pool/openssh
SHA256
12
0
Fork 1
Code Issues Pull Requests Activity

- Update to openssh 9.9p2:

Browse Source 
= Security
  * Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
    (inclusive) contained a logic error that allowed an on-path
    attacker (a.k.a MITM) to impersonate any server when the
    VerifyHostKeyDNS option is enabled. This option is off by
    default.
  * Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
    (inclusive) is vulnerable to a memory/CPU denial-of-service
    related to the handling of SSH2_MSG_PING packets. This
    condition may be mitigated using the existing
    PerSourcePenalties feature.
  Both vulnerabilities were discovered and demonstrated to be
  exploitable by the Qualys Security Advisory team. The openSSH
  team thanks them for their detailed review of OpenSSH.
  = Bugfixes
  * ssh(1), sshd(8): fix regression in Match directive that caused
    failures when predicates and their arguments were separated by
    '=' characters instead of whitespace (bz3739).
  * sshd(8): fix the "Match invalid-user" predicate, which was
    matching incorrectly in the initial pass of config evaluation.
  * ssh(1), sshd(8), ssh-keyscan(1): fix mlkem768x25519-sha256 key
    exchange on big-endian systems.
  * Fix a number of build problems on particular operating systems
    and configurations.
- Remove patches that are already included in 9.9p2:
  * 0001-fix-utmpx-ifdef.patch
  * 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
  * 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
  * 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=283
This commit is contained in:
Antonio Larrosa
2025-02-18 09:56:28 +00:00
committed by Git OBS Bridge
parent d7201bdb47
commit d77e0c9092
12 changed files with 59 additions and 673 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
0001-fix-utmpx-ifdef.patch
View File

@@ -1,36 +0,0 @@
From c7fda601186ff28128cfe3eab9c9c0622de096e1 Mon Sep 17 00:00:00 2001
From: Christoph Ostarek <christoph@zededa.com>
Date: Wed, 3 Jul 2024 12:46:59 +0200
Subject: fix utmpx ifdef
02e16ad95fb1f56ab004b01a10aab89f7103c55d did a copy-paste for
utmpx, but forgot to change the ifdef appropriately
---
loginrec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/loginrec.c b/loginrec.c
index 7460bb2c..45f13dee 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -723,7 +723,7 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
void
construct_utmpx(struct logininfo *li, struct utmpx *utx)
{
-# ifdef HAVE_ADDR_V6_IN_UTMP
+# ifdef HAVE_ADDR_V6_IN_UTMPX
struct sockaddr_in6 *sa6;
# endif
memset(utx, '\0', sizeof(*utx));
@@ -769,7 +769,7 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
if (li->hostaddr.sa.sa_family == AF_INET)
utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
# endif
-# ifdef HAVE_ADDR_V6_IN_UTMP
+# ifdef HAVE_ADDR_V6_IN_UTMPX
/* this is just a 128-bit IPv6 address */
if (li->hostaddr.sa.sa_family == AF_INET6) {
sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
--
cgit v1.2.3

