From 3bfba90499afe08746c15afb48e1de67012e2168 Mon Sep 17 00:00:00 2001 From: bitianyuan Date: Tue, 18 Feb 2025 22:06:48 +0800 Subject: [PATCH] Fix CVE-2025-26465 CVE-2025-26466 Signed-off-by: bitianyuan (cherry picked from commit a7d21f3c0bfc0a39811984b4371e0813699ac9c9) --- backport-fix-CVE-2025-26465.patch | 146 ++++++++++++++++++++++++++++++ backport-fix-CVE-2025-26466.patch | 36 ++++++++ openssh.spec | 12 ++- 3 files changed, 193 insertions(+), 1 deletion(-) create mode 100644 backport-fix-CVE-2025-26465.patch create mode 100644 backport-fix-CVE-2025-26466.patch diff --git a/backport-fix-CVE-2025-26465.patch b/backport-fix-CVE-2025-26465.patch new file mode 100644 index 0000000..6003303 --- /dev/null +++ b/backport-fix-CVE-2025-26465.patch @@ -0,0 +1,146 @@ +From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 18 Feb 2025 08:02:48 +0000 +Subject: upstream: Fix cases where error codes were not correctly set + +Reported by the Qualys Security Advisory team. ok markus@ + +OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit/?id=0832aac79517611dd4de93ad0a83577994d9c907 +--- + krl.c | 2 ++ + ssh-agent.c | 4 ++++ + ssh-sk-client.c | 2 ++ + sshconnect2.c | 5 ++++- + sshsig.c | 1 + + 5 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/krl.c b/krl.c +index f4fc547..cec61a8 100644 +--- a/krl.c ++++ b/krl.c +@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) + break; + case KRL_SECTION_CERT_SERIAL_BITMAP: + if (rs->lo - bitmap_start > INT_MAX) { ++ r = SSH_ERR_INVALID_FORMAT; + error_f("insane bitmap gap"); + goto out; + } +@@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp) + } + + if ((krl = ssh_krl_init()) == NULL) { ++ r = SSH_ERR_ALLOC_FAIL; + error_f("alloc failed"); + goto out; + } +diff --git a/ssh-agent.c b/ssh-agent.c +index 5956438..7418c21 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1204,6 +1204,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, + "restrict-destination-v00@openssh.com") == 0) { + if (*dcsp != NULL) { + error_f("%s already set", ext_name); ++ r = SSH_ERR_INVALID_FORMAT; + goto out; + } + if ((r = sshbuf_froms(m, &b)) != 0) { +@@ -1230,6 +1231,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, + } + if (*certs != NULL) { + error_f("%s already set", ext_name); ++ r = SSH_ERR_INVALID_FORMAT; + goto out; + } + if ((r = sshbuf_get_u8(m, &v)) != 0 || +@@ -1241,6 +1243,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, + while (sshbuf_len(b) != 0) { + if (*ncerts >= AGENT_MAX_EXT_CERTS) { + error_f("too many %s constraints", ext_name); ++ r = SSH_ERR_INVALID_FORMAT; + goto out; + } + *certs = xrecallocarray(*certs, *ncerts, *ncerts + 1, +@@ -1797,6 +1800,7 @@ process_ext_session_bind(SocketEntry *e) + /* record new key/sid */ + if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) { + error_f("too many session IDs recorded"); ++ r = -1; + goto out; + } + e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids, +diff --git a/ssh-sk-client.c b/ssh-sk-client.c +index 321fe53..750accb 100644 +--- a/ssh-sk-client.c ++++ b/ssh-sk-client.c +@@ -439,6 +439,7 @@ sshsk_load_resident(const char *provider_path, const char *device, + } + if ((srk = calloc(1, sizeof(*srk))) == NULL) { + error_f("calloc failed"); ++ r = SSH_ERR_ALLOC_FAIL; + goto out; + } + srk->key = key; +@@ -450,6 +451,7 @@ sshsk_load_resident(const char *provider_path, const char *device, + if ((tmp = recallocarray(srks, nsrks, nsrks + 1, + sizeof(*srks))) == NULL) { + error_f("recallocarray keys failed"); ++ r = SSH_ERR_ALLOC_FAIL; + goto out; + } + debug_f("srks[%zu]: %s %s uidlen %zu", nsrks, +diff --git a/sshconnect2.c b/sshconnect2.c +index 0157595..69cf0c4 