CVE-2025-32728: Fix logic error in DisableForwarding option

Resolves: RHEL-86819 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2025-04-29 10:58:40 +02:00 · 2025-04-29 10:58:40 +02:00 · f4e43bc272
commit f4e43bc272
parent f218c44b65
2 changed files with 30 additions and 3 deletions
--- a/openssh-9.9p1-disable-forwarding.patch
+++ b/openssh-9.9p1-disable-forwarding.patch
@ -0,0 +1,22 @@
+diff --color -ruNp a/session.c b/session.c
+--- a/session.c	2025-04-29 11:20:59.475107377 +0200
+++ b/session.c	2025-04-29 11:23:16.638538968 +0200
+@@ -2284,7 +2284,8 @@ session_auth_agent_req(struct ssh *ssh,
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
+	    !options.allow_agent_forwarding ||
+	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2709,7 +2710,7 @@ session_setup_x11fwd(struct ssh *ssh, Se
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
+	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
--- a/openssh.spec
+++ b/openssh.spec
@ -43,7 +43,7 @@
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: 8%{?dist}
+Release: 9%{?dist}
 URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -208,6 +208,8 @@ Patch1021: openssh-9.9p2-error_processing.patch
 Patch1022: openssh-9.9p1-openssl-mlkem.patch
 # upstream 8eabd2ae2ca1d7756417a1ee5b41f09c5d997634
 Patch1023: openssh-9.9p1-compression-directive.patch
+# upstream fc86875e6acb36401dfc1dfb6b628a9d1460f367
+Patch1024: openssh-9.9p1-disable-forwarding.patch

 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@ -232,8 +234,6 @@ BuildRequires: systemd-rpm-macros
 BuildRequires: gcc make
 BuildRequires: p11-kit-devel
 BuildRequires: libfido2-devel
-#XXX: temporary, until we have OpenSSL 3.5
-BuildRequires: oqsprovider
 Recommends: p11-kit
 Obsoletes: openssh-ldap < 8.3p1-4
 Obsoletes: openssh-cavs < 8.4p1-5
@ -398,6 +398,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1021 -p1 -b .errcode_set
 %patch -P 1022 -p1 -b .openssl-mlkem
 %patch -P 1023 -p1 -b .compression
+%patch -P 1024 -p1 -b .disable-forwarding

 %patch -P 100 -p1 -b .coverity

@ -678,6 +679,10 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so

 %changelog
+* Tue Apr 29 2025 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-9
+- CVE-2025-32728: Fix logic error in DisableForwarding option
+  Resolves: RHEL-86819
+
 * Thu Mar 20 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-8
 - OpenSSH should not use its own implementation of MLKEM
  Resolves: RHEL-58252