291
0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
View File

@@ -1,291 +0,0 @@
From 66878e12a207fa9746dee3e2bdcca29b704cf035 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 25 Sep 2024 01:24:04 +0000
Subject: upstream: fix regression introduced when I switched the "Match"
criteria tokeniser to a more shell-like one. Apparently the old tokeniser
(accidentally?) allowed "Match criteria=argument" as well as the "Match
criteria argument" syntax that we tested for.
People were using this syntax so this adds back support for
"Match criteria=argument"
bz3739 ok dtucker
OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
---
misc.c | 23 ++++++++++++++++++++++-
misc.h | 3 ++-
readconf.c | 28 +++++++++++++++++++++++-----
servconf.c | 57 ++++++++++++++++++++++++++++++++++++++++++---------------
4 files changed, 89 insertions(+), 22 deletions(-)
diff --git a/misc.c b/misc.c
index afdf5142..1b4b55c5 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.197 2024/09/25 01:24:04 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -107,6 +107,27 @@ rtrim(char *s)
}
}
+/*
+ * returns pointer to character after 'prefix' in 's' or otherwise NULL
+ * if the prefix is not present.
+ */
+const char *
+strprefix(const char *s, const char *prefix, int ignorecase)
+{
+ size_t prefixlen;
+
+ if ((prefixlen = strlen(prefix)) == 0)
+ return s;
+ if (ignorecase) {
+ if (strncasecmp(s, prefix, prefixlen) != 0)
+ return NULL;
+ } else {
+ if (strncmp(s, prefix, prefixlen) != 0)
+ return NULL;
+ }
+ return s + prefixlen;
+}
+
/* set/unset filedescriptor to non-blocking */
int
set_nonblock(int fd)
diff --git a/misc.h b/misc.h
index 11340389..efecdf1a 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.110 2024/09/25 01:24:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -56,6 +56,7 @@ struct ForwardOptions {
char *chop(char *);
void rtrim(char *);
void skip_space(char **);
+const char *strprefix(const char *, const char *, int);
char *strdelim(char **);
char *strdelimw(char **);
int set_nonblock(int);
diff --git a/readconf.c b/readconf.c
index 3d9cc6db..de42fb6f 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
struct passwd *pw, const char *host_arg, const char *original_host,
int final_pass, int *want_final_pass, const char *filename, int linenum)
{
- char *arg, *oattrib, *attrib, *cmd, *host, *criteria;
+ char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
const char *ruser;
int r, this_result, result = 1, attributes = 0, negate;
@@ -731,7 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
debug2("checking match for '%s' host %s originally %s",
full_line, host, original_host);
- while ((oattrib = attrib = argv_next(acp, avp)) != NULL) {
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
+ attrib = xstrdup(oattrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp);
@@ -777,9 +778,23 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
this_result ? "" : "not ", oattrib);
continue;
}
+
+ /* Keep this list in sync with below */
+ if (strprefix(attrib, "host=", 1) != NULL ||
+ strprefix(attrib, "originalhost=", 1) != NULL ||
+ strprefix(attrib, "user=", 1) != NULL ||
+ strprefix(attrib, "localuser=", 1) != NULL ||
+ strprefix(attrib, "localnetwork=", 1) != NULL ||
+ strprefix(attrib, "tagged=", 1) != NULL ||
+ strprefix(attrib, "exec=", 1) != NULL) {
+ arg = strchr(attrib, '=');
+ *(arg++) = '\0';
+ } else {
+ arg = argv_next(acp, avp);
+ }
+
/* All other criteria require an argument */
- if ((arg = argv_next(acp, avp)) == NULL ||
- *arg == '\0' || *arg == '#') {
+ if (arg == NULL || *arg == '\0' || *arg == '#') {
error("Missing Match criteria for %s", attrib);
result = -1;
goto out;
@@ -856,6 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
criteria == NULL ? "" : criteria,
criteria == NULL ? "" : "\"");
free(criteria);
+ free(attrib);
+ attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
@@ -865,6 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
+ free(attrib);
free(host);
return result;
}
diff --git a/servconf.c b/servconf.c
index 89b8413e..dd774f46 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.419 2024/09/25 01:24:04 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1033,7 +1033,7 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
int line, struct connection_info *ci)
{
int result = 1, attributes = 0, port;
- char *arg, *attrib;
+ char *arg, *attrib = NULL, *oattrib;
if (ci == NULL)
debug3("checking syntax for 'Match %s'", full_line);
@@ -1047,7 +1047,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
ci->laddress ? ci->laddress : "(null)", ci->lport);
}
- while ((attrib = argv_next(acp, avp)) != NULL) {
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
+ attrib = xstrdup(oattrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp); /* mark all arguments consumed */
@@ -1062,11 +1063,13 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
*arg != '\0' && *arg != '#')) {
error("'all' cannot be combined with other "
"Match attributes");
- return -1;
+ result = -1;
+ goto out;
}
if (arg != NULL && *arg == '#')
argv_consume(acp); /* consume remaining args */
- return 1;
+ result = 1;
+ goto out;
}
/* Criterion "invalid-user" also has no argument */
if (strcasecmp(attrib, "invalid-user") == 0) {
@@ -1078,11 +1081,26 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
debug("matched invalid-user at line %d", line);
continue;
}
+
+ /* Keep this list in sync with below */
+ if (strprefix(attrib, "user=", 1) != NULL ||
+ strprefix(attrib, "group=", 1) != NULL ||
+ strprefix(attrib, "host=", 1) != NULL ||
+ strprefix(attrib, "address=", 1) != NULL ||
+ strprefix(attrib, "localaddress=", 1) != NULL ||
+ strprefix(attrib, "localport=", 1) != NULL ||
+ strprefix(attrib, "rdomain=", 1) != NULL) {
+ arg = strchr(attrib, '=');
+ *(arg++) = '\0';
+ } else {
+ arg = argv_next(acp, avp);
+ }
+
/* All other criteria require an argument */
- if ((arg = argv_next(acp, avp)) == NULL ||
- *arg == '\0' || *arg == '#') {
+ if (arg == NULL || *arg == '\0' || *arg == '#') {
error("Missing Match criteria for %s", attrib);
- return -1;
+ result = -1;
+ goto out;
}
if (strcasecmp(attrib, "user") == 0) {
if (ci == NULL || (ci->test && ci->user == NULL)) {
@@ -1105,7 +1123,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
match_test_missing_fatal("Group", "user");
switch (match_cfg_line_group(arg, line, ci->user)) {
case -1:
- return -1;
+ result = -1;
+ goto out;
case 0:
result = 0;
}
@@ -1141,7 +1160,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
result = 0;
break;
case -2:
- return -1;
+ result = -1;
+ goto out;
}
} else if (strcasecmp(attrib, "localaddress") == 0){
if (ci == NULL || (ci->test && ci->laddress == NULL)) {
@@ -1166,13 +1186,15 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
result = 0;
break;
case -2:
- return -1;
+ result = -1;
+ goto out;
}
} else if (strcasecmp(attrib, "localport") == 0) {
if ((port = a2port(arg)) == -1) {
error("Invalid LocalPort '%s' on Match line",
arg);
- return -1;
+ result = -1;
+ goto out;
}
if (ci == NULL || (ci->test && ci->lport == -1)) {
result = 0;
@@ -1200,16 +1222,21 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
debug("user %.100s matched 'RDomain %.100s' at "
"line %d", ci->rdomain, arg, line);
} else {
- error("Unsupported Match attribute %s", attrib);
- return -1;
+ error("Unsupported Match attribute %s", oattrib);
+ result = -1;
+ goto out;
}
+ free(attrib);
+ attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
return -1;
}
- if (ci != NULL)
+ out:
+ if (ci != NULL && result != -1)
debug3("match %sfound", result ? "" : "not ");
+ free(attrib);
return result;
}
--
cgit v1.2.3

