From 7f2ed427781c6f74d228555711d59ee8a8658d7e Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Wed, 1 Apr 2026 16:04:15 +0200 Subject: [PATCH 1/9] Fix static analysis issues Resolves: RHEL-163365 Signed-off-by: Zoltan Fridrich --- openssh-6.7p1-coverity.patch | 161 +++++++++++++++++++++++++++++++++++ openssh.spec | 6 +- 2 files changed, 166 insertions(+), 1 deletion(-) diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index ffe0c69..276cc43 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -159,6 +159,46 @@ diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openb diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c --- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100 +++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100 +@@ -749,12 +749,12 @@ match_cfg_line(Options *options, const c + debug2("checking match for '%s' host %s originally %s", + full_line, host, original_host); + while ((attrib = argv_next(acp, avp)) != NULL) { +- attrib = oattrib = xstrdup(attrib); + /* Terminate on comment */ + if (*attrib == '#') { + argv_consume(acp); + break; + } ++ attrib = oattrib = xstrdup(attrib); + arg = criteria = NULL; + this_result = 1; + if ((negate = (attrib[0] == '!'))) +@@ -793,7 +793,7 @@ match_cfg_line(Options *options, const c + debug3("%.200s line %d: %smatched '%s'", + filename, linenum, + this_result ? "" : "not ", oattrib); +- continue; ++ goto next; + } + + /* Keep this list in sync with below */ +@@ -863,7 +863,7 @@ match_cfg_line(Options *options, const c + debug3("%.200s line %d: skipped exec " + "\"%.100s\"", filename, linenum, cmd); + free(cmd); +- continue; ++ goto next; + } + r = execute_in_shell(cmd); + if (r == -1) { +@@ -887,6 +887,7 @@ match_cfg_line(Options *options, const c + criteria == NULL ? "" : " \"", + criteria == NULL ? "" : criteria, + criteria == NULL ? "" : "\""); ++next: + free(criteria); + free(oattrib); + oattrib = attrib = NULL; @@ -1847,6 +1847,7 @@ parse_pubkey_algos: } else if (r != 0) { error("%.200s line %d: glob failed for %s.", @@ -170,6 +210,108 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c --- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100 +@@ -1120,12 +1120,12 @@ match_cfg_line(const char *full_line, in + } + + while ((oattrib = argv_next(acp, avp)) != NULL) { +- attrib = xstrdup(oattrib); + /* Terminate on comment */ +- if (*attrib == '#') { ++ if (*oattrib == '#') { + argv_consume(acp); /* mark all arguments consumed */ + break; + } ++ attrib = xstrdup(oattrib); + arg = NULL; + attributes++; + /* Criterion "all" has no argument and must appear alone */ +@@ -1147,13 +1147,13 @@ match_cfg_line(const char *full_line, in + if (strcasecmp(attrib, "invalid-user") == 0) { + if (ci == NULL) { + result = 0; +- continue; ++ goto next; + } + if (ci->user_invalid == 0) + result = 0; + else + debug("matched invalid-user at line %d", line); +- continue; ++ goto next; + } + + /* Keep this list in sync with below */ +@@ -1179,7 +1179,7 @@ match_cfg_line(const char *full_line, in + if (strcasecmp(attrib, "user") == 0) { + if (ci == NULL || (ci->test && ci->user == NULL)) { + result = 0; +- continue; ++ goto next; + } + if (ci->user == NULL) + match_test_missing_fatal("User", "user"); +@@ -1191,7 +1191,7 @@ match_cfg_line(const char *full_line, in + } else if (strcasecmp(attrib, "group") == 0) { + if (ci == NULL || (ci->test && ci->user == NULL)) { + result = 0; +- continue; ++ goto next; + } + if (ci->user == NULL) + match_test_missing_fatal("Group", "user"); +@@ -1205,7 +1205,7 @@ match_cfg_line(const char *full_line, in + } else if (strcasecmp(attrib, "host") == 0) { + if (ci == NULL || (ci->test && ci->host == NULL)) { + result = 0; +- continue; ++ goto next; + } + if (ci->host == NULL) + match_test_missing_fatal("Host", "host"); +@@ -1220,7 +1220,7 @@ match_cfg_line(const char *full_line, in + fatal("Invalid Match address argument " + "'%s' at line %d", arg, line); + result = 0; +- continue; ++ goto next; + } + if (ci->address == NULL) + match_test_missing_fatal("Address", "addr"); +@@ -1244,7 +1244,7 @@ match_cfg_line(const char *full_line, in + "argument '%s' at line %d", arg, + line); + result = 0; +- continue; ++ goto next; + } + if (ci->laddress == NULL) + match_test_missing_fatal("LocalAddress", +@@ -1272,7 +1272,7 @@ match_cfg_line(const char *full_line, in + } + if (ci == NULL || (ci->test && ci->lport == -1)) { + result = 0; +- continue; ++ goto next; + } + if (ci->lport == 0) + match_test_missing_fatal("LocalPort", "lport"); +@@ -1286,7 +1286,7 @@ match_cfg_line(const char *full_line, in + } else if (strcasecmp(attrib, "rdomain") == 0) { + if (ci == NULL || (ci->test && ci->rdomain == NULL)) { + result = 0; +- continue; ++ goto next; + } + if (ci->rdomain == NULL) + match_test_missing_fatal("RDomain", "rdomain"); +@@ -1300,6 +1300,7 @@ match_cfg_line(const char *full_line, in + result = -1; + goto out; + } ++next: + free(attrib); + attrib = NULL; + } @@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions if (*activep && *charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); @@ -246,3 +388,22 @@ diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c } else { if (strncasecmp(cp, "key:", 4) == 0) { cp += 4; +diff --color -ruNp a/sshd.c b/sshd.c +--- a/sshd.c 2026-04-01 14:29:14.186736233 +0200 ++++ b/sshd.c 2026-04-01 14:36:59.136881819 +0200 +@@ -1079,6 +1079,7 @@ server_accept_loop(int *sock_in, int *so + send_rexec_state(config_s[0], cfg); + close(config_s[0]); + free(pfd); ++ free(startup_pollfd); + return; + } + +@@ -1111,6 +1112,7 @@ server_accept_loop(int *sock_in, int *so + log_stderr); + close(config_s[0]); + free(pfd); ++ free(startup_pollfd); + return; + } + diff --git a/openssh.spec b/openssh.spec index b5329f8..3b3ed29 100644 --- a/openssh.spec +++ b/openssh.spec @@ -43,7 +43,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: 24%{?dist} +Release: 25%{?dist} URL: http://www.openssh.com/portable.html Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -719,6 +719,10 @@ test -f %{sysconfig_anaconda} && \ %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so %changelog +* Wed Apr 01 2026 Zoltan Fridrich - 9.9p1-25 +- Fix static analysis issues + Resolves: RHEL-163365 + * Fri Mar 27 2026 Zoltan Fridrich - 9.9p1-24 - Fix typo in SPDX license name Resolves: RHEL-161464 From 27f5b6826ecdb562b31e29f8f6253c3259eb9bae Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Thu, 2 Apr 2026 16:47:11 +0200 Subject: [PATCH 2/9] Ssh should refuse connection when mlkem kex is specified in FIPS Resolves: RHEL-155178 Signed-off-by: Zoltan Fridrich --- ...ssh-9.9p1-fill-default-options-error.patch | 24 +++++++++++++++++++ openssh.spec | 5 ++++ 2 files changed, 29 insertions(+) create mode 100644 openssh-9.9p1-fill-default-options-error.patch diff --git a/openssh-9.9p1-fill-default-options-error.patch b/openssh-9.9p1-fill-default-options-error.patch new file mode 100644 index 0000000..4b80504 --- /dev/null +++ b/openssh-9.9p1-fill-default-options-error.patch @@ -0,0 +1,24 @@ +diff --color -ruNp a/readconf.c b/readconf.c +--- a/readconf.c 2026-04-02 15:36:49.624394836 +0200 ++++ b/readconf.c 2026-04-02 15:43:15.115047190 +0200 +@@ -2779,7 +2779,7 @@ fill_default_options(Options * options) + { + char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; + char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig; +- int ret = 0, r; ++ int ret = 0; + + if (options->forward_agent == -1) + options->forward_agent = 0; +@@ -2989,9 +2989,9 @@ fill_default_options(Options * options) + KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + #define ASSEMBLE(what, defaults, all) \ + do { \ +- if ((r = kex_assemble_names(&options->what, \ ++ if ((ret = kex_assemble_names(&options->what, \ + defaults, all)) != 0) { \ +- error_fr(r, "%s", #what); \ ++ error_fr(ret, "%s", #what); \ + goto fail; \ + } \ + } while (0) diff --git a/openssh.spec b/openssh.spec index 3b3ed29..a82b443 100644 --- a/openssh.spec +++ b/openssh.spec @@ -237,6 +237,8 @@ Patch1037: openssh-9.9p1-first-match-wins.patch # upstream eddd1d2daa64a6ab1a915ca88436fa41aede44d4 # upstream bc328144f149af07139a0f2c1329018cd85b86b7 Patch1038: openssh-9.9p1-maxstartups-mistracking.patch +# https://github.com/openssh/openssh-portable/pull/649 +Patch1039: openssh-9.9p1-fill-default-options-error.patch License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant Requires: /sbin/nologin @@ -439,6 +441,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} %patch -P 1036 -p1 -b .gssapi-s4u %patch -P 1037 -p1 -b .first-match-wins %patch -P 1038 -p1 -b .maxstartups-mistracking +%patch -P 1039 -p1 -b .fill-default-options-error %patch -P 100 -p1 -b .coverity @@ -722,6 +725,8 @@ test -f %{sysconfig_anaconda} && \ * Wed Apr 01 2026 Zoltan Fridrich - 9.9p1-25 - Fix static analysis issues Resolves: RHEL-163365 +- Ssh should refuse connection when mlkem kex is specified in FIPS + Resolves: RHEL-155178 * Fri Mar 27 2026 Zoltan Fridrich - 9.9p1-24 - Fix typo in SPDX license name From 4ca20e1c2ca4bd99636ab9ea57aa8ea4f30cd360 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Tue, 7 Apr 2026 16:32:00 +0200 Subject: [PATCH 3/9] Fix CVE-2026-35385 Fix privilege escalation via scp legacy protocol when not in preserving file mode Resolves: RHEL-164740 Signed-off-by: Zoltan Fridrich --- openssh-9.9p1-scp-clear-setuid.patch | 15 +++++++++++++++ openssh.spec | 6 ++++++ 2 files changed, 21 insertions(+) create mode 100644 openssh-9.9p1-scp-clear-setuid.patch diff --git a/openssh-9.9p1-scp-clear-setuid.patch b/openssh-9.9p1-scp-clear-setuid.patch new file mode 100644 index 0000000..1a848a1 --- /dev/null +++ b/openssh-9.9p1-scp-clear-setuid.patch @@ -0,0 +1,15 @@ +diff --color -ruNp a/scp.c b/scp.c +--- a/scp.c 2026-04-07 15:54:11.193730842 +0200 ++++ b/scp.c 2026-04-07 15:55:52.529425481 +0200 +@@ -1705,8 +1705,10 @@ sink(int argc, char **argv, const char * + + setimes = targisdir = 0; + mask = umask(0); +- if (!pflag) ++ if (!pflag) { ++ mask |= 07000; + (void) umask(mask); ++ } + if (argc != 1) { + run_err("ambiguous target"); + exit(1); diff --git a/openssh.spec b/openssh.spec index a82b443..00708a9 100644 --- a/openssh.spec +++ b/openssh.spec @@ -239,6 +239,8 @@ Patch1037: openssh-9.9p1-first-match-wins.patch Patch1038: openssh-9.9p1-maxstartups-mistracking.patch # https://github.com/openssh/openssh-portable/pull/649 Patch1039: openssh-9.9p1-fill-default-options-error.patch +# upstream 487e8ac146f7d6616f65c125d5edb210519b833a +Patch1040: openssh-9.9p1-scp-clear-setuid.patch License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant Requires: /sbin/nologin @@ -442,6 +444,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} %patch -P 1037 -p1 -b .first-match-wins %patch -P 1038 -p1 -b .maxstartups-mistracking %patch -P 1039 -p1 -b .fill-default-options-error +%patch -P 1040 -p1 -b .scp-clear-setuid %patch -P 100 -p1 -b .coverity @@ -727,6 +730,9 @@ test -f %{sysconfig_anaconda} && \ Resolves: RHEL-163365 - Ssh should refuse connection when mlkem kex is specified in FIPS Resolves: RHEL-155178 +- CVE-2026-35385: Fix privilege escalation via scp legacy protocol + when not in preserving file mode + Resolves: RHEL-164740 * Fri Mar 27 2026 Zoltan Fridrich - 9.9p1-24 - Fix typo in SPDX license name From b39c465ad23f2779e1c0ca9eaeb35bb2c5252384 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Fri, 10 Apr 2026 13:05:15 +0200 Subject: [PATCH 