fix CVE-2025-26465 CVE-2025-32728

Signed-off-by: bitianyuan <bitianyuan@huawei.com>
2025-04-13 21:32:26 +08:00 · 2025-04-13 21:32:26 +08:00 · 96ea89803e
commit 96ea89803e
parent 38de450321
3 changed files with 190 additions and 1 deletions
--- a/backport-fix-CVE-2025-26465.patch
+++ b/backport-fix-CVE-2025-26465.patch
@ -0,0 +1,138 @@
+From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 18 Feb 2025 08:02:48 +0000
+Subject: upstream: Fix cases where error codes were not correctly set
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit/?id=0832aac79517611dd4de93ad0a83577994d9c907
+---
+ krl.c           | 2 ++
+ ssh-agent.c     | 3 +++
+ ssh-sk-client.c | 2 ++
+ sshconnect2.c   | 5 ++++-
+ sshsig.c        | 1 +
+ 5 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/krl.c b/krl.c
+index 8d6dec2..ce640b5 100644
+--- a/krl.c
+++ b/krl.c
+@@ -675,6 +675,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+ 			break;
+ 		case KRL_SECTION_CERT_SERIAL_BITMAP:
+ 			if (rs->lo - bitmap_start > INT_MAX) {
+				r = SSH_ERR_INVALID_FORMAT;
+ 				error_f("insane bitmap gap");
+ 				goto out;
+ 			}
+@@ -1009,6 +1010,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
+ 		goto out;
+ 
+ 	if ((krl = ssh_krl_init()) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+ 		error_f("alloc failed");
+ 		goto out;
+ 	}
+diff --git a/ssh-agent.c b/ssh-agent.c
+index ccc61cd..c25bed0 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1188,6 +1188,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+ 	    "restrict-destination-v00@openssh.com") == 0) {
+ 		if (*dcsp != NULL) {
+ 			error_f("%s already set", ext_name);
+			r = SSH_ERR_INVALID_FORMAT;
+ 			goto out;
+ 		}
+ 		if ((r = sshbuf_froms(m, &b)) != 0) {
+@@ -1197,6 +1198,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+ 		while (sshbuf_len(b) != 0) {
+ 			if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) {
+ 				error_f("too many %s constraints", ext_name);
+				r = SSH_ERR_INVALID_FORMAT;
+ 				goto out;
+ 			}
+ 			*dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1,
+@@ -1715,6 +1717,7 @@ process_ext_session_bind(SocketEntry *e)
+ 	/* record new key/sid */
+ 	if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
+ 		error_f("too many session IDs recorded");
+		r = -1;
+ 		goto out;
+ 	}
+ 	e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
+diff --git a/ssh-sk-client.c b/ssh-sk-client.c
+index 321fe53..750accb 100644
+--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
+@@ -439,6 +439,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+ 		}
+ 		if ((srk = calloc(1, sizeof(*srk))) == NULL) {
+ 			error_f("calloc failed");
+			r = SSH_ERR_ALLOC_FAIL;
+ 			goto out;
+ 		}
+ 		srk->key = key;
+@@ -450,6 +451,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+ 		if ((tmp = recallocarray(srks, nsrks, nsrks + 1,
+ 		    sizeof(*srks))) == NULL) {
+ 			error_f("recallocarray keys failed");
+			r = SSH_ERR_ALLOC_FAIL;
+ 			goto out;
+ 		}
+ 		debug_f("srks[%zu]: %s %s uidlen %zu", nsrks,
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 3e6202b..e6d8905 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -101,7 +101,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+ 	    options.required_rsa_size)) != 0)
+ 		fatal_r(r, "Bad server host key");
+ 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+-	    xxx_conn_info) == -1)
+	    xxx_conn_info) != 0)
+ 		fatal("Host key verification failed.");
+ 	return 0;
+ }
+@@ -803,6 +803,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 
+ 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
+ 		debug_f("server sent unknown pkalg %s", pkalg);
+		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+@@ -813,6 +814,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		error("input_userauth_pk_ok: type mismatch "
+ 		    "for decoded key (received %d, expected %d)",
+ 		    key->type, pktype);
+		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 
+@@ -832,6 +834,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		    SSH_FP_DEFAULT);
+ 		error_f("server replied with unknown key: %s %s",
+ 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	ident = format_identity(id);
+diff --git a/sshsig.c b/sshsig.c
+index eb2a931..e476aa1 100644
+--- a/sshsig.c
+++ b/sshsig.c
+@@ -863,6 +863,7 @@ cert_filter_principals(const char *path, u_long linenum,
+ 	}
+ 	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+ 		error_f("buffer error");
+		r = SSH_ERR_ALLOC_FAIL;
+ 		goto out;
+ 	}
+ 	/* success */
+-- 
+2.43.0
+
--- a/backport-fix-CVE-2025-32728.patch
+++ b/backport-fix-CVE-2025-32728.patch
@ -0,0 +1,41 @@
+From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: upstream: Fix logic error in DisableForwarding option. This option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit/?id=fc86875e6acb36401dfc1dfb6b628a9d1460f367
+---
+ session.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/session.c b/session.c
+index be6a31a..80adc60 100644
+--- a/session.c
+++ b/session.c
+@@ -2351,7 +2351,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
+	    !options.allow_agent_forwarding ||
+	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2769,7 +2770,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
+	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
+-- 
+2.43.0
+
--- a/openssh.spec
+++ b/openssh.spec
@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}

 %global sshd_uid    74
-%global openssh_release 7
+%global openssh_release 8

 Name:           openssh
 Version:        9.3p2
@ -114,6 +114,8 @@ Patch91:        backport-openssh-6.6p1-keyperm.patch
 Patch92:        backport-upstream-make-parsing-user-host-consistently-look-for-the-last-in.patch
 Patch93:        backport-upstream-Do-not-apply-authorized_keys-options-when-signature.patch
 Patch94:        backport-upstream-some-extra-paranoia.patch
+Patch95:        backport-fix-CVE-2025-26465.patch
+Patch96:        backport-fix-CVE-2025-32728.patch

 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -277,6 +279,8 @@ popd
 %patch92 -p1
 %patch93 -p1
 %patch94 -p1
+%patch95 -p1
+%patch96 -p1

 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -493,6 +497,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*

 %changelog
+* Fri Apr 11 2025 bitianyuan<bitianyuan@huawei.com> - 9.3p2-8
+- Type:CVE
+- CVE:CVE-2025-26465 CVE-2025-32728
+- SUG:NA
+- DESC:fix CVE-2025-26465 CVE-2025-32728
+
 * Tue Jan 14 2025 bitianyuan <bitianyuan@huawei.com> - 9.3p2-7
 - Type:bugfix
 - ID:NA