From 40f5f26708d6f5f9ea5e6292d8d3e895e175f394 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich
Date: Fri, 5 Dec 2025 10:27:33 +0100
Subject: [PATCH] CVE-2025-61985: Reject URL-strings with NULL characters

Resolves: RHEL-128388
Signed-off-by: Zoltan Fridrich
---
 ...9.9p1-reject-null-char-in-url-string.patch | 24 +++++++++++++++++++
 openssh.spec | 5 ++++
 2 files changed, 29 insertions(+)
 create mode 100644 openssh-9.9p1-reject-null-char-in-url-string.patch

diff --git a/openssh-9.9p1-reject-null-char-in-url-string.patch b/openssh-9.9p1-reject-null-char-in-url-string.patch
new file mode 100644
index 0000000..9b2d378
--- /dev/null
+++ b/openssh-9.9p1-reject-null-char-in-url-string.patch
@@ -0,0 +1,24 @@
+diff --color -ruNp a/misc.c b/misc.c
+--- a/misc.c 2025-12-03 16:19:11.255135131 +0100
++++ b/misc.c 2025-12-03 16:21:53.769590836 +0100
+@@ -998,7 +998,7 @@ urldecode(const char *src)
+ size_t srclen;
+
+ if ((srclen = strlen(src)) >= SIZE_MAX)
+- fatal_f("input too large");
++ return NULL;
+ ret = xmalloc(srclen + 1);
+ for (dst = ret; *src != '\0'; src++) {
+ switch (*src) {
+@@ -1006,9 +1006,10 @@ urldecode(const char *src)
+ *dst++ = ' ';
+ break;
+ case '%':
++ /* note: don't allow \0 characters */
+ if (!isxdigit((unsigned char)src[1]) ||
+ !isxdigit((unsigned char)src[2]) ||
+- (ch = hexchar(src + 1)) == -1) {
++ (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ free(ret);
+ return NULL;
+ }
diff --git a/openssh.spec b/openssh.spec
index e7e7061..7b68ba3 100644
--- a/openssh.spec
+++ b/openssh.spec
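Review bot: The comment added in the `case '%':` branch of urldecode() states the rule but not the reason, and the new `ch == 0` test rejects only `%00`, so any other percent-encoded byte that hexchar() accepts, control characters included, still decodes into the result. I would make both explicit, for example `/* reject %00: a decoded NUL would end the returned C string early and hide the rest of the input; other control bytes must be checked by the caller */`. Whether every caller does that check is not visible here; the spec only shows a separate reject-cntrl-chars-in-username patch. The first inner hunk also turns the oversize-input path from `fatal_f("input too large")` into `return NULL`, which the commit title does not mention and which relies on callers already treating NULL as a decode failure. urldecode()'s body starts and ends outside both inner hunks.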
@@ -223,6 +223,8 @@ Patch1030: openssh-9.9p1-canonical-match-user.patch
 Patch1031: openssh-10.0-mlkem-nist.patch
 # upstream 35d5917652106aede47621bb3f64044604164043
 Patch1032: openssh-9.9p1-reject-cntrl-chars-in-username.patch
+# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
+Patch1033: openssh-9.9p1-reject-null-char-in-url-string.patch
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -420,6 +422,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1030 -p1 -b .canonical-match-user
 %patch -P 1031 -p1 -b .mlkem-nist
 %patch -P 1032 -p1 -b .reject-cntrl-chars-in-username
+%patch -P 1033 -p1 -b .reject-null-char-in-url-string
 %patch -P 100 -p1 -b .coverity
@@ -703,6 +706,8 @@ test -f %{sysconfig_anaconda} && \
 * Fri Dec 05 2025 Zoltan Fridrich - 9.9p1-17
 - CVE-2025-61984: Reject usernames with control characters
 Resolves: RHEL-128399
+- CVE-2025-61985: Reject URL-strings with NULL characters
+ Resolves: RHEL-128388
 * Mon Nov 03 2025 Dmitry Belyavskiy - 9.9p1-16
 - Implement mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 KEX methods