From 875c735cbb9218749fc7e207c745c8f5449617d4 Mon Sep 17 00:00:00 2001 From: wenxin Date: Mon, 10 Nov 2025 17:41:59 +0800 Subject: [PATCH] add patch to fix CVE-2025-61984 CVE-2025-61985 --- backport-fix-CVE-2025-61984.patch | 132 ++++++++++++++++++++++++++++++ backport-fix-CVE-2025-61985.patch | 42 ++++++++++ openssh.spec | 15 +++- 3 files changed, 188 insertions(+), 1 deletion(-) create mode 100644 backport-fix-CVE-2025-61984.patch create mode 100644 backport-fix-CVE-2025-61985.patch diff --git a/backport-fix-CVE-2025-61984.patch b/backport-fix-CVE-2025-61984.patch new file mode 100644 index 0000000..b716d60 --- /dev/null +++ b/backport-fix-CVE-2025-61984.patch @@ -0,0 +1,132 @@ +From 35d5917652106aede47621bb3f64044604164043 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 4 Sep 2025 00:29:09 +0000 +Subject: upstream: Improve rules for %-expansion of username. + +Usernames passed on the commandline will no longer be subject to +% expansion. Some tools invoke ssh with connection information +(i.e. usernames and host names) supplied from untrusted sources. +These may contain % expansion sequences which could yield +unexpected results. + +Since openssh-9.6, all usernames have been subject to validity +checking. This change tightens the validity checks by refusing +usernames that include control characters (again, these can cause +surprises when supplied adversarially). + +This change also relaxes the validity checks in one small way: +usernames supplied via the configuration file as literals (i.e. +include no % expansion characters) are not subject to these +validity checks. This allows usernames that contain arbitrary +characters to be used, but only via configuration files. This +is done on the basis that ssh's configuration is trusted. + +Pointed out by David Leadbeater, ok deraadt@ + +OpenBSD-Commit-ID: e2f0c871fbe664aba30607321575e7c7fc798362 +Conflict:Without feature "Allow %-token and environment variable expansion in User" +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=35d5917652106aede47621bb3f64044604164043 + +--- + ssh.c | 31 +++++++++++++++++++++++++------ + 1 file changed, 25 insertions(+), 6 deletions(-) + +diff --git a/ssh.c b/ssh.c +index b3b13ba..3103522 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -650,6 +650,8 @@ valid_ruser(const char *s) + if (*s == '-') + return 0; + for (i = 0; s[i] != 0; i++) { ++ if (iscntrl((u_char)s[i])) ++ return 0; + if (strchr("'`\";&<>|(){}", s[i]) != NULL) + return 0; + /* Disallow '-' after whitespace */ +@@ -671,6 +673,7 @@ main(int ac, char **av) + struct ssh *ssh = NULL; + int i, r, opt, exit_status, use_syslog, direct, timeout_ms; + int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0; ++ int user_on_commandline = 0, user_was_default = 0; + char *p, *cp, *line, *argv0, *logfile; + char cname[NI_MAXHOST], thishost[NI_MAXHOST]; + struct stat st; +@@ -1027,8 +1030,10 @@ main(int ac, char **av) + } + break; + case 'l': +- if (options.user == NULL) +- options.user = optarg; ++ if (options.user == NULL){ ++ options.user = xstrdup(optarg); ++ user_on_commandline = 1; ++ } + break; + + case 'L': +@@ -1131,6 +1136,7 @@ main(int ac, char **av) + if (options.user == NULL) { + options.user = tuser; + tuser = NULL; ++ user_on_commandline = 1; + } + free(tuser); + if (options.port == -1 && tport != -1) +@@ -1145,6 +1151,7 @@ main(int ac, char **av) + if (options.user == NULL) { + options.user = p; + p = NULL; ++ user_on_commandline = 1; + } + *cp++ = '\0'; + host = xstrdup(cp); +@@ -1166,8 +1173,6 @@ main(int ac, char **av) + + if (!valid_hostname(host)) + fatal("hostname contains invalid characters"); +- if (options.user != NULL && !valid_ruser(options.user)) +- fatal("remote username contains invalid characters"); + options.host_arg = xstrdup(host); + + /* Initialize the command to execute on remote host. */ +@@ -1299,8 +1304,10 @@ main(int ac, char **av) + if (fill_default_options(&options) != 0) + cleanup_exit(255); + +- if (options.user == NULL) ++ if (options.user == NULL){ ++ user_was_default = 1; + options.user = xstrdup(pw->pw_name); ++ } + + /* + * If ProxyJump option specified, then construct a ProxyCommand now. +@@ -1441,11 +1448,23 @@ main(int ac, char **av) + options.host_key_alias : options.host_arg); + cinfo->host_arg = xstrdup(options.host_arg); + cinfo->remhost = xstrdup(host); +- cinfo->remuser = xstrdup(options.user); + cinfo->homedir = xstrdup(pw->pw_dir); + cinfo->locuser = xstrdup(pw->pw_name); + cinfo->jmphost = xstrdup(options.jump_host == NULL ? + "" : options.jump_host); ++ ++ /* ++ * Usernames specified on the commandline or expanded from the ++ * configuration file must be validated. ++ * Conversely, usernames from getpwnam(3) or specified as literals ++ * via configuration (i.e. not expanded) are not subject to validation. ++ */ ++ if ((user_on_commandline) && ++ !valid_ruser(options.user)) ++ fatal("remote username contains invalid characters"); ++ ++ /* Now User is expanded, store it and calculate hash. */ ++ cinfo->remuser = xstrdup(options.user); + cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost, + cinfo->remhost, cinfo->portstr, cinfo->remuser, cinfo->jmphost); + +-- +2.47.3 + diff --git a/backport-fix-CVE-2025-61985.patch b/backport-fix-CVE-2025-61985.patch new file mode 100644 index 0000000..02f7dc0 --- /dev/null +++ b/backport-fix-CVE-2025-61985.patch @@ -0,0 +1,42 @@ +From 43b3bff47bb029f2299bacb6a36057981b39fdb0 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 4 Sep 2025 00:30:06 +0000 +Subject: upstream: don't allow \0 characters in url-encoded strings. + +Suggested by David Leadbeater, ok deraadt@ + +OpenBSD-Commit-ID: c92196cef0f970ceabc1e8007a80b01e9b7cd49c +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=43b3bff47bb029f2299bacb6a36057981b39fdb0 + +--- + misc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/misc.c b/misc.c +index 7d644eb..fe7e538 100644 +--- a/misc.c ++++ b/misc.c +@@ -963,7 +963,7 @@ urldecode(const char *src) + size_t srclen; + + if ((srclen = strlen(src)) >= SIZE_MAX) +- fatal_f("input too large"); ++ return NULL; + ret = xmalloc(srclen + 1); + for (dst = ret; *src != '\0'; src++) { + switch (*src) { +@@ -971,9 +971,10 @@ urldecode(const char *src) + *dst++ = ' '; + break; + case '%': ++ /* note: don't allow \0 characters */ + if (!isxdigit((unsigned char)src[1]) || + !isxdigit((unsigned char)src[2]) || +- (ch = hexchar(src + 1)) == -1) { ++ (ch = hexchar(src + 1)) == -1 || ch == 0) { + free(ret); + return NULL; + } +-- +2.47.3 + diff --git a/openssh.spec b/openssh.spec index 4b524dc..821e6a8 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 4 %global WITH_SELINUX 1 @@ -239,6 +239,14 @@ Patch1021: bugfix-for-cve-2024-39894.patch # https://github.com/openssh/openssh-portable/commit/6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 Patch1022: bugfix-for-cve-2025-26466.patch +# CVE-2025-61984 +# https://anongit.mindrot.org/openssh.git/patch/?id=35d5917652106aede47621bb3f64044604164043 +Patch1023: backport-fix-CVE-2025-61984.patch + +# CVE-2025-61985 +# https://anongit.mindrot.org/openssh.git/patch/?id=43b3bff47bb029f2299bacb6a36057981b39fdb0 +Patch1024: backport-fix-CVE-2025-61985.patch + # https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant Requires: /sbin/nologin @@ -459,6 +467,8 @@ popd %patch -P 1020 -p1 %patch -P 1021 -p1 %patch -P 1022 -p1 +%patch -P 1023 -p1 +%patch -P 1024 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -767,6 +777,9 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Mon Nov 10 2025 wenxin - 9.6p1-4 +- add patch to fix CVE-2025-61984 CVE-2025-61985 + * Tue Sep 2 2025 zjl02254423 - 9.6p1-3 - add patch to fix CVE-2024-39894,CVE-2025-26466 -- Gitee