4/9] Fix CVE-2026-35388 Add connection multiplexing confirmation for proxy-mode multiplexing sessions Resolves: RHEL-166239 Signed-off-by: Zoltan Fridrich --- openssh-9.9p1-mux-askpass-check.patch | 20 ++++++++++++++++++++ openssh.spec | 6 ++++++ 2 files changed, 26 insertions(+) create mode 100644 openssh-9.9p1-mux-askpass-check.patch diff --git a/openssh-9.9p1-mux-askpass-check.patch b/openssh-9.9p1-mux-askpass-check.patch new file mode 100644 index 0000000..2176243 --- /dev/null +++ b/openssh-9.9p1-mux-askpass-check.patch @@ -0,0 +1,20 @@ +diff --color -ruNp a/mux.c b/mux.c +--- a/mux.c 2024-09-20 00:20:48.000000000 +0200 ++++ b/mux.c 2026-04-09 15:02:36.016198814 +0200 +@@ -1137,6 +1137,16 @@ mux_master_process_proxy(struct ssh *ssh + + debug_f("channel %d: proxy request", c->self); + ++ if (options.control_master == SSHCTL_MASTER_ASK || ++ options.control_master == SSHCTL_MASTER_AUTO_ASK) { ++ if (!ask_permission("Allow multiplex proxy connection?")) { ++ debug2_f("proxy refused by user"); ++ reply_error(reply, MUX_S_PERMISSION_DENIED, rid, ++ "Permission denied"); ++ return 0; ++ } ++ } ++ + c->mux_rcb = channel_proxy_downstream; + if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 || + (r = sshbuf_put_u32(reply, rid)) != 0) diff --git a/openssh.spec b/openssh.spec index 00708a9..fb297ac 100644 --- a/openssh.spec +++ b/openssh.spec @@ -241,6 +241,8 @@ Patch1038: openssh-9.9p1-maxstartups-mistracking.patch Patch1039: openssh-9.9p1-fill-default-options-error.patch # upstream 487e8ac146f7d6616f65c125d5edb210519b833a Patch1040: openssh-9.9p1-scp-clear-setuid.patch +# upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add +Patch1041: openssh-9.9p1-mux-askpass-check.patch License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant Requires: /sbin/nologin @@ -445,6 +447,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} %patch -P 1038 -p1 -b .maxstartups-mistracking %patch -P 1039 -p1 -b .fill-default-options-error %patch -P 1040 -p1 -b .scp-clear-setuid +%patch -P 1041 -p1 -b .mux-askpass-check %patch -P 100 -p1 -b .coverity @@ -733,6 +736,9 @@ test -f %{sysconfig_anaconda} && \ - CVE-2026-35385: Fix privilege escalation via scp legacy protocol when not in preserving file mode Resolves: RHEL-164740 +- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode + multiplexing sessions + Resolves: RHEL-166239 * Fri Mar 27 2026 Zoltan Fridrich - 9.9p1-24 - Fix typo in SPDX license name From 418d6a85bef78bdecf1529764f20e9a134c0313f Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Fri, 10 Apr 2026 13:09:18 +0200 Subject: [PATCH 5/9] Fix CVE-2026-35387 Fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys Resolves: RHEL-166223 Signed-off-by: Zoltan Fridrich --- ...h-9.9p1-ecdsa-incomplete-application.patch | 103 ++++++++++++++++++ openssh.spec | 6 + 2 files changed, 109 insertions(+) create mode 100644 openssh-9.9p1-ecdsa-incomplete-application.patch diff --git a/openssh-9.9p1-ecdsa-incomplete-application.patch b/openssh-9.9p1-ecdsa-incomplete-application.patch new file mode 100644 index 0000000..3b93ca4 --- /dev/null +++ b/openssh-9.9p1-ecdsa-incomplete-application.patch @@ -0,0 +1,103 @@ +diff --color -ruNp a/auth2-hostbased.c b/auth2-hostbased.c +--- a/auth2-hostbased.c 2026-04-09 13:22:28.114045749 +0200 ++++ b/auth2-hostbased.c 2026-04-09 14:34:44.876393822 +0200 +@@ -96,9 +96,10 @@ userauth_hostbased(struct ssh *ssh, cons + error_f("cannot decode key: %s", pkalg); + goto done; + } +- if (key->type != pktype) { +- error_f("type mismatch for decoded key " +- "(received %d, expected %d)", key->type, pktype); ++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA && ++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) { ++ error_f("key type mismatch for decoded key " ++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg); + goto