packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2025-26465

Browse Source 
Signed-off-by: bitianyuan <bitianyuan@huawei.com>
This commit is contained in:
bitianyuan 2025-02-18 21:09:48 +08:00
parent 2f0d852e48
commit 1b877bb2b1
2 changed files with 111 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
backport-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-during-KEX.patch Normal file
View File

@ -0,0 +1,102 @@
From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 18 Feb 2025 08:02:48 +0000
Subject: upstream: Fix cases where error codes were not correctly set
Reported by the Qualys Security Advisory team. ok markus@
OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit/?id=0832aac79517611dd4de93ad0a83577994d9c907
---
krl.c | 2 ++
ssh-sk-client.c | 1 +
sshconnect2.c | 5 ++++-
sshsig.c | 1 +
4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/krl.c b/krl.c
index ebeee5c..8e94fea 100644
--- a/krl.c
+++ b/krl.c
@@ -676,6 +676,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
break;
case KRL_SECTION_CERT_SERIAL_BITMAP:
if (rs->lo - bitmap_start > INT_MAX) {
+ r = SSH_ERR_INVALID_FORMAT;
error_f("insane bitmap gap");
goto out;
}
@@ -1010,6 +1011,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
goto out;
if ((krl = ssh_krl_init()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
error_f("alloc failed");
goto out;
}
diff --git a/ssh-sk-client.c b/ssh-sk-client.c
index 3ac16f5..5f463b5 100644
--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
@@ -411,6 +411,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
if ((tmp = recallocarray(keys, nkeys, nkeys + 1,
sizeof(*keys))) == NULL) {
error_f("recallocarray keys failed");
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
debug_f("keys[%zu]: %s %s", nkeys, sshkey_type(key),
diff --git a/sshconnect2.c b/sshconnect2.c
index 414fa2e..d9bfe15 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -97,7 +97,7 @@ static int
verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
{
if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
- xxx_conn_info) == -1)
+ xxx_conn_info) != 0)
fatal("Host key verification failed.");
return 0;
}
@@ -806,6 +806,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
debug_f("server sent unknown pkalg %s", pkalg);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
@@ -816,6 +817,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
error("input_userauth_pk_ok: type mismatch "
"for decoded key (received %d, expected %d)",
key->type, pktype);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
@@ -835,6 +837,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
SSH_FP_DEFAULT);
error_f("server replied with unknown key: %s %s",
sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
ident = format_identity(id);
diff --git a/sshsig.c b/sshsig.c
index 5b3209a..a513138 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -970,6 +970,7 @@ cert_filter_principals(const char *path, u_long linenum,
}
if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
error_f("buffer error");
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* success */
--
2.33.0

10
openssh.spec
View File

@ -6,7 +6,7 @@
%{?no_gtk2:%global gtk2 0} %{?no_gtk2:%global gtk2 0}
%global sshd_uid 74 %global sshd_uid 74
%global openssh_release 33 %global openssh_release 34
Name: openssh Name: openssh
Version: 8.8p1 Version: 8.8p1
@ -134,6 +134,7 @@ Patch104: fix-memory-leak-in-kex-exchange.patch
Patch105: backport-fix-CVE-2024-6387.patch Patch105: backport-fix-CVE-2024-6387.patch
Patch106: backport-fix-CVE-2024-6409.patch Patch106: backport-fix-CVE-2024-6409.patch
Patch107: backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch Patch107: backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch
Patch108: backport-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-during-KEX.patch
Requires: /sbin/nologin Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -318,6 +319,7 @@ popd
%patch105 -p1 %patch105 -p1
%patch106 -p1 %patch106 -p1
%patch107 -p1 %patch107 -p1
%patch108 -p1
autoreconf autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -524,6 +526,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog %changelog
* Tue Feb 18 2025 bitianyuan<bitianyuan@huawei.com> - 8.8p1-34
- Type:CVE
- CVE:CVE-2025-26465
- SUG:NA
- DESC:Fix CVE-2025-26465
* Thu Dec 5 2024 bitianyuan<bitianyuan@huawei.com> - 8.8p1-33 * Thu Dec 5 2024 bitianyuan<bitianyuan@huawei.com> - 8.8p1-33
- Type:bugfix - Type:bugfix
- CVE: - CVE: