XPost: linux.debian.devel.release

--gS2aC9rA+mKyXPoR
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: dropbear@packages.debian.org
Control: affects -1 + src:dropbear
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

Fix CVE-2025-47203 (shell injection vulnerability in multihop handling).

[ Impact ]

dbclient(1) hostnames could result in running arbitrary shell commands
locally during multihop handling.

[ Tests ]

Manual tests for the injection itself and also to ensure that multihop
still works.

[ Risks ]

Low risk: backported patches from upstream's 2022.84 to 2025.88 release.

[ Checklist ]

[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable

[ Changes ]

Backport upstream changes to fix CVE-2025-47203.

--
Guilhem.

--gS2aC9rA+mKyXPoR
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="dropbear.debdiff" Content-Transfer-Encoding: quoted-printable

diffstat for dropbear-2022.83 dropbear-2022.83

changelog | 6
patches/CVE-2025-47203.patch | 365 ++++++++++
patches/Handle-arbitrary-length-paths-and-commands-in-multihop_pa.patch | 99 ++
patches/series | 2
4 files changed, 472 insertions(+)

diff -Nru dropbear-2022.83/debian/changelog dropbear-2022.83/debian/changelog --- dropbear-2022.83/debian/changelog 2024-07-09 14:22:02.000000000 +0200
+++ dropbear-2022.83/debian/changelog 2025-05-16 15:01:36.000000000 +0200
@@ -1,3 +1,9 @@
+dropbear (2022.83-1+deb12u3) bookworm; urgency=high
+
+ * Fix CVE-2025-47203: Shell injection vulnerability in multihop handling.
+
+ -- Guilhem Moulin <gui