diff --git a/backport-fix-CVE-2025-26465.patch b/backport-fix-CVE-2025-26465.patch new file mode 100644 index 0000000000000000000000000000000000000000..e514b92a2474c80401fdcc42d83e4f8f83c58b4e --- /dev/null +++ b/backport-fix-CVE-2025-26465.patch @@ -0,0 +1,101 @@ +From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 18 Feb 2025 08:02:48 +0000 +Subject: upstream: Fix cases where error codes were not correctly set + +Reported by the Qualys Security Advisory team. ok markus@ + +OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit/?id=0832aac79517611dd4de93ad0a83577994d9c907 +--- + krl.c | 2 ++ + ssh-sk-client.c | 1 + + sshconnect2.c | 5 ++++- + sshsig.c | 1 + + 4 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/krl.c b/krl.c +index 03476de..6b3e7a0 100644 +--- a/krl.c ++++ b/krl.c +@@ -677,6 +677,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) + break; + case KRL_SECTION_CERT_SERIAL_BITMAP: + if (rs->lo - bitmap_start > INT_MAX) { ++ r = SSH_ERR_INVALID_FORMAT; + error("%s: insane bitmap gap", __func__); + goto out; + } +@@ -1012,6 +1013,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, + goto out; + + if ((krl = ssh_krl_init()) == NULL) { ++ r = SSH_ERR_ALLOC_FAIL; + error("%s: alloc failed", __func__); + goto out; + } +diff --git a/ssh-sk-client.c b/ssh-sk-client.c +index 8d7e6c3..bc5e189 100644 +--- a/ssh-sk-client.c ++++ b/ssh-sk-client.c +@@ -420,6 +420,7 @@ sshsk_load_resident(const char *provider_path, const char *device, + if ((tmp = recallocarray(keys, nkeys, nkeys + 1, + sizeof(*keys))) == NULL) { + error("%s: recallocarray keys failed", __func__); ++ r = SSH_ERR_ALLOC_FAIL; + goto out; + } + debug("%s: keys[%zu]: %s %s", __func__, +diff --git a/sshconnect2.c b/sshconnect2.c +index ae018ff..aee158d 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -97,7 +97,7 @@ struct sockaddr *xxx_hostaddr; + static int + verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) + { +- if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1) ++ if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) != 0) + fatal("Host key verification failed."); + return 0; + } +@@ -765,6 +765,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + + if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { + debug("%s: server sent unknown pkalg %s", __func__, pkalg); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { +@@ -775,6 +776,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + error("input_userauth_pk_ok: type mismatch " + "for decoded key (received %d, expected %d)", + key->type, pktype); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + +@@ -794,6 +796,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + SSH_FP_DEFAULT); + error("%s: server replied with unknown key: %s %s", __func__, + sshkey_type(key), fp == NULL ? "" : fp); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + ident = format_identity(id); +diff --git a/sshsig.c b/sshsig.c +index e63a36e..2ce994d 100644 +--- a/sshsig.c ++++ b/sshsig.c +@@ -908,6 +908,7 @@ cert_filter_principals(const char *path, u_long linenum, + } + if ((principals = sshbuf_dup_string(nprincipals)) == NULL) { + error("%s: buffer error", __func__); ++ r = SSH_ERR_ALLOC_FAIL; + goto out; + } + /* success */ +-- +2.43.0 + diff --git a/backport-fix-CVE-2025-32728.patch b/backport-fix-CVE-2025-32728.patch new file mode 100644 index 0000000000000000000000000000000000000000..7b19eb51cdb2ac2317939a078f7a4c1f474a0f3f --- /dev/null +++ b/backport-fix-CVE-2025-32728.patch @@ -0,0 +1,41 @@ +From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Wed, 9 Apr 2025 07:00:03 +0000 +Subject: upstream: Fix logic error in DisableForwarding option. This option + +was documented as disabling X11 and agent forwarding but it failed to do so. +Spotted by Tim Rice. + +OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit/?id=fc86875e6acb36401dfc1dfb6b628a9d1460f367 +--- + session.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/session.c b/session.c +index 383c8ee..00535a6 100644 +--- a/session.c ++++ b/session.c +@@ -2348,7 +2348,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s) + if ((r = sshpkt_get_end(ssh)) != 0) + sshpkt_fatal(ssh, r, "%s: parse packet", __func__); + if (!auth_opts->permit_agent_forwarding_flag || +- !options.allow_agent_forwarding) { ++ !options.allow_agent_forwarding || ++ options.disable_forwarding) { + debug("%s: agent forwarding disabled", __func__); + return 0; + } +@@ -2766,7 +2767,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s) + ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options."); + return 0; + } +- if (!options.x11_forwarding) { ++ if (!options.x11_forwarding || options.disable_forwarding) { + debug("X11 forwarding disabled in server configuration file."); + return 0; + } +-- +2.43.0 + diff --git a/openssh.spec b/openssh.spec index 2d4e6d87e57611a136f5f31666268cadea97b945..2910d501671b635a21c3c27c811b677c7d0c7eec 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 30 +%global openssh_release 31 Name: openssh Version: 8.2p1 @@ -106,6 +106,8 @@ Patch72: set-ssh-config.patch Patch73: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch Patch74: backport-CVE-2023-48795.patch Patch75: fix-memory-leak-in-kex-exchange.patch +Patch76: backport-fix-CVE-2025-26465.patch +Patch77: backport-fix-CVE-2025-32728.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -284,6 +286,8 @@ popd %patch73 -p1 %patch74 -p1 %patch75 -p1 +%patch76 -p1 +%patch77 -p1 autoreconf pushd pam_ssh_agent_auth-0.10.3 @@ -493,6 +497,12 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Fri Apr 11 2025 bitianyuan - 8.2p1-31 +- Type:CVE +- CVE:CVE-2025-26465 CVE-2025-32728 +- SUG:NA +- DESC:fix CVE-2025-26465 CVE-2025-32728 + * Fri Feb 2 2024 songjuntao - 8.2p1-30 - Type:bugfix - CVE: