From 8d2400298fde8b189e3652542ff8b7d2d10c6f20 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 18 Dec 2025 01:19:27 +0000 Subject: [PATCH] import UBI openssh-8.0p1-27.el8_10 --- ...ssh-8.0p1-reject-cntrl-chars-in-username.patch | 12 ++++++++++++ ...ssh-8.7p1-reject-null-char-in-url-string.patch | 15 +++++++++++++++ SPECS/openssh.spec | 14 +++++++++++++- 3 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 SOURCES/openssh-8.0p1-reject-cntrl-chars-in-username.patch create mode 100644 SOURCES/openssh-8.7p1-reject-null-char-in-url-string.patch diff --git a/SOURCES/openssh-8.0p1-reject-cntrl-chars-in-username.patch b/SOURCES/openssh-8.0p1-reject-cntrl-chars-in-username.patch new file mode 100644 index 0000000..0a93c56 --- /dev/null +++ b/SOURCES/openssh-8.0p1-reject-cntrl-chars-in-username.patch @@ -0,0 +1,12 @@ +diff --color -ruNp a/ssh.c b/ssh.c +--- a/ssh.c 2025-12-10 11:51:34.927545274 +0100 ++++ b/ssh.c 2025-12-10 12:05:26.210486999 +0100 +@@ -599,6 +599,8 @@ valid_ruser(const char *s) + if (*s == '-') + return 0; + for (i = 0; s[i] != 0; i++) { ++ if (iscntrl((u_char)s[i])) ++ return 0; + if (strchr("'`\";&<>|(){}", s[i]) != NULL) + return 0; + /* Disallow '-' after whitespace */ diff --git a/SOURCES/openssh-8.7p1-reject-null-char-in-url-string.patch b/SOURCES/openssh-8.7p1-reject-null-char-in-url-string.patch new file mode 100644 index 0000000..146bf12 --- /dev/null +++ b/SOURCES/openssh-8.7p1-reject-null-char-in-url-string.patch @@ -0,0 +1,15 @@ +diff --color -ruNp a/misc.c b/misc.c +--- a/misc.c 2025-12-09 17:16:21.637368818 +0100 ++++ b/misc.c 2025-12-09 17:48:22.679192853 +0100 +@@ -936,9 +936,10 @@ urldecode(const char *src) + *dst++ = ' '; + break; + case '%': ++ /* note: don't allow \0 characters */ + if (!isxdigit((unsigned char)src[1]) || + !isxdigit((unsigned char)src[2]) || +- (ch = hexchar(src + 1)) == -1) { ++ (ch = hexchar(src + 1)) == -1 || ch == 0) { + free(ret); + return NULL; + } diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 8c13e06..41f53c0 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -66,7 +66,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.0p1 -%global openssh_rel 26 +%global openssh_rel 27 %global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_rel 7 @@ -296,6 +296,10 @@ Patch1020: openssh-8.7p1-scp-kill-switch.patch Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch #upstream commit 0832aac79517611dd4de93ad0a83577994d9c907 Patch1022: openssh-8.0p1-CVE-2025-26465.patch +# upstream 35d5917652106aede47621bb3f64044604164043 +Patch1023: openssh-8.0p1-reject-cntrl-chars-in-username.patch +# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0 +Patch1024: openssh-8.7p1-reject-null-char-in-url-string.patch License: BSD Group: Applications/Internet @@ -545,6 +549,8 @@ popd %patch1020 -p1 -b .scp-kill-switch %patch1021 -p1 -b .ignore-SIGPIPE %patch1022 -p2 -b .cve-2025-26465 +%patch1023 -p1 -b .reject-cntrl-chars-in-username +%patch1024 -p1 -b .reject-null-char-in-url-string autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -830,6 +836,12 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Wed Dec 10 2025 Zoltan Fridrich - 8.0p1-27 +- CVE-2025-61984: Reject usernames with control characters + Resolves: RHEL-128400 +- CVE-2025-61985: Reject URL-strings with NULL characters + Resolves: RHEL-128390 + * Wed Aug 20 2025 Antonio Vieiro - 8.0p1-26 - Fix missing invalid error code checks in OpenSSH. It prevents a MITM attack when VerifyHostKeyDNS is on (CVE-2025-26465)