[AutoPR- Security] Patch openssh for CVE-2025-61985, CVE-2025-61984 [LOW] (microsoft#14827)

Co-authored-by: Kanishk Bansal <[email protected]>
Co-authored-by: Akarsh Chaudhary <[email protected]>

Author: 3 people

SPECS/openssh/CVE-2025-61984.patch

@@ -0,0 +1,31 @@
+From c3f60955db44c675359e6fa512e16eb2f6fddd0b Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Tue, 7 Oct 2025 16:06:54 +0000
+Subject: [PATCH] Backport: Improve rules for %-expansion of username. Validate
+ control chars in usernames, avoid percent expansion for command line or
+ default users; expand only configuration-specified users without using %r/%C;
+ update validation rules accordingly.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043.patch
+
+---
+ ssh.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ssh.c b/ssh.c
+index 0019281..182c7c3 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -649,6 +649,8 @@ valid_ruser(const char *s)
+ 	if (*s == '-')
+ 		return 0;
+ 	for (i = 0; s[i] != 0; i++) {
++		if (iscntrl((u_char)s[i]))
++			return 0;
+ 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ 			return 0;
+ 		/* Disallow '-' after whitespace */
+-- 
+2.43.0
+

SPECS/openssh/CVE-2025-61985.patch

@@ -0,0 +1,47 @@
+From 8c0e088108a64862ca7ffe120d1b75a0dc9393d2 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Tue, 7 Oct 2025 15:56:10 +0000
+Subject: [PATCH] misc: urldecode: don't allow NUL in url-encoded strings;
+ avoid fatal on oversized input\n\nUpstream OpenBSD change: don't allow \0
+ characters in url-encoded strings. Suggested by David Leadbeater, ok deraadt@
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0.patch
+---
+ misc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index afdf514..275e280 100644
+--- a/misc.c
++++ b/misc.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
++/* $OpenBSD: misc.c,v 1.205 2025/09/04 00:30:06 djm Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
+@@ -969,7 +969,7 @@ urldecode(const char *src)
+ 	size_t srclen;
+ 
+ 	if ((srclen = strlen(src)) >= SIZE_MAX)
+-		fatal_f("input too large");
++		return NULL;
+ 	ret = xmalloc(srclen + 1);
+ 	for (dst = ret; *src != '\0'; src++) {
+ 		switch (*src) {
+@@ -977,9 +977,10 @@ urldecode(const char *src)
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
++			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}
+-- 
+2.45.4
+

SPECS/openssh/openssh.spec

@@ -3,7 +3,7 @@
 Summary:        Free version of the SSH connectivity tools
 Name:           openssh
 Version:        %{openssh_ver}
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -36,10 +36,13 @@ Patch307:       pam_ssh_agent_auth-0.10.2-dereference.patch
 #This CVE Patches both CVE-2025-26465 and CVE-2025-26466
 Patch400:       CVE-2025-26465.patch
 Patch401:       CVE-2025-32728.patch
+Patch402:       CVE-2025-61984.patch
+Patch403:       CVE-2025-61985.patch
 # sk-dummy.so built with -fvisibility=hidden does not work
 # The tests fail with the following error:
 #   dlsym(sk_api_version) failed: (...)/sk-dummy.so: undefined symbol: sk_api_version
 Patch965: openssh-8.2p1-visibility.patch
+
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  e2fsprogs-devel
@@ -116,6 +119,8 @@ popd
 %patch -P 400 -p1 -b .CVE-2025-26465.patch
 %patch -P 401 -p1 -b .CVE-2025-32728.patch
 %patch -P 965 -p1 -b .visibility
+%patch -P 402 -p1 -b .CVE-2025-61984.patch
+%patch -P 403 -p1 -b .CVE-2025-61985.patch
 
 %build
 # The -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth.
@@ -274,6 +279,9 @@ fi
 %{_mandir}/man8/ssh-sk-helper.8.gz
 
 %changelog
+* Tue Oct 07 2025 Azure Linux Security Servicing Account <[email protected]> - 9.8p1-5
+- Patch CVE-2025-61985, CVE-2025-61984
+
 * Thu Apr 17 2025 Sudipta Pandit <[email protected]> - 9.8p1-4
 - Patch CVE-2025-32728