From 3ed25d6be719da9095cb4b7fc9673825cd096cf0 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Fri, 5 Dec 2025 10:24:20 +0100 Subject: [PATCH] CVE-2025-61984: Reject usernames with control characters Resolves: RHEL-128399 Signed-off-by: Zoltan Fridrich --- ...9.9p1-reject-cntrl-chars-in-username.patch | 59 +++++++++++++++++++ openssh.spec | 9 ++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 openssh-9.9p1-reject-cntrl-chars-in-username.patch diff --git a/openssh-9.9p1-reject-cntrl-chars-in-username.patch b/openssh-9.9p1-reject-cntrl-chars-in-username.patch new file mode 100644 index 0000000..05bbe4d --- /dev/null +++ b/openssh-9.9p1-reject-cntrl-chars-in-username.patch @@ -0,0 +1,59 @@ +diff --color -ruNp a/ssh.c b/ssh.c +--- a/ssh.c 2025-12-03 15:22:36.754555231 +0100 ++++ b/ssh.c 2025-12-03 16:12:16.715320349 +0100 +@@ -662,6 +662,8 @@ valid_ruser(const char *s) + if (*s == '-') + return 0; + for (i = 0; s[i] != 0; i++) { ++ if (iscntrl((u_char)s[i])) ++ return 0; + if (strchr("'`\";&<>|(){}", s[i]) != NULL) + return 0; + /* Disallow '-' after whitespace */ +@@ -683,6 +685,7 @@ main(int ac, char **av) + struct ssh *ssh = NULL; + int i, r, opt, exit_status, use_syslog, direct, timeout_ms; + int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0; ++ int user_on_commandline = 0; + char *p, *cp, *line, *argv0, *logfile; + char cname[NI_MAXHOST], thishost[NI_MAXHOST]; + struct stat st; +@@ -1039,8 +1042,10 @@ main(int ac, char **av) + } + break; + case 'l': +- if (options.user == NULL) ++ if (options.user == NULL) { + options.user = optarg; ++ user_on_commandline = 1; ++ } + break; + + case 'L': +@@ -1143,6 +1148,7 @@ main(int ac, char **av) + if (options.user == NULL) { + options.user = tuser; + tuser = NULL; ++ user_on_commandline = 1; + } + free(tuser); + if (options.port == -1 && tport != -1) +@@ -1157,6 +1163,7 @@ main(int ac, char **av) + if (options.user == NULL) { + options.user = p; + p = NULL; ++ user_on_commandline = 1; + } + *cp++ = '\0'; + host = xstrdup(cp); +@@ -1459,6 +1466,10 @@ main(int ac, char **av) + cinfo->locuser = xstrdup(pw->pw_name); + cinfo->jmphost = xstrdup(options.jump_host == NULL ? + "" : options.jump_host); ++ ++ if (user_on_commandline && !valid_ruser(options.user)) ++ fatal("remote username contains invalid characters"); ++ + cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost, + cinfo->remhost, cinfo->portstr, cinfo->remuser, cinfo->jmphost); + diff --git a/openssh.spec b/openssh.spec index efa22f2..e7e7061 100644 --- a/openssh.spec +++ b/openssh.spec @@ -43,7 +43,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: 16%{?dist} +Release: 17%{?dist} URL: http://www.openssh.com/portable.html Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -221,6 +221,8 @@ Patch1028: openssh-9.9p1-fips-gss.patch Patch1029: openssh-9.9p1-scp-traversing.patch Patch1030: openssh-9.9p1-canonical-match-user.patch Patch1031: openssh-10.0-mlkem-nist.patch +# upstream 35d5917652106aede47621bb3f64044604164043 +Patch1032: openssh-9.9p1-reject-cntrl-chars-in-username.patch License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant Requires: /sbin/nologin @@ -417,6 +419,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} %patch -P 1029 -p1 -b .scp-traversing %patch -P 1030 -p1 -b .canonical-match-user %patch -P 1031 -p1 -b .mlkem-nist +%patch -P 1032 -p1 -b .reject-cntrl-chars-in-username %patch -P 100 -p1 -b .coverity @@ -697,6 +700,10 @@ test -f %{sysconfig_anaconda} && \ %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so %changelog +* Fri Dec 05 2025 Zoltan Fridrich - 9.9p1-17 +- CVE-2025-61984: Reject usernames with control characters + Resolves: RHEL-128399 + * Mon Nov 03 2025 Dmitry Belyavskiy - 9.9p1-16 - Implement mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 KEX methods Resolves: RHEL-70824