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -101,7 +101,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) + options.required_rsa_size)) != 0) + fatal_r(r, "Bad server host key"); + if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, +- xxx_conn_info) == -1) ++ xxx_conn_info) != 0) + fatal("Host key verification failed."); + return 0; + } +@@ -805,6 +805,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + + if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { + debug_f("server sent unknown pkalg %s", pkalg); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { +@@ -815,6 +816,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + error("input_userauth_pk_ok: type mismatch " + "for decoded key (received %d, expected %d)", + key->type, pktype); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + +@@ -834,6 +836,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + SSH_FP_DEFAULT); + error_f("server replied with unknown key: %s %s", + sshkey_type(key), fp == NULL ? "" : fp); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + ident = format_identity(id); +diff --git a/sshsig.c b/sshsig.c +index d50d65f..1b7f40d 100644 +--- a/sshsig.c ++++ b/sshsig.c +@@ -874,6 +874,7 @@ cert_filter_principals(const char *path, u_long linenum, + } + if ((principals = sshbuf_dup_string(nprincipals)) == NULL) { + error_f("buffer error"); ++ r = SSH_ERR_ALLOC_FAIL; + goto out; + } + /* success */ +-- +2.33.0 + diff --git a/backport-fix-CVE-2025-26466.patch b/backport-fix-CVE-2025-26466.patch new file mode 100644 index 0000000..6fd12d8 --- /dev/null +++ b/backport-fix-CVE-2025-26466.patch @@ -0,0 +1,36 @@ +From 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 18 Feb 2025 08:02:12 +0000 +Subject: upstream: Don't reply to PING in preauth phase or during KEX + +Reported by the Qualys Security Advisory team. ok markus@ + +OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit/?id=6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 +--- + packet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/packet.c b/packet.c +index 00ec509..5da9239 100644 +--- a/packet.c ++++ b/packet.c +@@ -1812,6 +1812,14 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0) + return r; + DBG(debug("Received SSH2_MSG_PING len %zu", len)); ++ if (!ssh->state->after_authentication) { ++ DBG(debug("Won't reply to PING in preauth")); ++ break; ++ } ++ if (ssh_packet_is_rekeying(ssh)) { ++ DBG(debug("Won't reply to PING during KEX")); ++ break; ++ } + if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 || + (r = sshpkt_put_string(ssh, d, len)) != 0 || + (r = sshpkt_send(ssh)) != 0) +-- +2.33.0 + diff --git a/openssh.spec b/openssh.spec index 7dbfe8c..2a727d7 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 4 +%global openssh_release 5 Name: openssh Version: 9.6p1 @@ -111,6 +111,8 @@ Patch70: backport-upstream-make-parsing-user-host-consistently-look-for-t Patch71: backport-upstream-Do-not-apply-authorized_keys-options-when-signature.patch Patch72: backport-upstream-some-extra-paranoia.patch Patch73: backport-fix-CVE-2024-39894.patch +Patch74: backport-fix-CVE-2025-26465.patch +Patch75: backport-fix-CVE-2025-26466.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -268,6 +270,8 @@ popd %patch -P 71 -p1 %patch -P 72 -p1 %patch -P 73 -p1 +%patch -P 74 -p1 +%patch -P 75 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 @@ -499,6 +503,12 @@ fi %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Tue Feb 18 2025 bitianyuan - 9.6p1-5 +- Type:CVE +- CVE:CVE-2025-26465 CVE-2025-26466 +- SUG:NA +- DESC:Fix CVE-2025-26465 CVE-2025-26466 + * Fri Feb 7 2025 bitianyuan - 9.6p1-4 - Type:CVE - CVE:CVE-2024-39894 -- Gitee