azurelinux-security · azurelinux-security · Oct 9, 2025
diff --git a/SPECS/openssh/CVE-2025-61984.patch b/SPECS/openssh/CVE-2025-61984.patch
@@ -0,0 +1,122 @@
+From dd02e9decdb3d0a171c71666793afb8d36de2292 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Thu, 9 Oct 2025 16:32:16 +0000
+Subject: [PATCH] backport: Improve rules for %-expansion of username; avoid
+ expanding commandline user, add control-char check in valid_ruser, validate
+ expanded/literal users accordingly
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0.patch
+---
+ ssh.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 58 insertions(+), 3 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 0019281..e871aa3 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -243,6 +243,31 @@ default_client_percent_dollar_expand(const char *str,
+ 	return ret;
+ }
+
++/* Like default_client_percent_dollar_expand() but exclude %r and %C */
++static char *
++default_client_percent_dollar_expand_nouser(const char *str,
++    const struct ssh_conn_info *cinfo)
++{
++	char *ret;
++
++	ret = percent_dollar_expand(str,
++	    /* omit C (conn_hash_hex) and r (remuser) */
++	    "L", cinfo->shorthost,
++	    "i", cinfo->uidstr,
++	    "k", cinfo->keyalias,
++	    "l", cinfo->thishost,
++	    "n", cinfo->host_arg,
++	    "p", cinfo->portstr,
++	    "d", cinfo->homedir,
++	    "h", cinfo->remhost,
++	    "u", cinfo->locuser,
++	    "j", cinfo->jmphost,
++	    (char *)NULL);
++	if (ret == NULL)
++		fatal("invalid environment variable expansion");
++	return ret;
++}
++
+ /*
+  * Attempt to resolve a host name / port to a set of addresses and
+  * optionally return any CNAMEs encountered along the way.
+@@ -670,6 +695,7 @@ main(int ac, char **av)
+ 	struct ssh *ssh = NULL;
+ 	int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+ 	int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
++	int user_on_commandline = 0, user_was_default = 0, user_expanded = 0;
+ 	char *p, *cp, *line, *argv0, *logfile;
+ 	char cname[NI_MAXHOST], thishost[NI_MAXHOST];
+ 	struct stat st;
+@@ -1016,8 +1042,10 @@ main(int ac, char **av)
+ 			}
+ 			break;
+ 		case 'l':
+-			if (options.user == NULL)
++			if (options.user == NULL) {
+ 				options.user = optarg;
++				user_on_commandline = 1;
++			}
+ 			break;
+
+ 		case 'L':
+@@ -1288,8 +1316,10 @@ main(int ac, char **av)
+ 	if (fill_default_options(&options) != 0)
+ 		cleanup_exit(255);
+
+-	if (options.user == NULL)
++	if (options.user == NULL) {
++		user_was_default = 1;
+ 		options.user = xstrdup(pw->pw_name);
++	}
+
+ 	/*
+ 	 * If ProxyJump option specified, then construct a ProxyCommand now.
+@@ -1430,11 +1460,36 @@ main(int ac, char **av)
+ 	    options.host_key_alias : options.host_arg);
+ 	cinfo->host_arg = xstrdup(options.host_arg);
+ 	cinfo->remhost = xstrdup(host);
+-	cinfo->remuser = xstrdup(options.user);
+ 	cinfo->homedir = xstrdup(pw->pw_dir);
+ 	cinfo->locuser = xstrdup(pw->pw_name);
+ 	cinfo->jmphost = xstrdup(options.jump_host == NULL ?
+ 	    "" : options.jump_host);
++
++	/*
++	 * If the user was specified via a configuration directive then attempt
++	 * to expand it. It cannot contain %r (itself) or %C since User is
++	 * a component of the hash.
++	 */
++	if (!user_on_commandline && !user_was_default) {
++		char *up;
++		up = default_client_percent_dollar_expand_nouser(options.user, cinfo);
++		user_expanded = strcmp(up, options.user) != 0;
++		free(options.user);
++		options.user = up;
++	}
++
++	/*
++	 * Usernames specified on the commandline or expanded from the
++	 * configuration file must be validated.
++	 * Conversely, usernames from getpwnam(3) or specified as literals
++	 * via configuration (i.e. not expanded) are not subject to validation.
++	 */
++	if ((user_on_commandline || user_expanded) &&
++	    !valid_ruser(options.user))
++		fatal("remote username contains invalid characters");
++
++	/* Now User is expanded, store it and calculate hash. */
++	cinfo->remuser = xstrdup(options.user);
+ 	cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost,
+ 	    cinfo->remhost, cinfo->portstr, cinfo->remuser, cinfo->jmphost);
+
+-- 
+2.45.4
+
diff --git a/SPECS/openssh/CVE-2025-61985.patch b/SPECS/openssh/CVE-2025-61985.patch
@@ -0,0 +1,46 @@
+From 4c9a93a418fe3377737484c3f210595e8400da93 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Thu, 9 Oct 2025 15:57:10 +0000
+Subject: [PATCH] misc.c: urldecode: don't allow NUL in percent-escapes; avoid
+ fatal on oversized input; sync OpenBSD RCS id to 1.205
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043
+---
+ misc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index afdf514..275e280 100644
+--- a/misc.c
++++ b/misc.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
++/* $OpenBSD: misc.c,v 1.205 2025/09/04 00:30:06 djm Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
+@@ -969,7 +969,7 @@ urldecode(const char *src)
+ 	size_t srclen;
+
+ 	if ((srclen = strlen(src)) >= SIZE_MAX)
+-		fatal_f("input too large");
++		return NULL;
+ 	ret = xmalloc(srclen + 1);
+ 	for (dst = ret; *src != '\0'; src++) {
+ 		switch (*src) {
+@@ -977,9 +977,10 @@ urldecode(const char *src)
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
++			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}
+-- 
+2.45.4
+
diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec
@@ -40,6 +40,8 @@ Patch401:       CVE-2025-32728.patch
 # The tests fail with the following error:
 #   dlsym(sk_api_version) failed: (...)/sk-dummy.so: undefined symbol: sk_api_version
 Patch965: openssh-8.2p1-visibility.patch
+Patch966: CVE-2025-61984.patch
+Patch967: CVE-2025-61985.patch
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  e2fsprogs-devel
@@ -100,6 +102,8 @@ The module is most useful for su and sudo service stacks.
 
 %prep
 %setup -q -a 3
+%patch 966 -p1
+%patch 967 -p1
 
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 %patch -P 300 -p2 -b .psaa-build