From 29a0927954fbb732669023c45ba845e505e84d71 Mon Sep 17 00:00:00 2001
From: wenxin <wx02272781@alibaba-inc.com>
Date: Mon, 4 Aug 2025 10:18:52 +0800
Subject: [PATCH] Add patch to fix CVE-2025-32728

---
 CVE-2025-32728.patch | 43 +++++++++++++++++++++++++++++++++++++++++++
 openssh.spec         | 10 +++++++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-32728.patch

diff --git a/CVE-2025-32728.patch b/CVE-2025-32728.patch
new file mode 100644
index 0000000..5f3ef3b
--- /dev/null
+++ b/CVE-2025-32728.patch
@@ -0,0 +1,43 @@
+From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: [PATCH] upstream: Fix logic error in DisableForwarding option. This
+ option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+---
+ session.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/session.c b/session.c
+index 52a4a3446e6..6444c77f31c 100644
+--- a/session.c
++++ b/session.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: session.c,v 1.340 2024/12/06 06:55:28 dtucker Exp $ */
++/* $OpenBSD: session.c,v 1.341 2025/04/09 07:00:03 djm Exp $ */
+ /*
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+  *                    All rights reserved
+@@ -2171,7 +2171,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2566,7 +2567,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
diff --git a/openssh.spec b/openssh.spec
index 93d3215..c70b697 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 
 %global WITH_SELINUX 1
 
@@ -227,6 +227,10 @@ Patch1018: 0001-upstream-Fix-logic-error-in-DisableForwarding-option.patch
 # https://anongit.mindrot.org/openssh.git/commit/?id=0832aac79517611dd4de93ad0a83577994d9c907
 Patch1019: bugfix-for-cve-2025-26465.patch
 
+# CVE-2025-32728
+# https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367
+Patch1020: CVE-2025-32728.patch
+
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
 
@@ -443,6 +447,7 @@ popd
 %patch -P 1017 -p1
 %patch -P 1018 -p1
 %patch -P 1019 -p1
+%patch -P 1020 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -751,6 +756,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Mon Aug 04 2025 wenxin <wx02272781@alibaba-inc.com> - 9.6p1-2
+- Add patch to fix CVE-2025-32728
+
 * Tue Jun 03 2025 Cheng Yang <yc02267530@alibaba-inc.com> - 9.6p1-1
 - update to 9.6p1
 - The patch was removed because the new version already included the patch content
-- 
Gitee