done; + } + if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) { +diff --color -ruNp a/auth2-pubkey.c b/auth2-pubkey.c +--- a/auth2-pubkey.c 2026-04-09 13:22:28.157194118 +0200 ++++ b/auth2-pubkey.c 2026-04-09 14:35:48.997689347 +0200 +@@ -152,9 +152,10 @@ userauth_pubkey(struct ssh *ssh, const c + error_f("cannot decode key: %s", pkalg); + goto done; + } +- if (key->type != pktype) { +- error_f("type mismatch for decoded key " +- "(received %d, expected %d)", key->type, pktype); ++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA && ++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) { ++ error_f("key type mismatch for decoded key " ++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg); + goto done; + } + if (auth2_key_already_used(authctxt, key)) { +diff --color -ruNp a/sshconnect2.c b/sshconnect2.c +--- a/sshconnect2.c 2026-04-09 13:22:28.193412553 +0200 ++++ b/sshconnect2.c 2026-04-09 14:42:37.644945762 +0200 +@@ -91,6 +91,7 @@ extern Options options; + static char *xxx_host; + static struct sockaddr *xxx_hostaddr; + static const struct ssh_conn_info *xxx_conn_info; ++static int key_type_allowed(struct sshkey *, const char *); + + static int + verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) +@@ -100,6 +101,10 @@ verify_host_key_callback(struct sshkey * + if ((r = sshkey_check_rsa_length(hostkey, + options.required_rsa_size)) != 0) + fatal_r(r, "Bad server host key"); ++ if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) { ++ fatal("Server host key %s not in HostKeyAlgorithms", ++ sshkey_ssh_name(hostkey)); ++ } + if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, + xxx_conn_info) != 0) + fatal("Host key verification failed."); +@@ -1776,34 +1781,37 @@ load_identity_file(Identity *id) + } + + static int +-key_type_allowed_by_config(struct sshkey *key) ++key_type_allowed(struct sshkey *key, const char *allowlist) + { +- if (match_pattern_list(sshkey_ssh_name(key), +- options.pubkey_accepted_algos, 0) == 1) ++ if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1) + return 1; + + /* RSA keys/certs might be allowed by alternate signature types */ + switch (key->type) { + case KEY_RSA: +- if (match_pattern_list("rsa-sha2-512", +- options.pubkey_accepted_algos, 0) == 1) ++ if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1) + return 1; +- if (match_pattern_list("rsa-sha2-256", +- options.pubkey_accepted_algos, 0) == 1) ++ if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1) + return 1; + break; + case KEY_RSA_CERT: + if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", +- options.pubkey_accepted_algos, 0) == 1) ++ allowlist, 0) == 1) + return 1; + if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", +- options.pubkey_accepted_algos, 0) == 1) ++ allowlist, 0) == 1) + return 1; + break; + } + return 0; + } + ++static int ++key_type_allowed_by_config(struct sshkey *key) ++{ ++ return key_type_allowed(key, options.pubkey_accepted_algos); ++} ++ + /* obtain a list of keys from the agent */ + static int + get_agent_identities(struct ssh *ssh, int *agent_fdp, diff --git a/openssh.spec b/openssh.spec index fb297ac..1eff43c 100644 --- a/openssh.spec +++ b/openssh.spec @@ -243,6 +243,8 @@ Patch1039: openssh-9.9p1-fill-default-options-error.patch Patch1040: openssh-9.9p1-scp-clear-setuid.patch # upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add Patch1041: openssh-9.9p1-mux-askpass-check.patch +# upstream fd1c7e131f331942d20f42f31e79912d570081fa +Patch1042: openssh-9.9p1-ecdsa-incomplete-application.patch License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant Requires: /sbin/nologin @@ -448,6 +450,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} %patch -P 1039 -p1 -b .fill-default-options-error %patch -P 1040 -p1 -b .scp-clear-setuid %patch -P 1041 -p1 -b .mux-askpass-check +%patch -P 1042 -p1 -b .ecdsa-incomplete-application %patch -P 100 -p1 -b .coverity @@ -739,6 +742,9 @@ test -f %{sysconfig_anaconda} && \ - CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode multiplexing sessions Resolves: RHEL-166239 +- CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms + and HostbasedAcceptedAlgorithms with regard to ECDSA keys + Resolves: RHEL-166223 * Fri Mar 27 2026 Zoltan Fridrich - 9.9p1-24 - Fix typo in SPDX license name From 88128fdefa2d32fe20997512ac03d1216a1d659c Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Fri, 10 Apr 2026 13:19:44 +0200 Subject: [PATCH 6/9] Fix CVE-2026-35414 Fix mishandling of authorized_keys principals option Resolves: RHEL-166191 Signed-off-by: Zoltan Fridrich --- ...p1-authorized-keys-principles-option.patch | 45 +++++++++++++++++++ openssh.spec | 5 +++ 2 files changed, 50 insertions(+) create mode 100644 openssh-9.9p1-authorized-keys-principles-option.patch diff --git a/openssh-9.9p1-authorized-keys-principles-option.patch b/openssh-9.9p1-authorized-keys-principles-option.patch new file mode 100644 index 0000000..9bdd199 --- /dev/null +++ b/openssh-9.9p1-authorized-keys-principles-option.patch @@ -0,0 +1,45 @@ +diff --color -ruNp a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c +--- a/auth2-pubkeyfile.c 2024-09-20 00:20:48.000000000 +0200 ++++ b/auth2-pubkeyfile.c 2026-04-09 14:38:41.697178612 +0200 +@@ -50,6 +50,7 @@ + #include "authfile.h" + #include "match.h" + #include "ssherr.h" ++#include "xmalloc.h" + + int + auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts, +@@ -146,20 +147,23 @@ auth_authorise_keyopts(struct passwd *pw + static int + match_principals_option(const char *principal_list, struct sshkey_cert *cert) + { +- char *result; ++ char *list, *olist, *entry; + u_int i; + +- /* XXX percent_expand() sequences for authorized_principals? */ +- +- for (i = 0; i < cert->nprincipals; i++) { +- if ((result = match_list(cert->principals[i], +- principal_list, NULL)) != NULL) { +- debug3("matched principal from key options \"%.100s\"", +- result); +- free(result); +- return 1; ++ olist = list = xstrdup(principal_list); ++ for (;;) { ++ if ((entry = strsep(&list, ",")) == NULL || *entry == '\0') ++ break; ++ for (i = 0; i < cert->nprincipals; i++) { ++ if (strcmp(entry, cert->principals[i]) == 0) { ++ debug3("matched principal from key i" ++ "options \"%.100s\"", entry); ++ free(olist); ++ return 1; ++ } + } + } ++ free(olist); + return 0; + } + diff --git a/openssh.spec b/openssh.spec index 1eff43c..b95a957 100644 --- a/openssh.spec +++ b/openssh.spec @@ -245,6 +245,8 @@ Patch1040: openssh-9.9p1-scp-clear-setuid.patch Patch1041: openssh-9.9p1-mux-askpass-check.patch # upstream fd1c7e131f331942d20f42f31e79912d570081fa Patch1042: openssh-9.9p1-ecdsa-incomplete-application.patch +# upstream fd1c7e131f331942d20f42f31e79912d570081fa +Patch1043: openssh-9.9p1-authorized-keys-principles-option.patch License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant Requires: /sbin/nologin @@ -451,6 +453,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} %patch -P 1040 -p1 -b .scp-clear-setuid %patch -P 1041 -p1 -b .mux-askpass-check %patch -P 1042 -p1 -b .ecdsa-incomplete-application +%patch -P 1043 -p1 -b .authorized-keys-principles-option %patch -P 100 -p1 -b .coverity @@ -745,6 +748,8 @@ test -f %{sysconfig_anaconda} && \ - CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys Resolves: RHEL-166223 +- CVE-2026-35414: Fix mishandling of authorized_keys principals option + Resolves: RHEL-166191 * Fri Mar 27 2026 Zoltan Fridrich - 9.9p1-24 - Fix typo in SPDX license name From 8edc05030d0eb62aa5ff41128645744cdf44323e Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Fri, 10 Apr 2026 