commit: 5558e745954113ae526ec57ff9d1f8744ed94810 Author: Viorel Munteanu <ceamac <AT> gentoo <DOT> org> AuthorDate: Thu Dec 18 19:38:25 2025 +0000 Commit: Viorel Munteanu <ceamac <AT> gentoo <DOT> org> CommitDate: Thu Dec 18 19:47:19 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5558e745
net-misc/dropbear: add 2025.89 Includes security updates for CVE-2025-14282 and CVE-2019-6111. Bug: https://bugs.gentoo.org/967696 Bug: https://bugs.gentoo.org/675522 Signed-off-by: Viorel Munteanu <ceamac <AT> gentoo.org> net-misc/dropbear/Manifest | 2 + net-misc/dropbear/dropbear-2025.89.ebuild | 214 ++++++++++++++++++++++++++++++ 2 files changed, 216 insertions(+)
diff --git a/net-misc/dropbear/Manifest b/net-misc/dropbear/Manifest
index b1c5e6eb2614..bb1fa5d79e2b 100644
--- a/net-misc/dropbear/Manifest
+++ b/net-misc/dropbear/Manifest
@@ -2,3 +2,5 @@ DIST dropbear-2025.87.tar.bz2 2368085 BLAKE2B 14c47f8311502a821a1b67e4bcedcdc80c
 DIST dropbear-2025.87.tar.bz2.asc 833 BLAKE2B 86f1ac7bd968eddad2d43bca21864db44c21e5875b7fec54fcc0ddce5bc748462d2639bc2394ca682b84527d49b3b0ef46cfbf07c244ded0b86812b1c6aa7894 SHA512 a5b1dcfb0bd5f5de12959f4b47e526cf3844ad8b7ef26fa0692fac6c2a77d36d5171d37fc405f7d4a2e4e70a6d8cc30366cac9046745a5126593c45b54998a7c
 DIST dropbear-2025.88.tar.bz2 2370480 BLAKE2B d64f51227a19c77218a32815f75538df96961008c9fd9effec133e457bed0aa3c0837ca1cfdd877101ff09014e5fdd3a1500135887799eaeb0f2207d74799585 SHA512 71194f4792287b9e56e07cfa9a3e97d23b7fda82c858e0219d0d54aee48e77892997330ad1af5654a738b970965a92a79468bbf5c8ba0358b046fd053dfc87ed
 DIST dropbear-2025.88.tar.bz2.asc 833 BLAKE2B 2399086027e07d186e1199f2a4442d8eb8cbc14476acb004c6879e782c263d760ffb03623dd062e7f3fd381041c503cdc589d6ab4a47db652018a0db6b641d31 SHA512 ac7e5c94668bccdeeeb2bb85722107df7216dc605769ed82638227e7922c85bda9d2b76d219a87d49f276a1c9f18bccfbf7950a009410cb49b958b2f7d9eec04
+DIST dropbear-2025.89.tar.bz2 2374006 BLAKE2B 8533083cccf11329b07dda123df4f875e9d11d59b5aead96fd725b58d513504ac13a8045c8e70498678535e1b38b9d93ec1c880f341b900da8a7adda153b047c SHA512 5420b0c6de08c2e796abe9d0819ce322e244a0d9670678dc750aa07da8426a782b7f8685fa65c8fe053fc5ae0118cc5f31fe7b60d817e6c57000a189f2c97176
+DIST dropbear-2025.89.tar.bz2.asc 833 BLAKE2B b3300da3ebd4384050a523ab5f905b58e561267733c4a31651b9b6781ab041afa53054b5cae091f083bf82e6ca6514de8c687d931dea43dbf72cb510cf9afdf1 SHA512 98049964c10da20502b2623621f2f52b76e356d3d60d933d172232229e1627448a48b767e965c1ff59b3ca3159873e9e8902f6a9ba0a72720b71c0443962701d
diff --git a/net-misc/dropbear/dropbear-2025.89.ebuild b/net-misc/dropbear/dropbear-2025.89.ebuild
new file mode 100644
index 000000000000..04728c2b4a81
--- /dev/null
+++ b/net-misc/dropbear/dropbear-2025.89.ebuild
@@ -0,0 +1,214 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..13} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/dropbear.asc
+inherit autotools pam python-any-r1 savedconfig verify-sig
+
+DESCRIPTION="Small SSH 2 client/server designed for small memory environments"
+HOMEPAGE="https://matt.ucc.asn.au/dropbear/dropbear.html"
+SRC_URI="https://matt.ucc.asn.au/dropbear/releases/${P}.tar.bz2
+ https://matt.ucc.asn.au/dropbear/testing/${P}.tar.bz2"
+SRC_URI+=" verify-sig? (
+ https://matt.ucc.asn.au/dropbear/releases/${P}.tar.bz2.asc
+ https://matt.ucc.asn.au/dropbear/testing/${P}.tar.bz2.asc
+ )"
+
+LICENSE="MIT GPL-2" # (init script is GPL-2 #426056)
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-macos"
+IUSE="bsdpty legacy-ciphers minimal multicall pam +shadow static +syslog test +test-async zlib"
+RESTRICT="!test? ( test )"
+
+LIB_DEPEND="
+ virtual/libcrypt:=[static-libs(+)]
+ zlib? ( virtual/zlib:=[static-libs(+)] )
+"
+RDEPEND="
+ acct-group/sshd
+ acct-user/sshd
+ !static? (
+ >=dev-libs/libtomcrypt-1.18.2-r2[libtommath]
+ >=dev-libs/libtommath-1.2.0
+ ${LIB_DEPEND//\[static-libs(+)]}
+ )
+ pam? ( sys-libs/pam )
+"
+DEPEND="
+ ${RDEPEND}
+ static? ( ${LIB_DEPEND} )
+"
+RDEPEND+=" pam? ( >=sys-auth/pambase-20080219.1 )"
+BDEPEND="
+ test? (
+ sys-libs/nss_wrapper
+ $(python_gen_any_dep '
+ dev-python/attrs[${PYTHON_USEDEP}]
+ dev-python/iniconfig[${PYTHON_USEDEP}]
+ dev-python/packaging[${PYTHON_USEDEP}]
+ dev-python/pluggy[${PYTHON_USEDEP}]
+ dev-python/py[${PYTHON_USEDEP}]
+ dev-python/pyparsing[${PYTHON_USEDEP}]
+ dev-python/pytest[${PYTHON_USEDEP}]
+ dev-python/psutil[${PYTHON_USEDEP}]
+ ')
+ test-async? (
+ $(python_gen_any_dep '
+ dev-python/asyncssh[${PYTHON_USEDEP}]
+ ')
+ )
+ )
+ verify-sig? ( sec-keys/openpgp-keys-dropbear )
+"
+
+REQUIRED_USE="pam? ( !static )"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2024.84-dbscp.patch
+ "${FILESDIR}"/${PN}-2024.86-tests.patch
+ "${FILESDIR}"/${PN}-2024.84-test-bg-sleep.patch
+)
+
+set_options() {
+ progs=(
+ dropbear dbclient dropbearkey
+ $(usev !minimal "dropbearconvert scp")
+ )
+ makeopts=(
+ MULTI=$(usex multicall 1 0)
+ )
+}
+
+python_check_deps() {
+ if use test-async; then
+ python_has_version "dev-python/asyncssh[${PYTHON_USEDEP}]"
+ fi
+
+ python_has_version "dev-python/attrs[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/iniconfig[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/packaging[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/pluggy[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/py[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/pyparsing[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/pytest[${PYTHON_USEDEP}]" && \
+ python_has_version "dev-python/psutil[${PYTHON_USEDEP}]"
+}
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+
+ if use static ; then
+ ewarn "Using bundled copies of libtommath and libtomcrypt"
+ fi
+}
+
+src_prepare() {
+ default
+
+ eautoreconf
+
+ # dropbear does not accept -E if built w/o syslog support and fails the tests
+ if use syslog; then
+ eapply "${FILESDIR}"/${PN}-2024.84-non-interactive-tests.patch
+ else
+ eapply "${FILESDIR}"/${PN}-2024.84-non-interactive-tests-no-syslog.patch
+ fi
+
+ sed \
+ -e '/SFTPSERVER_PATH/s:".*":"/usr/lib/misc/sftp-server":' \
+ -e '/DROPBEAR_X11FWD/s:0:1:' \
+ -e "/DROPBEAR_DSS/s:0: "$(usex legacy-ciphers 1 0)":" \
+ src/default_options.h > localoptions.h || die
+ sed \
+ -e '/pam_start/s:sshd:dropbear:' \
+ -i src/svr-authpam.c || die
+ restore_config localoptions.h
+
+ use test && python_fix_shebang test/parent_dropbear_map.py
+
+ # dropbearconvert is not built with USE minimal
+ # test_concurrent needs dropbearconvert to convert the key before running
+ if use minimal; then
+ rm test/test_dropbearconvert.py test/test_concurrent.py || die
+ elif ! use test-async; then
+ # remove this test on platforms where dev-python/asyncssh is not available
+ rm test/test_concurrent.py || die
+ fi
+
+ # bsdpty requires CONFIG_LEGACY_PTYS in kernel; disable tests.
+ # bug #939601
+ if use bsdpty; then
+ rm test/test_channels.py || die
+ fi
+}
+
+src_configure() {
+ # Notes:
+ # 1) We use bundled libtom* when static build is enabled because
+ # libtomcrypt lacks it and we don't particularly want to add it.
+ # 2) We disable the hardening flags as our compiler already enables them
+ # by default as is appropriate for the target.
+ local myeconfargs=(
+ --disable-harden
+
+ # bug #836900
+ $(use_enable !elibc_musl lastlog)
+ $(use_enable !elibc_musl wtmp)
+
+ $(use_enable static bundled-libtom)
+ $(use_enable zlib)
+ $(use_enable pam)
+ $(use_enable !bsdpty openpty)
+ $(use_enable shadow)
+ $(use_enable static)
+ $(use_enable syslog)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ set_options
+ emake "${makeopts[@]}" PROGRAMS="${progs[*]}"
+
+ # need symlinks for tests
+ if use multicall && use test; then
+ local x
+ for x in "${progs[@]}" ; do
+ ln -sf dropbearmulti ${x} || die "ln -s dropbearmulti to ${x} failed"
+ done
+ fi
+}
+
+src_install() {
+ set_options
+ emake "${makeopts[@]}" PROGRAMS="${progs[*]}" DESTDIR="${D}" install
+ doman manpages/*.8
+ newinitd "${FILESDIR}"/dropbear.init.d-r1 dropbear
+ newconfd "${FILESDIR}"/dropbear.conf.d dropbear
+ dodoc CHANGES README.md SMALL.md MULTI.md
+
+ # The multi install target does not install the links right.
+ if use multicall ; then
+ pushd "${ED}"/usr/bin &> /dev/null || die
+ local x
+ for x in "${progs[@]}" ; do
+ ln -sf dropbearmulti ${x} || die "ln -s dropbearmulti to ${x} failed"
+ done
+ rm -f dropbear
+ dodir /usr/sbin
+ dosym -r /usr/bin/dropbearmulti /usr/sbin/dropbear
+ popd &> /dev/null || die
+ fi
+ save_config localoptions.h
+
+ if ! use minimal ; then
+ mv "${ED}"/usr/bin/{,db}scp || die
+ fi
+
+ if use pam; then
+ pamd_mimic system-remote-login dropbear auth account password session
+ fi
+}
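Review bot: The `sed` in src_prepare that applies `/DROPBEAR_X11FWD/s:0:1:` switches X11 forwarding on for every server build with no USE flag and no comment, which enlarges the daemon's exposed surface in a commit whose stated purpose is a security bump. I would gate it the way DSS is gated on the following line, or at minimum record the intent above the `sed`, e.g. `# X11 forwarding is enabled unconditionally here; users can override it through savedconfig (localoptions.h)`. Separately, in python_check_deps the result of the asyncssh probe inside `if use test-async` is discarded, so an interpreter lacking asyncssh can still be accepted; `python_has_version "dev-python/asyncssh[${PYTHON_USEDEP}]" || return 1` makes the check count. `--disable-harden` in src_configure depends on the toolchain defaults described in its comment, which is worth re-confirming for profiles or custom toolchains that do not enable those flags.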
