[AutoPR- Security] Patch openssh for CVE-2025-61985 [MEDIUM] (microsoft#14847)

azurelinux-security · Kanishk-Bansal · web-flow · commit dc98a22a7ae8 · 2025-10-13T09:37:37.000+05:30
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/openssh/CVE-2025-61985.patch b/SPECS/openssh/CVE-2025-61985.patch
@@ -0,0 +1,49 @@
+From 47299a3348e9aab69833c11d36cac525c3140fc9 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Thu, 9 Oct 2025 14:34:25 +0000
+Subject: [PATCH] Backport: disallow NUL in urldecode and avoid fatal on large
+ input; sync OpenBSD ID
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0.patch
+---
+ misc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index b8933e9..246bb66 100644
+--- a/misc.c
++++ b/misc.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: misc.c,v 1.174 2022/02/11 00:43:56 dtucker Exp $ */
++/* $OpenBSD: misc.c,v 1.205 2025/09/04 00:30:06 djm Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
+@@ -930,17 +930,21 @@ urldecode(const char *src)
+ {
+ 	char *ret, *dst;
+ 	int ch;
++	size_t srclen;
+ 
+-	ret = xmalloc(strlen(src) + 1);
++	if ((srclen = strlen(src)) >= SIZE_MAX)
++		return NULL;
++	ret = xmalloc(srclen + 1);
+ 	for (dst = ret; *src != '\0'; src++) {
+ 		switch (*src) {
+ 		case '+':
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
++			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}
+-- 
+2.45.4
+
diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec
@@ -3,7 +3,7 @@
 Summary:        Free version of the SSH connectivity tools
 Name:           openssh
 Version:        %{openssh_ver}
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -50,6 +50,7 @@ Patch350:       CVE-2023-28531.patch
 Patch351:       CVE-2024-6387.patch
 Patch352:       CVE-2025-26465.patch
 Patch353:       CVE-2025-32728.patch
+Patch354:       CVE-2025-61985.patch
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  e2fsprogs-devel
@@ -138,6 +139,7 @@ popd
 %patch351 -p1 -b .cve-2024-6387
 %patch352 -p1 -b .cve-2025-26465
 %patch353 -p1 -b .cve-2025-32728
+%patch354 -p1 -b .CVE-2025-61985
 
 %build
 export CFLAGS="$CFLAGS -fpic"
@@ -294,6 +296,9 @@ fi
 %{_mandir}/man8/ssh-sk-helper.8.gz
 
 %changelog
+* Thu Oct 09 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 8.9p1-9
+- Patch CVE-2025-61985
+
 * Fri Apr 18 2025 Sudipta Pandit <sudpandit@microsoft.com> - 8.9p1-8
 - Patch CVE-2025-32728
 
