CVE-2025-61985: Reject URL-strings with NULL characters
Resolves: RHEL-133960 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
parent
b31035999d
commit
9b2158d190
24
openssh-9.9p1-reject-null-char-in-url-string.patch
Normal file
24
openssh-9.9p1-reject-null-char-in-url-string.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff --color -ruNp a/misc.c b/misc.c
|
||||
--- a/misc.c 2025-12-03 16:19:11.255135131 +0100
|
||||
+++ b/misc.c 2025-12-03 16:21:53.769590836 +0100
|
||||
@@ -998,7 +998,7 @@ urldecode(const char *src)
|
||||
size_t srclen;
|
||||
|
||||
if ((srclen = strlen(src)) >= SIZE_MAX)
|
||||
- fatal_f("input too large");
|
||||
+ return NULL;
|
||||
ret = xmalloc(srclen + 1);
|
||||
for (dst = ret; *src != '\0'; src++) {
|
||||
switch (*src) {
|
||||
@@ -1006,9 +1006,10 @@ urldecode(const char *src)
|
||||
*dst++ = ' ';
|
||||
break;
|
||||
case '%':
|
||||
+ /* note: don't allow \0 characters */
|
||||
if (!isxdigit((unsigned char)src[1]) ||
|
||||
!isxdigit((unsigned char)src[2]) ||
|
||||
- (ch = hexchar(src + 1)) == -1) {
|
||||
+ (ch = hexchar(src + 1)) == -1 || ch == 0) {
|
||||
free(ret);
|
||||
return NULL;
|
||||
}
|
||||
@ -242,6 +242,8 @@ Patch1035: openssh-9.9p1-scp-traversing.patch
|
||||
Patch1036: openssh-9.9p1-canonical-match-user.patch
|
||||
# upstream 35d5917652106aede47621bb3f64044604164043
|
||||
Patch1037: openssh-9.9p1-reject-cntrl-chars-in-username.patch
|
||||
# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
|
||||
Patch1038: openssh-9.9p1-reject-null-char-in-url-string.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
@ -455,6 +457,7 @@ popd
|
||||
%patch1035 -p1 -b .scp-traversing
|
||||
%patch1036 -p1 -b .canonical-match-user
|
||||
%patch1037 -p1 -b .reject-cntrl-chars-in-username
|
||||
%patch1038 -p1 -b .reject-null-char-in-url-string
|
||||
|
||||
autoreconf
|
||||
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
@ -748,6 +751,8 @@ test -f %{sysconfig_anaconda} && \
|
||||
Resolves: RHEL-127624
|
||||
- CVE-2025-61984: Reject usernames with control characters
|
||||
Resolves: RHEL-133959
|
||||
- CVE-2025-61985: Reject URL-strings with NULL characters
|
||||
Resolves: RHEL-133960
|
||||
|
||||
* Mon Oct 27 2025 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-2
|
||||
- Fix implicit destination path selection when source path ends with ".."
|
||||
|
||||
Loading…
Reference in New Issue
Block a user