16:20:30 +0200 Subject: [PATCH 7/9] Fix CVE-2026-35386 Add validation rules to usernames and hostnames set for ProxyJump/-J on the commandline Resolves: RHEL-166207 Signed-off-by: Zoltan Fridrich --- ...1-proxyjump-username-validity-checks.patch | 402 ++++++++++++++++++ openssh.spec | 9 + 2 files changed, 411 insertions(+) create mode 100644 openssh-9.9p1-proxyjump-username-validity-checks.patch diff --git a/openssh-9.9p1-proxyjump-username-validity-checks.patch b/openssh-9.9p1-proxyjump-username-validity-checks.patch new file mode 100644 index 0000000..c6ee415 --- /dev/null +++ b/openssh-9.9p1-proxyjump-username-validity-checks.patch @@ -0,0 +1,402 @@ +diff --color -ruNp a/readconf.c b/readconf.c +--- a/readconf.c 2026-04-10 15:42:50.693725820 +0200 ++++ b/readconf.c 2026-04-10 15:49:57.441110287 +0200 +@@ -1533,9 +1533,6 @@ parse_char_array: + + case oProxyCommand: + charptr = &options->proxy_command; +- /* Ignore ProxyCommand if ProxyJump already specified */ +- if (options->jump_host != NULL) +- charptr = &options->jump_host; /* Skip below */ + parse_command: + if (str == NULL) { + error("%.200s line %d: Missing argument.", +@@ -1556,7 +1553,7 @@ parse_command: + } + len = strspn(str, WHITESPACE "="); + /* XXX use argv? */ +- if (parse_jump(str + len, options, *activep) == -1) { ++ if (parse_jump(str + len, options, cmdline, *activep) == -1) { + error("%.200s line %d: Invalid ProxyJump \"%s\"", + filename, linenum, str + len); + goto out; +@@ -3370,65 +3367,116 @@ parse_forward(struct Forward *fwd, const + } + + int +-parse_jump(const char *s, Options *o, int active) ++ssh_valid_hostname(const char *s) + { +- char *orig, *sdup, *cp; +- char *host = NULL, *user = NULL; +- int r, ret = -1, port = -1, first; ++ size_t i; + +- active &= o->proxy_command == NULL && o->jump_host == NULL; ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\"$\\;&<>|(){},", s[i]) != NULL || ++ isspace((u_char)s[i]) || iscntrl((u_char)s[i])) ++ return 0; ++ } ++ return 1; ++} + +- orig = sdup = xstrdup(s); ++int ++ssh_valid_ruser(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (iscntrl((u_char)s[i])) ++ return 0; ++ if (strchr("'`\";&<>|(){}", s[i]) != NULL) ++ return 0; ++ /* Disallow '-' after whitespace */ ++ if (isspace((u_char)s[i]) && s[i + 1] == '-') ++ return 0; ++ /* Disallow \ in last position */ ++ if (s[i] == '\\' && s[i + 1] == '\0') ++ return 0; ++ } ++ return 1; ++} ++ ++int ++parse_jump(const char *s, Options *o, int strict, int active) ++{ ++ char *orig = NULL, *sdup = NULL, *cp; ++ char *tmp_user = NULL, *tmp_host = NULL, *host = NULL, *user = NULL; ++ int r, ret = -1, tmp_port = -1, port = -1, first = 1; ++ ++ if (strcasecmp(s, "none") == 0) { ++ if (active && o->jump_host == NULL) { ++ o->jump_host = xstrdup("none"); ++ o->jump_port = 0; ++ } ++ return 0; ++ } + +- /* Remove comment and trailing whitespace */ ++ orig = xstrdup(s); + if ((cp = strchr(orig, '#')) != NULL) + *cp = '\0'; + rtrim(orig); + +- first = active; ++ active &= o->proxy_command == NULL && o->jump_host == NULL; ++ sdup = xstrdup(orig); + do { +- if (strcasecmp(s, "none") == 0) +- break; ++ /* Work backwards through string */ + if ((cp = strrchr(sdup, ',')) == NULL) + cp = sdup; /* last */ + else + *cp++ = '\0'; + +- if (first) { +- /* First argument and configuration is active */ +- r = parse_ssh_uri(cp, &user, &host, &port); +- if (r == -1 || (r == 1 && +- parse_user_host_port(cp, &user, &host, &port) != 0)) ++ r = parse_ssh_uri(cp, &tmp_user, &tmp_host, &tmp_port); ++ if (r == -1 || (r == 1 && parse_user_host_port(cp, ++ &tmp_user, &tmp_host, &tmp_port) != 0)) ++ goto out; /* error already logged */ ++ if (strict) { ++ if (!ssh_valid_hostname(tmp_host)) { ++ error_f("invalid hostname \"%s\"", tmp_host); + goto out; +- } else { +- /* Subsequent