From 56c8daea0f8ec38419878ae331dc127125e5687c Mon Sep 17 00:00:00 2001
From: bitianyuan <bitianyuan@huawei.com>
Date: Sun, 13 Apr 2025 22:07:24 +0800
Subject: [PATCH] fix CVE-2025-26465 CVE-2025-32728

Signed-off-by: bitianyuan <bitianyuan@huawei.com>
(cherry picked from commit 551af70fafc12798d38666aff929649a43fb54ee)
---
 backport-fix-CVE-2025-26465.patch | 20 ++++++++++-----
 backport-fix-CVE-2025-32728.patch | 41 +++++++++++++++++++++++++++++++
 openssh.spec                      | 10 +++++++-
 3 files changed, 64 insertions(+), 7 deletions(-)
 create mode 100644 backport-fix-CVE-2025-32728.patch

diff --git a/backport-fix-CVE-2025-26465.patch b/backport-fix-CVE-2025-26465.patch
index 6003303..4eebe6c 100644
--- a/backport-fix-CVE-2025-26465.patch
+++ b/backport-fix-CVE-2025-26465.patch
@@ -10,11 +10,11 @@ Conflict:NA
 Reference:https://anongit.mindrot.org/openssh.git/commit/?id=0832aac79517611dd4de93ad0a83577994d9c907
 ---
  krl.c           | 2 ++
- ssh-agent.c     | 4 ++++
+ ssh-agent.c     | 5 +++++
  ssh-sk-client.c | 2 ++
  sshconnect2.c   | 5 ++++-
  sshsig.c        | 1 +
- 5 files changed, 13 insertions(+), 1 deletion(-)
+ 5 files changed, 14 insertions(+), 1 deletion(-)
 
 diff --git a/krl.c b/krl.c
 index f4fc547..cec61a8 100644
@@ -37,7 +37,7 @@ index f4fc547..cec61a8 100644
  		goto out;
  	}
 diff --git a/ssh-agent.c b/ssh-agent.c
-index 5956438..7418c21 100644
+index 5956438..f0ec3db 100644
 --- a/ssh-agent.c
 +++ b/ssh-agent.c
 @@ -1204,6 +1204,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
@@ -48,7 +48,15 @@ index 5956438..7418c21 100644
  			goto out;
  		}
  		if ((r = sshbuf_froms(m, &b)) != 0) {
-@@ -1230,6 +1231,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+@@ -1213,6 +1214,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+ 		while (sshbuf_len(b) != 0) {
+ 			if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) {
+ 				error_f("too many %s constraints", ext_name);
++				r = SSH_ERR_INVALID_FORMAT;
+ 				goto out;
+ 			}
+ 			*dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1,
+@@ -1230,6 +1232,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
  		}
  		if (*certs != NULL) {
  			error_f("%s already set", ext_name);
@@ -56,7 +64,7 @@ index 5956438..7418c21 100644
  			goto out;
  		}
  		if ((r = sshbuf_get_u8(m, &v)) != 0 ||
-@@ -1241,6 +1243,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+@@ -1241,6 +1244,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
  		while (sshbuf_len(b) != 0) {
  			if (*ncerts >= AGENT_MAX_EXT_CERTS) {
  				error_f("too many %s constraints", ext_name);
@@ -64,7 +72,7 @@ index 5956438..7418c21 100644
  				goto out;
  			}
  			*certs = xrecallocarray(*certs, *ncerts, *ncerts + 1,
-@@ -1797,6 +1800,7 @@ process_ext_session_bind(SocketEntry *e)
+@@ -1797,6 +1801,7 @@ process_ext_session_bind(SocketEntry *e)
  	/* record new key/sid */
  	if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
  		error_f("too many session IDs recorded");
diff --git a/backport-fix-CVE-2025-32728.patch b/backport-fix-CVE-2025-32728.patch
new file mode 100644
index 0000000..d5682dc
--- /dev/null
+++ b/backport-fix-CVE-2025-32728.patch
@@ -0,0 +1,41 @@
+From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: upstream: Fix logic error in DisableForwarding option. This option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit/?id=fc86875e6acb36401dfc1dfb6b628a9d1460f367
+---
+ session.c | 7 +++--
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/session.c b/session.c
+index 6653cd6..94a9161 100644
+--- a/session.c
++++ b/session.c
+@@ -2351,7 +2351,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2776,7 +2777,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
+-- 
+2.43.0
+
diff --git a/openssh.spec b/openssh.spec
index 2a727d7..6436784 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 5
+%global openssh_release 6
 
 Name:           openssh
 Version:        9.6p1
@@ -113,6 +113,7 @@ Patch72:        backport-upstream-some-extra-paranoia.patch
 Patch73:        backport-fix-CVE-2024-39894.patch
 Patch74:        backport-fix-CVE-2025-26465.patch
 Patch75:        backport-fix-CVE-2025-26466.patch
+Patch76:        backport-fix-CVE-2025-32728.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -272,6 +273,7 @@ popd
 %patch -P 73 -p1
 %patch -P 74 -p1
 %patch -P 75 -p1
+%patch -P 76 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -503,6 +505,12 @@ fi
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Fri Apr 11 2025 bitianyuan<bitianyuan@huawei.com> - 9.6p1-6
+- Type:CVE
+- CVE:CVE-2025-26465 CVE-2025-32728
+- SUG:NA
+- DESC:fix CVE-2025-26465 CVE-2025-32728
+
 * Tue Feb 18 2025 bitianyuan <bitianyuan@huawei.com> - 9.6p1-5
 - Type:CVE
 - CVE:CVE-2025-26465 CVE-2025-26466
-- 
Gitee