CVE-2025-61984: Reject usernames with control characters

Resolves: RHEL-128399 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2025-12-05 10:24:20 +01:00 · 2025-12-05 10:24:20 +01:00 · 3ed25d6be7
commit 3ed25d6be7
parent d6c153ae72
2 changed files with 67 additions and 1 deletions
--- a/openssh-9.9p1-reject-cntrl-chars-in-username.patch
+++ b/openssh-9.9p1-reject-cntrl-chars-in-username.patch
@ -0,0 +1,59 @@
+diff --color -ruNp a/ssh.c b/ssh.c
+--- a/ssh.c	2025-12-03 15:22:36.754555231 +0100
+++ b/ssh.c	2025-12-03 16:12:16.715320349 +0100
+@@ -662,6 +662,8 @@ valid_ruser(const char *s)
+ 	if (*s == '-')
+ 		return 0;
+ 	for (i = 0; s[i] != 0; i++) {
+		if (iscntrl((u_char)s[i]))
+			return 0;
+ 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ 			return 0;
+ 		/* Disallow '-' after whitespace */
+@@ -683,6 +685,7 @@ main(int ac, char **av)
+ 	struct ssh *ssh = NULL;
+ 	int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+ 	int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
+	int user_on_commandline = 0;
+ 	char *p, *cp, *line, *argv0, *logfile;
+ 	char cname[NI_MAXHOST], thishost[NI_MAXHOST];
+ 	struct stat st;
+@@ -1039,8 +1042,10 @@ main(int ac, char **av)
+ 			}
+ 			break;
+ 		case 'l':
+-			if (options.user == NULL)
+			if (options.user == NULL) {
+ 				options.user = optarg;
+				user_on_commandline = 1;
+			}
+ 			break;
+ 
+ 		case 'L':
+@@ -1143,6 +1148,7 @@ main(int ac, char **av)
+ 			if (options.user == NULL) {
+ 				options.user = tuser;
+ 				tuser = NULL;
+				user_on_commandline = 1;
+ 			}
+ 			free(tuser);
+ 			if (options.port == -1 && tport != -1)
+@@ -1157,6 +1163,7 @@ main(int ac, char **av)
+ 				if (options.user == NULL) {
+ 					options.user = p;
+ 					p = NULL;
+					user_on_commandline = 1;
+ 				}
+ 				*cp++ = '\0';
+ 				host = xstrdup(cp);
+@@ -1459,6 +1466,10 @@ main(int ac, char **av)
+ 	cinfo->locuser = xstrdup(pw->pw_name);
+ 	cinfo->jmphost = xstrdup(options.jump_host == NULL ?
+ 	    "" : options.jump_host);
+
+	if (user_on_commandline && !valid_ruser(options.user))
+		fatal("remote username contains invalid characters");
+
+ 	cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost,
+ 	    cinfo->remhost, cinfo->portstr, cinfo->remuser, cinfo->jmphost);
+ 
--- a/openssh.spec
+++ b/openssh.spec
@ -43,7 +43,7 @@
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: 16%{?dist}
+Release: 17%{?dist}
 URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -221,6 +221,8 @@ Patch1028: openssh-9.9p1-fips-gss.patch
 Patch1029: openssh-9.9p1-scp-traversing.patch
 Patch1030: openssh-9.9p1-canonical-match-user.patch
 Patch1031: openssh-10.0-mlkem-nist.patch
+# upstream 35d5917652106aede47621bb3f64044604164043
+Patch1032: openssh-9.9p1-reject-cntrl-chars-in-username.patch

 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@ -417,6 +419,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1029 -p1 -b .scp-traversing
 %patch -P 1030 -p1 -b .canonical-match-user
 %patch -P 1031 -p1 -b .mlkem-nist
+%patch -P 1032 -p1 -b .reject-cntrl-chars-in-username

 %patch -P 100 -p1 -b .coverity

@ -697,6 +700,10 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so

 %changelog
+* Fri Dec 05 2025 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-17
+- CVE-2025-61984: Reject usernames with control characters
+  Resolves: RHEL-128399
+
 * Mon Nov 03 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-16
 - Implement mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 KEX methods
  Resolves: RHEL-70824