Fix CVE-2026-55653

Fix double free in openssh DH-GEX client path
during FIPS known-group validation that leads
to client-side denial of service

Resolves: RHEL-185775

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich 2026-06-29 16:46:18 +02:00
parent de0f190b31
commit 9eb205cba9
2 changed files with 12 additions and 6 deletions


@ -116,17 +116,18 @@ diff -up openssh-7.9p1/kexgexc.c.fips openssh-7.9p1/kexgexc.c
#include <sys/types.h>
#include <openssl/dh.h>
@@ -118,6 +119,10 @@ input_kex_dh_gex_group(int type, u_int32
r = SSH_ERR_ALLOC_FAIL;
goto out;
@@ -115,6 +116,11 @@ input_kex_dh_gex_group(int type, u_int32
}
p = g = NULL; /* belong to kex->dh now */
+ if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) {
+ r = SSH_ERR_INVALID_ARGUMENT;
+ goto out;
+ }
p = g = NULL; /* belong to kex->dh now */
+
/* generate and send 'e', client DH public key */
if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
goto out;
diff -up openssh-7.9p1/myproposal.h.fips openssh-7.9p1/myproposal.h
--- openssh-7.9p1/myproposal.h.fips 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/myproposal.h 2019-03-11 17:06:37.621878041 +0100
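Review bot: the embedded kexgexc.c hunk shows `p = g = NULL; /* belong to kex->dh now */` on both sides of the `FIPS_mode() && dh_is_known_group(kex->dh) == 0` check, and nothing in the patch records that the relative order is the whole fix. Per that comment `p` and `g` belong to `kex->dh` once the assignment is reached, so the `goto out` inside the check is only safe after they have been cleared (assuming the cleanup at `out` releases `p` and `g`). Please add a one-line comment above the check saying it must stay below the assignment, so a later rebase of this FIPS patch does not move it back. The embedded hunk header also moved from `@@ -118,6 +119,10 @@` to `@@ -115,6 +116,11 @@`, so confirm the patch still applies to kexgexc.c without fuzz.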


@ -66,7 +66,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.0p1
%global openssh_rel 29
%global openssh_rel 30
%global pam_ssh_agent_ver 0.10.3
%global pam_ssh_agent_rel 7
@ -854,6 +854,11 @@ getent passwd sshd >/dev/null || \
%endif
%changelog
* Mon Jun 29 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-30
- CVE-2026-55653: Fix double free in openssh DH-GEX client path during
FIPS known-group validation that leads to client-side denial of service
Resolves: RHEL-185775
* Mon Apr 13 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-29
- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
when not in preserving file mode