CVE-2025-61985: Reject URL-strings with NULL characters

Resolves: RHEL-128390 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2025-12-10 13:04:07 +01:00 · 2025-12-10 13:04:07 +01:00 · 560bccf766
commit 560bccf766
parent 662102c4a8
2 changed files with 20 additions and 0 deletions
--- a/openssh-8.7p1-reject-null-char-in-url-string.patch
+++ b/openssh-8.7p1-reject-null-char-in-url-string.patch
@ -0,0 +1,15 @@
+diff --color -ruNp a/misc.c b/misc.c
+--- a/misc.c	2025-12-09 17:16:21.637368818 +0100
+++ b/misc.c	2025-12-09 17:48:22.679192853 +0100
+@@ -936,9 +936,10 @@ urldecode(const char *src)
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
+			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
+			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}
--- a/openssh.spec
+++ b/openssh.spec
@ -298,6 +298,8 @@ Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch
 Patch1022: openssh-8.0p1-CVE-2025-26465.patch
 # upstream 35d5917652106aede47621bb3f64044604164043
 Patch1023: openssh-8.0p1-reject-cntrl-chars-in-username.patch
+# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
+Patch1024: openssh-8.7p1-reject-null-char-in-url-string.patch

 License: BSD
 Group: Applications/Internet
@ -548,6 +550,7 @@ popd
 %patch1021 -p1 -b .ignore-SIGPIPE
 %patch1022 -p2 -b .cve-2025-26465
 %patch1023 -p1 -b .reject-cntrl-chars-in-username
+%patch1024 -p1 -b .reject-null-char-in-url-string

 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -836,6 +839,8 @@ getent passwd sshd >/dev/null || \
 * Wed Dec 10 2025 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-27
 - CVE-2025-61984: Reject usernames with control characters
  Resolves: RHEL-128400
+- CVE-2025-61985: Reject URL-strings with NULL characters
+  Resolves: RHEL-128390

 * Wed Aug 20 2025 Antonio Vieiro <avieirov@redhat.com> - 8.0p1-26
 - Fix missing invalid error code checks in OpenSSH. It prevents