packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2025-26465 CVE-2025-32728

Browse Source 
Signed-off-by: bitianyuan <bitianyuan@huawei.com>
This commit is contained in:
bitianyuan 2025-04-13 21:20:19 +08:00
parent f4a99783cf
commit 4d5ebc8cbb
3 changed files with 153 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
backport-fix-CVE-2025-26465.patch Normal file
View File

@ -0,0 +1,101 @@
From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 18 Feb 2025 08:02:48 +0000
Subject: upstream: Fix cases where error codes were not correctly set
Reported by the Qualys Security Advisory team. ok markus@
OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit/?id=0832aac79517611dd4de93ad0a83577994d9c907
---
krl.c | 2 ++
ssh-sk-client.c | 1 +
sshconnect2.c | 5 ++++-
sshsig.c | 1 +
4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/krl.c b/krl.c
index 03476de..6b3e7a0 100644
--- a/krl.c
+++ b/krl.c
@@ -677,6 +677,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
break;
case KRL_SECTION_CERT_SERIAL_BITMAP:
if (rs->lo - bitmap_start > INT_MAX) {
+ r = SSH_ERR_INVALID_FORMAT;
error("%s: insane bitmap gap", __func__);
goto out;
}
@@ -1012,6 +1013,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
goto out;
if ((krl = ssh_krl_init()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
error("%s: alloc failed", __func__);
goto out;
}
diff --git a/ssh-sk-client.c b/ssh-sk-client.c
index 8d7e6c3..bc5e189 100644
--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
@@ -420,6 +420,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
if ((tmp = recallocarray(keys, nkeys, nkeys + 1,
sizeof(*keys))) == NULL) {
error("%s: recallocarray keys failed", __func__);
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
debug("%s: keys[%zu]: %s %s", __func__,
diff --git a/sshconnect2.c b/sshconnect2.c
index ae018ff..aee158d 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -97,7 +97,7 @@ struct sockaddr *xxx_hostaddr;
static int
verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
{
- if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
+ if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) != 0)
fatal("Host key verification failed.");
return 0;
}
@@ -765,6 +765,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
debug("%s: server sent unknown pkalg %s", __func__, pkalg);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
@@ -775,6 +776,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
error("input_userauth_pk_ok: type mismatch "
"for decoded key (received %d, expected %d)",
key->type, pktype);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
@@ -794,6 +796,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
SSH_FP_DEFAULT);
error("%s: server replied with unknown key: %s %s", __func__,
sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
ident = format_identity(id);
diff --git a/sshsig.c b/sshsig.c
index e63a36e..2ce994d 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -908,6 +908,7 @@ cert_filter_principals(const char *path, u_long linenum,
}
if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
error("%s: buffer error", __func__);
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* success */
--
2.43.0

41
backport-fix-CVE-2025-32728.patch Normal file
View File

@ -0,0 +1,41 @@
From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 9 Apr 2025 07:00:03 +0000
Subject: upstream: Fix logic error in DisableForwarding option. This option
was documented as disabling X11 and agent forwarding but it failed to do so.
Spotted by Tim Rice.
OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit/?id=fc86875e6acb36401dfc1dfb6b628a9d1460f367
---
session.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/session.c b/session.c
index 383c8ee..00535a6 100644
--- a/session.c
+++ b/session.c
@@ -2348,7 +2348,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
if ((r = sshpkt_get_end(ssh)) != 0)
sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
if (!auth_opts->permit_agent_forwarding_flag ||
- !options.allow_agent_forwarding) {
+ !options.allow_agent_forwarding ||
+ options.disable_forwarding) {
debug("%s: agent forwarding disabled", __func__);
return 0;
}
@@ -2766,7 +2767,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
return 0;
}
- if (!options.x11_forwarding) {
+ if (!options.x11_forwarding || options.disable_forwarding) {
debug("X11 forwarding disabled in server configuration file.");
return 0;
}
--
2.43.0

12
openssh.spec
View File

@ -6,7 +6,7 @@
%{?no_gtk2:%global gtk2 0}
%global sshd_uid 74
%global openssh_release 30
%global openssh_release 31
Name: openssh
Version: 8.2p1
@ -106,6 +106,8 @@ Patch72: set-ssh-config.patch
Patch73: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
Patch74: backport-CVE-2023-48795.patch
Patch75: fix-memory-leak-in-kex-exchange.patch
Patch76: backport-fix-CVE-2025-26465.patch
Patch77: backport-fix-CVE-2025-32728.patch
Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -284,6 +286,8 @@ popd
%patch73 -p1
%patch74 -p1
%patch75 -p1
%patch76 -p1
%patch77 -p1
autoreconf
pushd pam_ssh_agent_auth-0.10.3
@ -493,6 +497,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog
* Fri Apr 11 2025 bitianyuan<bitianyuan@huawei.com> - 8.2p1-31
- Type:CVE
- CVE:CVE-2025-26465 CVE-2025-32728
- SUG:NA
- DESC:fix CVE-2025-26465 CVE-2025-32728
* Fri Feb 2 2024 songjuntao<songjuntao@kylinos.cn> - 8.2p1-30
- Type:bugfix
- CVE: