From 543ad4010ff1a4eb82a4c28f0ce59ee06308d9d7 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Tue, 14 Apr 2026 10:39:41 +0200
Subject: [PATCH] Fix CVE-2026-35388

Add connection multiplexing confirmation for proxy-mode
multiplexing sessions

Resolves: RHEL-166251

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
 openssh-9.9p1-mux-askpass-check.patch | 20 ++++++++++++++++++++
 openssh.spec                          |  6 ++++++
 2 files changed, 26 insertions(+)
 create mode 100644 openssh-9.9p1-mux-askpass-check.patch

diff --git a/openssh-9.9p1-mux-askpass-check.patch b/openssh-9.9p1-mux-askpass-check.patch
new file mode 100644
index 0000000..2176243
--- /dev/null
+++ b/openssh-9.9p1-mux-askpass-check.patch
@@ -0,0 +1,20 @@
+diff --color -ruNp a/mux.c b/mux.c
+--- a/mux.c	2024-09-20 00:20:48.000000000 +0200
++++ b/mux.c	2026-04-09 15:02:36.016198814 +0200
+@@ -1137,6 +1137,16 @@ mux_master_process_proxy(struct ssh *ssh
+ 
+ 	debug_f("channel %d: proxy request", c->self);
+ 
++	if (options.control_master == SSHCTL_MASTER_ASK ||
++	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
++		if (!ask_permission("Allow multiplex proxy connection?")) {
++			debug2_f("proxy refused by user");
++			reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
++			    "Permission denied");
++			return 0;
++		}
++	}
++
+ 	c->mux_rcb = channel_proxy_downstream;
+ 	if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
+ 	    (r = sshbuf_put_u32(reply, rid)) != 0)
diff --git a/openssh.spec b/openssh.spec
index 122ce9c..1624478 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -251,6 +251,8 @@ Patch1039: openssh-9.9p1-compat-mlkem.patch
 Patch1040: openssh-9.9p1-fill-default-options-error.patch
 # upstream 487e8ac146f7d6616f65c125d5edb210519b833a
 Patch1041: openssh-9.9p1-scp-clear-setuid.patch
+# upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add
+Patch1042: openssh-9.9p1-mux-askpass-check.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -466,6 +468,7 @@ popd
 %patch1039 -p1 -b .skip-mlkem-when-na
 %patch1040 -p1 -b .fill-default-options-error
 %patch1041 -p1 -b .scp-clear-setuid
+%patch1042 -p1 -b .mux-askpass-check
 
 %patch100 -p1 -b .coverity
 
@@ -764,6 +767,9 @@ test -f %{sysconfig_anaconda} && \
 - CVE-2026-35385: Fix privilege escalation via scp legacy protocol
   when not in preserving file mode
   Resolves: RHEL-164754
+- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
+  multiplexing sessions
+  Resolves: RHEL-166251
 
 * Thu Mar 26 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-7 + 0.10.4-9
 - Version bump