65
0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
View File

@@ -1,65 +0,0 @@
From 19bcb2d90c6caf14abf386b644fb24eb7afab889 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 26 Sep 2024 23:55:08 +0000
Subject: upstream: fix previous change to ssh_config Match, which broken on
negated Matches; spotted by phessler@ ok deraadt@
OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
---
readconf.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/readconf.c b/readconf.c
index de42fb6f..9f559269 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.392 2024/09/26 23:55:08 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
struct passwd *pw, const char *host_arg, const char *original_host,
int final_pass, int *want_final_pass, const char *filename, int linenum)
{
- char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
+ char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria;
const char *ruser;
int r, this_result, result = 1, attributes = 0, negate;
@@ -731,8 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
debug2("checking match for '%s' host %s originally %s",
full_line, host, original_host);
- while ((oattrib = argv_next(acp, avp)) != NULL) {
- attrib = xstrdup(oattrib);
+ while ((attrib = argv_next(acp, avp)) != NULL) {
+ attrib = oattrib = xstrdup(attrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp);
@@ -871,8 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
criteria == NULL ? "" : criteria,
criteria == NULL ? "" : "\"");
free(criteria);
- free(attrib);
- attrib = NULL;
+ free(oattrib);
+ oattrib = attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
@@ -882,7 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
- free(attrib);
+ free(oattrib);
free(host);
return result;
}
--
cgit v1.2.3

94
0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
View File

@@ -1,94 +0,0 @@
From 11f348196b3fb51c3d8d1f4f36db9d73f03149ed Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 27 Oct 2024 02:06:01 +0000
Subject: upstream: fix ML-KEM768x25519 KEX on big-endian systems; spotted by
jsg@ feedback/ok deraadt@
OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
---
libcrux_mlkem768_sha3.h | 8 +++++---
mlkem768.sh | 17 ++++++++++++-----
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h
index a82d60e8..b8ac1436 100644
--- a/libcrux_mlkem768_sha3.h
+++ b/libcrux_mlkem768_sha3.h
@@ -1,4 +1,5 @@
-/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */
+
/* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */
/*
@@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
// CORE STUFF (conversions, endianness, ...)
static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
+ v = htole64(v);
memcpy(buf, &v, sizeof(v));
}
static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
uint64_t v;
memcpy(&v, buf, sizeof(v));
- return v;
+ return le64toh(v);
}
static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
uint32_t v;
memcpy(&v, buf, sizeof(v));
- return v;
+ return le32toh(v);
}
static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
diff --git a/mlkem768.sh b/mlkem768.sh
index 2fdc2831..3d12b2ed 100644
--- a/mlkem768.sh
+++ b/mlkem768.sh
@@ -1,9 +1,10 @@
#!/bin/sh
-# $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $
+# $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $
# Placed in the Public Domain.
#
-WANT_LIBCRUX_REVISION="origin/main"
+#WANT_LIBCRUX_REVISION="origin/main"
+WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35"
FILES="
libcrux/libcrux-ml-kem/cg/eurydice_glue.h
@@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))'
echo '#define KRML_HOST_EPRINTF(...)'
echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
echo
+
for i in $FILES; do
echo "/* from $i */"
# Changes to all files:
@@ -56,11 +58,16 @@ for i in $FILES; do
-e 's/[ ]*$//' \
$i | \
case "$i" in
- # XXX per-file handling goes here.
+ */libcrux-ml-kem/cg/eurydice_glue.h)
+ # Replace endian functions with versions that work.
+ perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' |
+ perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
+ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
+ ;;
# Default: pass through.
*)
- cat
- ;;
+ cat
+ ;;
esac
echo
done
--
cgit v1.2.3

