!338 Fix CVE-2025-26465

From: @bitianyuan 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

backport-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-during-KEX.patch

@@ -0,0 +1,102 @@
+From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 18 Feb 2025 08:02:48 +0000
+Subject: upstream: Fix cases where error codes were not correctly set
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit/?id=0832aac79517611dd4de93ad0a83577994d9c907
+
+---
+ krl.c           | 2 ++
+ ssh-sk-client.c | 1 +
+ sshconnect2.c   | 5 ++++-
+ sshsig.c        | 1 +
+ 4 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/krl.c b/krl.c
+index ebeee5c..8e94fea 100644
+--- a/krl.c
++++ b/krl.c
+@@ -676,6 +676,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+ 			break;
+ 		case KRL_SECTION_CERT_SERIAL_BITMAP:
+ 			if (rs->lo - bitmap_start > INT_MAX) {
++				r = SSH_ERR_INVALID_FORMAT;
+ 				error_f("insane bitmap gap");
+ 				goto out;
+ 			}
+@@ -1010,6 +1011,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
+ 		goto out;
+ 
+ 	if ((krl = ssh_krl_init()) == NULL) {
++		r = SSH_ERR_ALLOC_FAIL;
+ 		error_f("alloc failed");
+ 		goto out;
+ 	}
+diff --git a/ssh-sk-client.c b/ssh-sk-client.c
+index 3ac16f5..5f463b5 100644
+--- a/ssh-sk-client.c
++++ b/ssh-sk-client.c
+@@ -411,6 +411,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+ 		if ((tmp = recallocarray(keys, nkeys, nkeys + 1,
+ 		    sizeof(*keys))) == NULL) {
+ 			error_f("recallocarray keys failed");
++			r = SSH_ERR_ALLOC_FAIL;
+ 			goto out;
+ 		}
+ 		debug_f("keys[%zu]: %s %s", nkeys, sshkey_type(key),
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 414fa2e..d9bfe15 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -97,7 +97,7 @@ static int
+ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+ {
+ 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+-	    xxx_conn_info) == -1)
++	    xxx_conn_info) != 0)
+ 		fatal("Host key verification failed.");
+ 	return 0;
+ }
+@@ -806,6 +806,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 
+ 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
+ 		debug_f("server sent unknown pkalg %s", pkalg);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+@@ -816,6 +817,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		error("input_userauth_pk_ok: type mismatch "
+ 		    "for decoded key (received %d, expected %d)",
+ 		    key->type, pktype);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 
+@@ -835,6 +837,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		    SSH_FP_DEFAULT);
+ 		error_f("server replied with unknown key: %s %s",
+ 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	ident = format_identity(id);
+diff --git a/sshsig.c b/sshsig.c
+index 5b3209a..a513138 100644
+--- a/sshsig.c
++++ b/sshsig.c
+@@ -970,6 +970,7 @@ cert_filter_principals(const char *path, u_long linenum,
+ 	}
+ 	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+ 		error_f("buffer error");
++		r = SSH_ERR_ALLOC_FAIL;
+ 		goto out;
+ 	}
+ 	/* success */
+-- 
+2.33.0
+

backport-fix-CVE-2024-6387.patch

@@ -0,0 +1,28 @@
+Reference:https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+Conflict:NA
+---
+ log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/log.c b/log.c
+index dca08e4..5ca403a 100644
+--- a/log.c
++++ b/log.c
+@@ -458,12 +458,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+ 
+-- 
+2.33.0
+

backport-fix-CVE-2024-6409.patch

@@ -0,0 +1,22 @@
+Reference:https://www.openwall.com/lists/oss-security/2024/07/08/2
+Conflict:NA
+---
+ sshd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sshd.c b/sshd.c
+index cf7381e..04b7357 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -384,7 +384,7 @@ grace_alarm_handler(int sig)
+ 
+ 	/* Log error and exit. */
+ 	if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0)
+-		cleanup_exit(255); /* don't log in privsep child */
++		_exit(1); /* don't log in privsep child */
+ 	else {
+ 		sigdie("Timeout before authentication for %s port %d",
+ 		    ssh_remote_ipaddr(the_active_state),
+-- 
+2.43.0
+

backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch

@@ -0,0 +1,78 @@
+From 3c80942727444934fef8e06b2fd6ae51f1025d6d Mon Sep 17 00:00:00 2001
+From: bitianyuan <bitianyuan@huawei.com>
+Date: Thu, 5 Dec 2024 04:41:40 +0000
+Subject: [PATCH] backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory
+
+---
+ Makefile.in          | 1 +
+ configure.ac         | 6 ++++++
+ regress/test-exec.sh | 3 ++-
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 01895a7..b26e3a2 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -736,6 +736,7 @@ tests:	file-tests t-exec interop-tests unit
+ unit: regress-unit-binaries
+ 	BUILDDIR=`pwd`; \
+ 	cd $(srcdir)/regress || exit $$?; \
++	OPENSSL_BIN='@OPENSSL_BIN' \
+ 	$(MAKE) \
+ 		.OBJDIR="$${BUILDDIR}/regress" \
+ 		.CURDIR="`pwd`" \
+diff --git a/configure.ac b/configure.ac
+index d5a156c..0b36b5e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -119,10 +119,12 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
+ ])
+ 
+ openssl=yes
++openssl_bin=openssl
+ AC_ARG_WITH([openssl],
+ 	[  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
+ 	[  if test "x$withval" = "xno" ; then
+ 		openssl=no
++		openssl_bin=""
+ 	   fi
+ 	]
+ )
+@@ -2674,6 +2676,7 @@ AC_CHECK_FUNCS([getpgrp],[
+ # Search for OpenSSL
+ saved_CPPFLAGS="$CPPFLAGS"
+ saved_LDFLAGS="$LDFLAGS"
++openssl_bin_PATH="$PATH"
+ AC_ARG_WITH([ssl-dir],
+ 	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
+ 	[
+@@ -2709,9 +2712,12 @@ AC_ARG_WITH([ssl-dir],
+ 			else
+ 				CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ 			fi
++			openssl_bin_PATH="${PATH}${PATH_SEPARATOR}${withval}/bin${PATH_SEPARATOR}${withval}/apps"
+ 		fi
+ 	]
+ )
++AC_PATH_PROGS([openssl_bin], openssl, [], [$openssl_bin_PATH])
++AC_SUBST(OPENSSL_BIN, [${openssl_bin}])
+ 
+ AC_ARG_WITH([openssl-header-check],
+ 	[  --without-openssl-header-check Disable OpenSSL version consistency check],
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 3e3b20e..44cf725 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -102,7 +102,8 @@ CONCH=conch
+ 
+ # Tools used by multiple tests
+ NC=$OBJ/netcat
+-OPENSSL_BIN="${OPENSSL_BIN:-openssl}"
++# Always use the one configure tells us to, even if that's empty.
++#OPENSSL_BIN="${OPENSSL_BIN:-openssl}"
+ 
+ if [ "x$TEST_SSH_SSH" != "x" ]; then
+ 	SSH="${TEST_SSH_SSH}"
+-- 
+2.33.0
+

openssh.spec

@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 30
+%global openssh_release 34
 
 Name:           openssh
 Version:        8.8p1
@@ -131,6 +131,10 @@ Patch101:       backport-upstream-In-channel_request_remote_forwarding-the-pa.pa
 Patch102:       backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
 Patch103:       backport-CVE-2023-48795.patch
 Patch104:       fix-memory-leak-in-kex-exchange.patch 
+Patch105:       backport-fix-CVE-2024-6387.patch
+Patch106:       backport-fix-CVE-2024-6409.patch
+Patch107:       backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch
+Patch108:       backport-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-during-KEX.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -312,6 +316,10 @@ popd
 %patch102 -p1
 %patch103 -p1
 %patch104 -p1
+%patch105 -p1
+%patch106 -p1
+%patch107 -p1
+%patch108 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -386,7 +394,7 @@ popd
 if [ -e /sys/fs/selinux/enforce ]; then
     # Store the SElinux state
     cat /sys/fs/selinux/enforce > selinux.tmp
-    setenfore 0
+    setenforce 0
 fi
 make tests
 if [ -e /sys/fs/selinux/enforce ]; then
@@ -518,6 +526,30 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Tue Feb 18 2025 bitianyuan<bitianyuan@huawei.com> - 8.8p1-34
+- Type:CVE
+- CVE:CVE-2025-26465
+- SUG:NA
+- DESC:Fix CVE-2025-26465
+
+* Thu Dec 5 2024 bitianyuan<bitianyuan@huawei.com> - 8.8p1-33
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:Set OPENSSL_BIN from OpenSSL directory
+
+* Wed Jul 10 2024 songjuntao<songjuntao@kylinos.cn> - 8.8p1-32
+- Type:CVE
+- CVE:CVE-2024-6409
+- SUG:NA
+- DESC:Fix CVE-2024-6409
+
+* Tue Jul 2 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-31
+- Type:CVE
+- CVE:CVE-2024-6387
+- SUG:NA
+- DESC:Fix CVE-2024-6387
+
 * Mon Apr 29 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-30
 - Type:bugfix
 - CVE:

skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch

@@ -1,100 +0,0 @@
-From a0772385f1b4086aacdc6d84a3daea4b2ef26f30 Mon Sep 17 00:00:00 2001
-From: chengyechun <chengyechun1@huawei.com>
-Date: Thu, 5 Jan 2023 23:43:22 +0800
-Subject: [PATCH] skip tests for '%C' if there is no openssl on local path
-
----
- regress/percent.sh                            | 24 +++++++++++----
- ...t-if-there-is-no-openssl-on-local-pa.patch | 30 +++++++++++++++++++
- 2 files changed, 48 insertions(+), 6 deletions(-)
- create mode 100644 skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
-
-diff --git a/regress/percent.sh b/regress/percent.sh
-index 7ed4184..9c112eb 100644
---- a/regress/percent.sh
-+++ b/regress/percent.sh
-@@ -13,6 +13,10 @@ USERID=`id -u`
- HOST=`hostname | cut -f1 -d.`
- HOSTNAME=`hostname`
- 
-+# Check if there is openssl in local PATH
-+NOOPENSSL=0
-+for i in $PATH;do [ -x "$i/openssl" ] && NOOPENSSL=1; done
-+
- # Localcommand is evaluated after connection because %T is not available
- # until then.  Because of this we use a different method of exercising it,
- # and we can't override the remote user otherwise authentication will fail.
-@@ -77,11 +81,14 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
- 	if [ "$i" = "$localcommand" ]; then
- 		trial $i '%T' NONE
- 	fi
--	# Matches implementation in readconf.c:ssh_connection_hash()
--	HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
--	    $OPENSSL_BIN sha1 | cut -f2 -d' '`
-+    # skip tests for '%C' since no openssl in local PATH
-+	if [ $NOOPENSSL -eq 1 ]; then
-+	    # Matches implementation in readconf.c:ssh_connection_hash()	
-+        HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
-+            $OPENSSL_BIN sha1 | cut -f2 -d' '`
-+	fi
- 	trial $i '%%' '%'
--	trial $i '%C' $HASH
-+	if [ $NOOPENSSL -eq 1 ]; then trial $i '%C' $HASH; fi
- 	trial $i '%i' $USERID
- 	trial $i '%h' 127.0.0.1
- 	trial $i '%L' $HOST
-@@ -95,8 +102,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
- 	# containing %d for UserKnownHostsFile
- 	if [ "$i" != "userknownhostsfile" ]; then
- 		trial $i '%d' $HOME
--		trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
--		    "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
-+        if [ $NOOPENSSL -eq 0 ]; then
-+            trial $i '%%/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
-+                "%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
-+        else
-+		    trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
-+		        "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
-+        fi
- 	fi
- done
- 
-diff --git a/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
-new file mode 100644
-index 0000000..c7af5d9
---- /dev/null
-+++ b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
-@@ -0,0 +1,30 @@
-+From 1da9e48b41ab6eca157d4fa3b74490510d9006ae Mon Sep 17 00:00:00 2001
-+From: chengyechun <chengyechun1@huawei.com>
-+Date: Thu, 5 Jan 2023 23:43:22 +0800
-+Subject: [PATCH] skip percent test if there is no openssl on local path as
-+ scp3 did
-+
-+---
-+ regress/percent.sh | 6 ++++++
-+ 1 file changed, 6 insertions(+)
-+
-+diff --git a/regress/percent.sh b/regress/percent.sh
-+index 7ed4184..08afbc8 100644
-+--- a/regress/percent.sh
-++++ b/regress/percent.sh
-+@@ -8,6 +8,12 @@ if [ -x "/usr/xpg4/bin/id" ]; then
-+ 	export PATH
-+ fi
-+ 
-++NOOPENSSL=0
-++for i in $PATH;do [ -x "$i/openssl" ] && $OPENSSL=1; done
-++if [ $? -eq 0 ]; then
-++	skip "No openssl on local path."
-++fi
-++
-+ USER=`id -u -n`
-+ USERID=`id -u`
-+ HOST=`hostname | cut -f1 -d.`
-+-- 
-+2.23.0
-+
--- 
-2.23.0
-