Fix CVE-2026-55653
Fix double free in openssh DH-GEX client path during FIPS known-group validation that leads to client-side denial of service Resolves: RHEL-185775 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
parent
de0f190b31
commit
9eb205cba9
@ -116,17 +116,18 @@ diff -up openssh-7.9p1/kexgexc.c.fips openssh-7.9p1/kexgexc.c
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@@ -118,6 +119,10 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
r = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
@@ -115,6 +116,11 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
}
|
||||
p = g = NULL; /* belong to kex->dh now */
|
||||
|
||||
+ if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) {
|
||||
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||
+ goto out;
|
||||
+ }
|
||||
p = g = NULL; /* belong to kex->dh now */
|
||||
|
||||
+
|
||||
/* generate and send 'e', client DH public key */
|
||||
if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
|
||||
goto out;
|
||||
diff -up openssh-7.9p1/myproposal.h.fips openssh-7.9p1/myproposal.h
|
||||
--- openssh-7.9p1/myproposal.h.fips 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/myproposal.h 2019-03-11 17:06:37.621878041 +0100
|
||||
|
||||
@ -66,7 +66,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 8.0p1
|
||||
%global openssh_rel 29
|
||||
%global openssh_rel 30
|
||||
%global pam_ssh_agent_ver 0.10.3
|
||||
%global pam_ssh_agent_rel 7
|
||||
|
||||
@ -854,6 +854,11 @@ getent passwd sshd >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jun 29 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-30
|
||||
- CVE-2026-55653: Fix double free in openssh DH-GEX client path during
|
||||
FIPS known-group validation that leads to client-side denial of service
|
||||
Resolves: RHEL-185775
|
||||
|
||||
* Mon Apr 13 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-29
|
||||
- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
|
||||
when not in preserving file mode
|
||||
|
||||
Loading…
Reference in New Issue
Block a user