155
fix-CVE-2025-26465-and-CVE-2025-26466.patch
View File

@@ -1,155 +0,0 @@
diff --git a/krl.c b/krl.c
index 51a2871..4ecb2c7 100644
--- a/krl.c
+++ b/krl.c
@@ -672,6 +672,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
break;
case KRL_SECTION_CERT_SERIAL_BITMAP:
if (rs->lo - bitmap_start > INT_MAX) {
+ r = SSH_ERR_INVALID_FORMAT;
error_f("insane bitmap gap");
goto out;
}
@@ -1057,6 +1058,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp)
}
if ((krl = ssh_krl_init()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
error_f("alloc failed");
goto out;
}
diff --git a/packet.c b/packet.c
index 72803fd..fa0f7ca 100644
--- a/packet.c
+++ b/packet.c
@@ -1839,6 +1839,14 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
return r;
DBG(debug("Received SSH2_MSG_PING len %zu", len));
+ if (!ssh->state->after_authentication) {
+ DBG(debug("Won't reply to PING in preauth"));
+ break;
+ }
+ if (ssh_packet_is_rekeying(ssh)) {
+ DBG(debug("Won't reply to PING during KEX"));
+ break;
+ }
if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
(r = sshpkt_put_string(ssh, d, len)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
diff --git a/ssh-agent.c b/ssh-agent.c
index 73276f6..607c4a0 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1207,6 +1207,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
"restrict-destination-v00@openssh.com") == 0) {
if (*dcsp != NULL) {
error_f("%s already set", ext_name);
+ r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if ((r = sshbuf_froms(m, &b)) != 0) {
@@ -1216,6 +1217,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
while (sshbuf_len(b) != 0) {
if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) {
error_f("too many %s constraints", ext_name);
+ r = SSH_ERR_INVALID_FORMAT;
goto out;
}
*dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1,
@@ -1233,6 +1235,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
}
if (*certs != NULL) {
error_f("%s already set", ext_name);
+ r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if ((r = sshbuf_get_u8(m, &v)) != 0 ||
@@ -1244,6 +1247,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
while (sshbuf_len(b) != 0) {
if (*ncerts >= AGENT_MAX_EXT_CERTS) {
error_f("too many %s constraints", ext_name);
+ r = SSH_ERR_INVALID_FORMAT;
goto out;
}
*certs = xrecallocarray(*certs, *ncerts, *ncerts + 1,
@@ -1744,6 +1748,7 @@ process_ext_session_bind(SocketEntry *e)
/* record new key/sid */
if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
error_f("too many session IDs recorded");
+ r = -1;
goto out;
}
e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
diff --git a/ssh-sk-client.c b/ssh-sk-client.c
index c00c633..27d27a2 100644
--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
@@ -429,6 +429,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
}
if ((srk = calloc(1, sizeof(*srk))) == NULL) {
error_f("calloc failed");
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
srk->key = key;
@@ -440,6 +441,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
if ((tmp = recallocarray(srks, nsrks, nsrks + 1,
sizeof(*srks))) == NULL) {
error_f("recallocarray keys failed");
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
debug_f("srks[%zu]: %s %s uidlen %zu", nsrks,
diff --git a/sshconnect2.c b/sshconnect2.c
index 9940833..9751b68 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -94,7 +94,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
options.required_rsa_size)) != 0)
fatal_r(r, "Bad server host key");
if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
- xxx_conn_info) == -1)
+ xxx_conn_info) != 0)
fatal("Host key verification failed.");
return 0;
}
@@ -692,6 +692,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
debug_f("server sent unknown pkalg %s", pkalg);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
@@ -702,6 +703,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
error("input_userauth_pk_ok: type mismatch "
"for decoded key (received %d, expected %d)",
key->type, pktype);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
@@ -721,6 +723,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
SSH_FP_DEFAULT);
error_f("server replied with unknown key: %s %s",
sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
ident = format_identity(id);
diff --git a/sshsig.c b/sshsig.c
index 72bbf73..a88e939 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -877,6 +877,7 @@ cert_filter_principals(const char *path, u_long linenum,
}
if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
error_f("buffer error");
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* success */

BIN
openssh-9.9p1.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

16
openssh-9.9p1.tar.gz.asc
View File

@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmbspccACgkQKj9BTnNg
YLppxRAAv7eU/Xd2w9MX9vWQdhugiPByEcKg7KuKXUUs9xJGy+HbLqPqUCvn1UW6
qodKoSAdeBuSB7AjzuIQ1lTVX7C67OmZaVPRq25ar5b+Wq4SSlv23KMRq0b4EVyw
pOW6R9tsxqYBwYaiXQ50APcYL8SpepnGU+b/iR15f7q3SU2XMVVtkVb149UdLOqK
smfurbDGwUKFb2Q009MUfEV/d9zq31tdSjphvkqAXCcmxc8siuOYWYcByuysie+m
NpaOpee0047L5JIxNSLsa2yZrJZhClP8LbTCH1Vfwr7l0KE5nvL2qAtPKI2XxGQC
3jXrDLzp10RFxV8sCym+QlY9pZyzGj9d3G7vCHtxWGQ1Y0Qt+xs18OeBpjiehRhl
WM3Y+cjoN35jBaGhOoHdh3ePZQdTUyZ16aSv0h/cUHOohiM7i/4XW+dQtkqsJsw4
a81O0E64WrL8ho3Ju9mwcVZ9A0aEaftJsmJPDB+qYBjF/i7xcnH32LginzP5pel7
/W0aS2C1ZNo3QKHezI6IA9MyENMZiAMy2ybvfmN0HgLBaBY1plJ8a5GvMwJc+Qwh
iCHLCQ6Qgf/1hh+F6liTXnhtedtFHneJdyqvd7XOoardDEipZjxcnGa4HthbDFU+
8XdHKnWWhn4BLA+y7KB3ZGURniQK+qibwkF6J63CuMU+LmG+bvQ=
=Ukrb
-----END PGP SIGNATURE-----

