From 86167c3d5ab9369dba2d7397ee8bd79cf60fd74f Mon Sep 17 00:00:00 2001
From: hdliu <dev03108@linx-info.com>
Date: Mon, 14 Apr 2025 13:08:06 +0800
Subject: [PATCH] Fix CVE-2025-32728

Signed-off-by: hdliu <dev03108@linx-info.com>
(cherry picked from commit bbdf6195f7b126bec7013cd9e3789021fd7ea529)
---
 backport-upstream_CVE-2025-32728.patch | 39 ++++++++++++++++++++++++++
 openssh.spec                           | 10 ++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 backport-upstream_CVE-2025-32728.patch

diff --git a/backport-upstream_CVE-2025-32728.patch b/backport-upstream_CVE-2025-32728.patch
new file mode 100644
index 0000000..2cb4617
--- /dev/null
+++ b/backport-upstream_CVE-2025-32728.patch
@@ -0,0 +1,39 @@
+From a14795025b80225ca3741073c48783604189b663 Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Mon, 14 Apr 2025 12:48:57 +0800
+Subject: [PATCH] Fix logic error in DisableForwarding option. This option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+---
+ session.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/session.c b/session.c
+index 1b67393..e968c22 100644
+--- a/session.c
++++ b/session.c
+@@ -2345,7 +2345,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2761,7 +2762,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
+-- 
+2.33.0
+
diff --git a/openssh.spec b/openssh.spec
index 203b4dc..f02bd80 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 34
+%global openssh_release 35
 
 Name:           openssh
 Version:        8.8p1
@@ -135,6 +135,7 @@ Patch105:       backport-fix-CVE-2024-6387.patch
 Patch106:       backport-fix-CVE-2024-6409.patch
 Patch107:       backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch
 Patch108:       backport-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-during-KEX.patch
+Patch109:       backport-upstream_CVE-2025-32728.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -320,6 +321,7 @@ popd
 %patch106 -p1
 %patch107 -p1
 %patch108 -p1
+%patch109 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -526,6 +528,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Mon Apr 14 2025 hdliu<hdliu@linx-info.com> - 8.8p1-35
+- Type:CVE
+- CVE:CVE-2025-32728
+- SUG:NA
+- DESC:Fix CVE-2025-32728
+
 * Tue Feb 18 2025 bitianyuan<bitianyuan@huawei.com> - 8.8p1-34
 - Type:CVE
 - CVE:CVE-2025-26465
-- 
Gitee