to be run as the correct user.
--
Guilhem.
[0] https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q4/002390.html
[1] https://seclists.org/oss-sec/2025/q4/279
--- End Message ---
--- Begin Message ---
Source: dropbear
Source-Version: 2025.89-1~deb13u1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated dropbear package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 16 Dec 2025 20:36:49 +0100
Source: dropbear
Architecture: source
Version: 2025.89-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Guilhem Moulin <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1123069
Changes:
dropbear (2025.89-1~deb13u1) trixie-security; urgency=high

  * New upstream security and bugfix release (closes: #1123069).
    + Fix CVE-2025-14282: Privilege escalation via unix stream forwarding in
      Dropbear server. Other programs on a system may authenticate unix
      sockets via SO_PEERCRED, which would be root user for Dropbear forwarded
      connections, allowing root privilege escalation.
    + The server now drops privileges of the dropbear process after
      authentication.
    + Remote server TCP socket forwarding will now use OS privileged port
      restrictions rather than having a fixed "allow >=1024 for non-root"
      rule.
    + Unix stream sockets are now disallowed when a forced command is used,
      either with authorized_key restrictions or "dropbear -c command".
  * DEP-8: Add "Depends: e2fsprogs" to remote-unlocking test.
--- End Message ---
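The SO_PEERCRED mechanism described in the upstream advisory (first message) and restated in the changelog entry (second message), as an added C example that is not Dropbear's code: a daemon-side credential check of the kind the advisory refers to, the privilege-drop pattern the fix adopts, and a constructed socketpair showing that the kernel reports the uid of the process holding the socket end, not of whoever asked for the connection. The names `peer_id`, `peer_cred`, `peer_is_root`, `drop_privileges` and `demo_peer_uid` are assumptions, and the code targets Linux, where SO_PEERCRED exists.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Same layout as Linux's struct ucred (pid, uid, gid; see unix(7)),
   declared locally so this builds without _GNU_SOURCE. */
struct peer_id { pid_t pid; uid_t uid; gid_t gid; };

/* What a local daemon reads when it "authenticates" a unix stream
   connection. Returns 0 on success. */
int peer_cred(int fd, struct peer_id *out) {
    socklen_t len = sizeof(*out);
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len);
}

/* The check the advisory refers to: trust the peer only if the process
   on the other end is root. A root-owned forwarder passes it for anyone. */
int peer_is_root(int fd) {
    struct peer_id cr;
    if (peer_cred(fd, &cr) != 0) return 0;
    return cr.uid == 0;
}

/* Mitigation pattern of the fix: drop to the authenticated user before
   any forwarded connection is opened, so SO_PEERCRED names that user.
   Groups first, then gid, then uid; then verify root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() != 0) return 0;                 /* nothing to drop */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* drop was not permanent */
    return 0;
}

/* Constructed socketpair standing in for a forwarded connection:
   SO_PEERCRED identifies the process holding the other end (this one),
   not whoever requested the connection. Returns 0 and sets *reported. */
int demo_peer_uid(uid_t *reported) {
    int sv[2], rc;
    struct peer_id cr;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    rc = peer_cred(sv[0], &cr);
    close(sv[0]);
    close(sv[1]);
    if (rc != 0) return -1;
    *reported = cr.uid;
    return 0;
}
```

Run as root, `demo_peer_uid` reports uid 0 for the constructed pair, which is exactly what a forwarding daemon that has not dropped privileges presents to every local service; after `drop_privileges` it reports the unprivileged uid.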