BIN
openssh-9.9p2.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
openssh-9.9p2.tar.gz.asc Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAme0QfUACgkQKj9BTnNg
YLo91A/7BcRjsaDO7VydmhkGWrQOtD/7p4LaSjJE8JY23YsEVRvOkUKJ8OPo7uVq
LxcpDqlaVxHSO/zVfgZg4tQHJct4MLp20PvokMCi6+k7GcioL+TOB19ON0FAx/Pq
vgUWv7jd7w0kT/Rpkygtrg4i0oFf2lg5cJEGFTHAuXsny+Sj+vmcCk92K2TW4e/8
tKgBsZrN7qVnmOAUeyAxFLZ7WiDVzfLTlPiVOfrGjEkbzNLiavjiCGBhGspkluRi
16O5txRp248FqlLgv42sgfUmJOqLSuSNchqk5ioB/9lHia5tDFG/d/4uNP/ELX6M
cAKvs0C0XV3QZxCxBQDL7/49YMsdFnbRIin86mPcahqb75ZpkK9rIgHuKhpgY8Jo
q8WlIPehai3vBWAkpFAsPWOZZwjd6a4C/YmD3pGyjH32rL6gxdHjKGs49nhKkDG9
izwIeCmNu3Ta+e/wEPcOBSX75bFfC83f51yhJb6PUvBl9OSm/L0LeoszmsKWd32j
Iu19zqlabAH7zZSEl1ZWd6Ct0X5XOEaOXGamz5Qw7XIEqfYmQyX/aY5M3/mWmq0K
1Z29MCEtFOirIiwcwUw80d4MCIIEol26M97Y00ZmZMBO7bCoCVr8FldHBfqbHBtC
dTdqesVDiRD/j5VZ3y/MgYo5e13F2OvtdCbvUi3DF2Uh5Rnk2nw=
=r4jr
-----END PGP SIGNATURE-----

2
openssh-askpass-gnome.spec
View File

@@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
Version: 9.9p1
Version: 9.9p2
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause

38
openssh.changes
View File

@@ -1,3 +1,41 @@
-------------------------------------------------------------------
Tue Feb 18 09:15:48 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
- Update to openssh 9.9p2:
= Security
* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by
default.
* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service
related to the handling of SSH2_MSG_PING packets. This
condition may be mitigated using the existing
PerSourcePenalties feature.
Both vulnerabilities were discovered and demonstrated to be
exploitable by the Qualys Security Advisory team. The openSSH
team thanks them for their detailed review of OpenSSH.
= Bugfixes
* ssh(1), sshd(8): fix regression in Match directive that caused
failures when predicates and their arguments were separated by
'=' characters instead of whitespace (bz3739).
* sshd(8): fix the "Match invalid-user" predicate, which was
matching incorrectly in the initial pass of config evaluation.
* ssh(1), sshd(8), ssh-keyscan(1): fix mlkem768x25519-sha256 key
exchange on big-endian systems.
* Fix a number of build problems on particular operating systems
and configurations.
- Remove patches that are already included in 9.9p2:
* 0001-fix-utmpx-ifdef.patch
* 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
* 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
* 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
* fix-CVE-2025-26465-and-CVE-2025-26466.patch
-------------------------------------------------------------------
Thu Feb 13 11:29:19 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>

13
openssh.spec
View File

@@ -51,7 +51,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 9.9p1
Version: 9.9p2
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
@@ -138,22 +138,11 @@ Patch103: openssh-6.6p1-privsep-selinux.patch
Patch104: openssh-6.6p1-keycat.patch
Patch105: openssh-6.6.1p1-selinux-contexts.patch
Patch106: openssh-7.6p1-cleanup-selinux.patch
# PATCH-FIX-UPSTREAM bsc#1237040 CVE-2025-26465 bsc#1237041 CVE-2025-26466
Patch107: fix-CVE-2025-26465-and-CVE-2025-26466.patch
# 200 - 300 -- Patches submitted to upstream
# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
Patch200: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
# PATCH-FIX-UPSTREAM -- https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4
Patch201: fix-x11-regression-bsc1229449.patch
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
Patch202: 0001-fix-utmpx-ifdef.patch
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
Patch203: 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
Patch204: 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
# PATCH-FIX-UPSTREAM -- From the V_9_9 branch
Patch205: 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
# 1000 - 2000 -- Conditional patches
%if %{with crypto_policies}
# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support