diff --git a/SPECS/openssh/CVE-2025-61984.patch b/SPECS/openssh/CVE-2025-61984.patch
new file mode 100644
index 00000000000..f7dea4b04fd
--- /dev/null
+++ b/SPECS/openssh/CVE-2025-61984.patch
@@ -0,0 +1,122 @@
+From dd02e9decdb3d0a171c71666793afb8d36de2292 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Thu, 9 Oct 2025 16:32:16 +0000
+Subject: [PATCH] backport: Improve rules for %-expansion of username; avoid
+ expanding commandline user, add control-char check in valid_ruser, validate
+ expanded/literal users accordingly
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0.patch
+---
+ ssh.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 58 insertions(+), 3 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 0019281..e871aa3 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -243,6 +243,31 @@ default_client_percent_dollar_expand(const char *str,
+ return ret;
+ }
+
++/* Like default_client_percent_dollar_expand() but exclude %r and %C */
++static char *
++default_client_percent_dollar_expand_nouser(const char *str,
++ const struct ssh_conn_info *cinfo)
++{
++ char *ret;
++
++ ret = percent_dollar_expand(str,
++ /* omit C (conn_hash_hex) and r (remuser) */
++ "L", cinfo->shorthost,
++ "i", cinfo->uidstr,
++ "k", cinfo->keyalias,
++ "l", cinfo->thishost,
++ "n", cinfo->host_arg,
++ "p", cinfo->portstr,
++ "d", cinfo->homedir,
++ "h", cinfo->remhost,
++ "u", cinfo->locuser,
++ "j", cinfo->jmphost,
++ (char *)NULL);
++ if (ret == NULL)
++ fatal("invalid environment variable expansion");
++ return ret;
++}
++
+ /*
+ * Attempt to resolve a host name / port to a set of addresses and
+ * optionally return any CNAMEs encountered along the way.
+@@ -670,6 +695,7 @@ main(int ac, char **av)
+ struct ssh *ssh = NULL;
+ int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+ int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
++ int user_on_commandline = 0, user_was_default = 0, user_expanded = 0;
+ char *p, *cp, *line, *argv0, *logfile;
+ char cname[NI_MAXHOST], thishost[NI_MAXHOST];
+ struct stat st;
+@@ -1016,8 +1042,10 @@ main(int ac, char **av)
+ }
+ break;
+ case 'l':
+- if (options.user == NULL)
++ if (options.user == NULL) {
+ options.user = optarg;
++ user_on_commandline = 1;
++ }
+ break;
+
+ case 'L':
+@@ -1288,8 +1316,10 @@ main(int ac, char **av)
+ if (fill_default_options(&options) != 0)
+ cleanup_exit(255);
+
+- if (options.user == NULL)
++ if (options.user == NULL) {
++ user_was_default = 1;
+ options.user = xstrdup(pw->pw_name);
++ }
+
+ /*
+ * If ProxyJump option specified, then construct a ProxyCommand now.
+@@ -1430,11 +1460,36 @@ main(int ac, char **av)
+ options.host_key_alias : options.host_arg);
+ cinfo->host_arg = xstrdup(options.host_arg);
+ cinfo->remhost = xstrdup(host);
+- cinfo->remuser = xstrdup(options.user);
+ cinfo->homedir = xstrdup(pw->pw_dir);
+ cinfo->locuser = xstrdup(pw->pw_name);
+ cinfo->jmphost = xstrdup(options.jump_host == NULL ?
+ "" : options.jump_host);
++
++ /*
++ * If the user was specified via a configuration directive then attempt
++ * to expand it. It cannot contain %r (itself) or %C since User is
++ * a component of the hash.
++ */
++ if (!user_on_commandline && !user_was_default) {
++ char *up;
++ up = default_client_percent_dollar_expand_nouser(options.user, cinfo);
++ user_expanded = strcmp(up, options.user) != 0;
++ free(options.user);
++ options.user = up;
++ }
++
++ /*
++ * Usernames specified on the commandline or expanded from the
++ * configuration file must be validated.
++ * Conversely, usernames from getpwnam(3) or specified as literals
++ * via configuration (i.e. not expanded) are not subject to validation.
++ */
++ if ((user_on_commandline || user_expanded) &&
++ !valid_ruser(options.user))
++ fatal("remote username contains invalid characters");
++
++ /* Now User is expanded, store it and calculate hash. */
++ cinfo->remuser = xstrdup(options.user);
+ cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost,
+ cinfo->remhost, cinfo->portstr, cinfo->remuser, cinfo->jmphost);
+
+--
+2.45.4
+
diff --git a/SPECS/openssh/CVE-2025-61985.patch b/SPECS/openssh/CVE-2025-61985.patch
new file mode 100644
index 00000000000..64cfc19c3a2
--- /dev/null
+++ b/SPECS/openssh/CVE-2025-61985.patch
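Review bot: The Subject line promises a control-character check in valid_ruser(), but the diffstat lists only ssh.c (58 insertions, 3 deletions) and no hunk touches valid_ruser, so that half of the referenced upstream change is not in this backport. The new `if ((user_on_commandline || user_expanded) && !valid_ruser(options.user))` guard only rejects control characters if this tree's valid_ruser (defined in misc.c in the OpenSSH sources I know of) already does; if it still checks only the shell-metacharacter set, a control character in an expanded User is not rejected here, and that is the case the fix exists for. Either add the misc.c hunk to this patch or fold it into CVE-2025-61985.patch, which already patches misc.c. Separately, `user_on_commandline = 1` is set only in the `-l` case; the `user@host` and ssh:// URI parsing lies outside these hunks, so confirm those paths set the flag as well, otherwise a command-line username still goes through %-expansion as if it came from configuration. main() begins and ends outside the hunk.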
@@ -0,0 +1,46 @@
+From 4c9a93a418fe3377737484c3f210595e8400da93 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Thu, 9 Oct 2025 15:57:10 +0000
+Subject: [PATCH] misc.c: urldecode: don't allow NUL in percent-escapes; avoid
+ fatal on oversized input; sync OpenBSD RCS id to 1.205
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043
+---
+ misc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index afdf514..275e280 100644
+--- a/misc.c
++++ b/misc.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
++/* $OpenBSD: misc.c,v 1.205 2025/09/04 00:30:06 djm Exp $ */
+ /*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2005-2020 Damien Miller. All rights reserved.
+@@ -969,7 +969,7 @@ urldecode(const char *src)
+ size_t srclen;
+
+ if ((srclen = strlen(src)) >= SIZE_MAX)
+- fatal_f("input too large");
++ return NULL;
+ ret = xmalloc(srclen + 1);
+ for (dst = ret; *src != '\0'; src++) {
+ switch (*src) {
+@@ -977,9 +977,10 @@ urldecode(const char *src)
+ *dst++ = ' ';
+ break;
+ case '%':
++ /* note: don't allow \0 characters */
+ if (!isxdigit((unsigned char)src[1]) ||
+ !isxdigit((unsigned char)src[2]) ||
+- (ch = hexchar(src + 1)) == -1) {
++ (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ free(ret);
+ return NULL;
+ }
+--
+2.45.4
+
diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec
index 8ce1300086a..e66c884301a 100644
--- a/SPECS/openssh/openssh.spec
+++ b/SPECS/openssh/openssh.spec
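Review bot: The first hunk rewrites the `$OpenBSD: misc.c,v 1.205` id, which asserts the file is in sync with OpenBSD revision 1.205, yet the diffstat shows only the two urldecode() hunks (4 insertions, 3 deletions) being applied on top of 1.196; the intervening revisions are not in this patch, so the id now overstates what the file contains and will mislead the next rebase. I would leave the id at 1.196, or at least state in the patch description that only the urldecode() part of the sync is carried. The `ch == 0` rejection and the `return NULL` that replaces `fatal_f()` read correctly; every existing caller already has to handle the NULL that the malformed-escape path two lines below returns. urldecode()'s body continues outside the hunk.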
@@ -40,6 +40,8 @@ Patch401: CVE-2025-32728.patch
 # The tests fail with the following error:
 # dlsym(sk_api_version) failed: (...)/sk-dummy.so: undefined symbol: sk_api_version
 Patch965: openssh-8.2p1-visibility.patch
+Patch966: CVE-2025-61984.patch
+Patch967: CVE-2025-61985.patch
 BuildRequires: audit-devel
 BuildRequires: autoconf
 BuildRequires: e2fsprogs-devel
@@ -100,6 +102,8 @@ The module is most useful for su and sudo service stacks.
 %prep
 %setup -q -a 3
+%patch 966 -p1
+%patch 967 -p1
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 %patch -P 300 -p2 -b .psaa-build