Fix CVE-2026-35387

Fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys Resolves: RHEL-166235 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2026-04-14 10:42:30 +02:00 · 2026-04-14 10:42:30 +02:00 · 99fe8be9db
commit 99fe8be9db
parent 543ad4010f
2 changed files with 109 additions and 0 deletions
--- a/openssh-9.9p1-ecdsa-incomplete-application.patch
+++ b/openssh-9.9p1-ecdsa-incomplete-application.patch
@ -0,0 +1,103 @@
+diff --color -ruNp a/auth2-hostbased.c b/auth2-hostbased.c
+--- a/auth2-hostbased.c	2026-04-09 13:22:28.114045749 +0200
+++ b/auth2-hostbased.c	2026-04-09 14:34:44.876393822 +0200
+@@ -96,9 +96,10 @@ userauth_hostbased(struct ssh *ssh, cons
+ 		error_f("cannot decode key: %s", pkalg);
+ 		goto done;
+ 	}
+-	if (key->type != pktype) {
+-		error_f("type mismatch for decoded key "
+-		    "(received %d, expected %d)", key->type, pktype);
+	if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
+	    sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
+		error_f("key type mismatch for decoded key "
+		    "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+ 		goto done;
+ 	}
+ 	if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) {
+diff --color -ruNp a/auth2-pubkey.c b/auth2-pubkey.c
+--- a/auth2-pubkey.c	2026-04-09 13:22:28.157194118 +0200
+++ b/auth2-pubkey.c	2026-04-09 14:35:48.997689347 +0200
+@@ -152,9 +152,10 @@ userauth_pubkey(struct ssh *ssh, const c
+ 		error_f("cannot decode key: %s", pkalg);
+ 		goto done;
+ 	}
+-	if (key->type != pktype) {
+-		error_f("type mismatch for decoded key "
+-		    "(received %d, expected %d)", key->type, pktype);
+	if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
+	    sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
+		error_f("key type mismatch for decoded key "
+		    "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+ 		goto done;
+ 	}
+ 	if (auth2_key_already_used(authctxt, key)) {
+diff --color -ruNp a/sshconnect2.c b/sshconnect2.c
+--- a/sshconnect2.c	2026-04-09 13:22:28.193412553 +0200
+++ b/sshconnect2.c	2026-04-09 14:42:37.644945762 +0200
+@@ -91,6 +91,7 @@ extern Options options;
+ static char *xxx_host;
+ static struct sockaddr *xxx_hostaddr;
+ static const struct ssh_conn_info *xxx_conn_info;
+static int key_type_allowed(struct sshkey *, const char *);
+ 
+ static int
+ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+@@ -100,6 +101,10 @@ verify_host_key_callback(struct sshkey *
+ 	if ((r = sshkey_check_rsa_length(hostkey,
+ 	    options.required_rsa_size)) != 0)
+ 		fatal_r(r, "Bad server host key");
+	if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) {
+		fatal("Server host key %s not in HostKeyAlgorithms",
+		    sshkey_ssh_name(hostkey));
+	}
+ 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+ 	    xxx_conn_info) != 0)
+ 		fatal("Host key verification failed.");
+@@ -1776,34 +1781,37 @@ load_identity_file(Identity *id)
+ }
+ 
+ static int
+-key_type_allowed_by_config(struct sshkey *key)
+key_type_allowed(struct sshkey *key, const char *allowlist)
+ {
+-	if (match_pattern_list(sshkey_ssh_name(key),
+-	    options.pubkey_accepted_algos, 0) == 1)
+	if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1)
+ 		return 1;
+ 
+ 	/* RSA keys/certs might be allowed by alternate signature types */
+ 	switch (key->type) {
+ 	case KEY_RSA:
+-		if (match_pattern_list("rsa-sha2-512",
+-		    options.pubkey_accepted_algos, 0) == 1)
+		if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1)
+ 			return 1;
+-		if (match_pattern_list("rsa-sha2-256",
+-		    options.pubkey_accepted_algos, 0) == 1)
+		if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1)
+ 			return 1;
+ 		break;
+ 	case KEY_RSA_CERT:
+ 		if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+-		    options.pubkey_accepted_algos, 0) == 1)
+		    allowlist, 0) == 1)
+ 			return 1;
+ 		if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+-		    options.pubkey_accepted_algos, 0) == 1)
+		    allowlist, 0) == 1)
+ 			return 1;
+ 		break;
+ 	}
+ 	return 0;
+ }
+ 
+static int
+key_type_allowed_by_config(struct sshkey *key)
+{
+	return key_type_allowed(key, options.pubkey_accepted_algos);
+}
+
+ /* obtain a list of keys from the agent */
+ static int
+ get_agent_identities(struct ssh *ssh, int *agent_fdp,
--- a/openssh.spec
+++ b/openssh.spec
@ -253,6 +253,8 @@ Patch1040: openssh-9.9p1-fill-default-options-error.patch
 Patch1041: openssh-9.9p1-scp-clear-setuid.patch
 # upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add
 Patch1042: openssh-9.9p1-mux-askpass-check.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch1043: openssh-9.9p1-ecdsa-incomplete-application.patch

 License: BSD
 Requires: /sbin/nologin
@ -469,6 +471,7 @@ popd
 %patch1040 -p1 -b .fill-default-options-error
 %patch1041 -p1 -b .scp-clear-setuid
 %patch1042 -p1 -b .mux-askpass-check
+%patch1043 -p1 -b .ecdsa-incomplete-application

 %patch100 -p1 -b .coverity

@ -770,6 +773,9 @@ test -f %{sysconfig_anaconda} && \
 - CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
  multiplexing sessions
  Resolves: RHEL-166251
+- CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms
+  and HostbasedAcceptedAlgorithms with regard to ECDSA keys
+  Resolves: RHEL-166235

 * Thu Mar 26 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-7 + 0.10.4-9
 - Version bump