Backport fix for 2025-47913

- Add CVE-2025-47913.patch to fix an SSH client process terminating
  when receiving an unexpected message type in response to a key
  listing or signing request (bsc#1253611, CVE-2025-47913)

CVE-2025-47913.patch

@@ -0,0 +1,54 @@
+From 2de8ea5d01b38bc555bc0ea8d00fc701841c571d Mon Sep 17 00:00:00 2001
+From: Nicola Murino <nicola.murino@gmail.com>
+Date: Sun, 31 Aug 2025 20:07:32 +0200
+Subject: [PATCH] ssh/agent: return an error for unexpected message types
+
+Previously, receiving an unexpected message type in response to a key
+listing or a signing request could cause a panic due to a failed type
+assertion.
+
+This change adds a default case to the type switch in order to detect
+and explicitly handle unknown or invalid message types, returning a
+descriptive error instead of crashing.
+
+Fixes golang/go#75178
+
+Change-Id: Icbc3432adc79fe3c56b1ff23c6724d7a6f710f3a
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/700295
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Reviewed-by: Jakub Ciolek <jakub@ciolek.dev>
+---
+ ssh/agent/client.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ssh/agent/client.go b/ssh/agent/client.go
+index 37525e1..b357e18 100644
+--- a/ssh/agent/client.go
++++ b/ssh/agent/client.go
+@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
+ 		return keys, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to list keys")
++	default:
++		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // Sign has the agent sign the data using a protocol 2 key as defined
+@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
+ 		return &sig, nil
+ 	case *failureAgentMsg:
+ 		return nil, errors.New("agent: failed to sign challenge")
++	default:
++		return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
+ 	}
+-	panic("unreachable")
+ }
+ 
+ // unmarshal parses an agent message in packet, returning the parsed
+-- 
+2.51.1
+

amazon-ssm-agent.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Nov 18 09:53:32 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Add CVE-2025-47913.patch to fix an SSH client process terminating
+  when receiving an unexpected message type in response to a key
+  listing or signing request (bsc#1253611, CVE-2025-47913)
+
 -------------------------------------------------------------------
 Tue Apr 15 10:41:20 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
 

amazon-ssm-agent.spec

@@ -24,6 +24,10 @@ License:        Apache-2.0
 Group:          System/Management
 URL:            https://github.com/aws/amazon-ssm-agent
 Source0:        https://github.com/aws/amazon-ssm-agent/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM - Fix an SSH client process terminating when receiving an unexpected
+# message type in response to a key listing or signing request (CVE-2025-47913)
+# Partial patch taken from https://cs.opensource.google/go/x/crypto/+/559e062ce8bfd6a39925294620b50906ca2a6f95
+Patch0:         CVE-2025-47913.patch
 BuildRequires:  go >= 1.21
 BuildRequires:  pkgconfig(systemd)
 Requires:       systemd
@@ -95,6 +99,9 @@ environment that are configured for Systems Manager.
 
 %prep
 %setup -q
+pushd vendor/golang.org/x/crypto
+%patch -P0 -p1
+popd
 sed -i -e 's#const[ \s]*Version.*#const Version = "%{version}"#g' agent/version/version.go
 sed -i 's#/bin/#/sbin/#' packaging/linux/amazon-ssm-agent.service
 sed -i 's#var defaultWorkerPath = "/usr/bin/"#var defaultWorkerPath = "/usr/sbin/"#' agent/appconfig/constants_unix.go