argument or inactive configuration */ +- r = parse_ssh_uri(cp, NULL, NULL, NULL); +- if (r == -1 || (r == 1 && +- parse_user_host_port(cp, NULL, NULL, NULL) != 0)) ++ } ++ if (tmp_user != NULL && !ssh_valid_ruser(tmp_user)) { ++ error_f("invalid username \"%s\"", tmp_user); + goto out; ++ } ++ } ++ if (first) { ++ user = tmp_user; ++ host = tmp_host; ++ port = tmp_port; ++ tmp_user = tmp_host = NULL; /* transferred */ + } + first = 0; /* only check syntax for subsequent hosts */ ++ free(tmp_user); ++ free(tmp_host); ++ tmp_user = tmp_host = NULL; ++ tmp_port = -1; + } while (cp != sdup); ++ + /* success */ + if (active) { +- if (strcasecmp(s, "none") == 0) { +- o->jump_host = xstrdup("none"); +- o->jump_port = 0; +- } else { +- o->jump_user = user; +- o->jump_host = host; +- o->jump_port = port; +- o->proxy_command = xstrdup("none"); +- user = host = NULL; +- if ((cp = strrchr(s, ',')) != NULL && cp != s) { +- o->jump_extra = xstrdup(s); +- o->jump_extra[cp - s] = '\0'; +- } ++ o->jump_user = user; ++ o->jump_host = host; ++ o->jump_port = port; ++ o->proxy_command = xstrdup("none"); ++ user = host = NULL; /* transferred */ ++ if (orig != NULL && (cp = strrchr(orig, ',')) != NULL) { ++ o->jump_extra = xstrdup(orig); ++ o->jump_extra[cp - orig] = '\0'; + } + } + ret = 0; + out: + free(orig); ++ free(sdup); ++ free(tmp_user); ++ free(tmp_host); + free(user); + free(host); + return ret; +diff --color -ruNp a/readconf.h b/readconf.h +--- a/readconf.h 2026-04-10 15:42:50.470697714 +0200 ++++ b/readconf.h 2026-04-10 15:49:57.442110306 +0200 +@@ -249,7 +249,9 @@ int process_config_line(Options *, stru + int read_config_file(const char *, struct passwd *, const char *, + const char *, Options *, int, int *); + int parse_forward(struct Forward *, const char *, int, int); +-int parse_jump(const char *, Options *, int); ++int ssh_valid_hostname(const char *); ++int ssh_valid_ruser(const char *); ++int parse_jump(const char *, Options *, int, int); + int parse_ssh_uri(const char *, char **, char **, int *); + int default_ssh_port(void); + int option_clear_or_none(const char *); +diff --color -ruNp a/regress/Makefile b/regress/Makefile +--- a/regress/Makefile 2026-04-10 15:42:50.533815702 +0200 ++++ b/regress/Makefile 2026-04-10 16:07:30.566094450 +0200 +@@ -111,7 +111,8 @@ LTESTS= connect \ + agent-pkcs11-restrict \ + agent-pkcs11-cert \ + penalty \ +- penalty-expire ++ penalty-expire \ ++ proxyjump + + INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers + INTEROP_TESTS+= dropbear-ciphers dropbear-kex +diff --color -ruNp a/regress/proxyjump.sh b/regress/proxyjump.sh +--- a/regress/proxyjump.sh 1970-01-01 01:00:00.000000000 +0100 ++++ b/regress/proxyjump.sh 2026-04-10 16:07:55.225958206 +0200 +@@ -0,0 +1,102 @@ ++# $OpenBSD: proxyjump.sh,v 1.1 2026/03/30 07:19:02 djm Exp $ ++# Placed in the Public Domain. ++ ++tid="proxyjump" ++ ++# Parsing tests ++verbose "basic parsing" ++for jspec in \ ++ "jump1" \ ++ "user@jump1" \ ++ "jump1:2222" \ ++ "user@jump1:2222" \ ++ "jump1,jump2" \ ++ "user1@jump1:2221,user2@jump2:2222" \ ++ "ssh://user@host:2223" \ ++ ; do ++ case "$jspec" in ++ "jump1") expected="jump1" ;; ++ "user@jump1") expected="user@jump1" ;; ++ "jump1:2222") expected="jump1:2222" ;; ++ "user@jump1:2222") expected="user@jump1:2222" ;; ++ "jump1,jump2") expected="jump1,jump2" ;; ++ "user1@jump1:2221,user2@jump2:2222") ++ expected="user1@jump1:2221,user2@jump2:2222" ;; ++ "ssh://user@host:2223") expected="user@host:2223" ;; ++ esac ++ f=`${SSH} -GF /dev/null -oProxyJump="$jspec" somehost | \ ++ awk '/^proxyjump /{print $2}'` ++ if [ "$f" != "$expected" ]; then ++ fail "ProxyJump $jspec: expected $expected, got $f" ++ fi ++ f=`${SSH} -GF /dev/null -J "$jspec" somehost | \ ++ awk '/^proxyjump /{print $2}'` ++ if [ "$f" != "$expected" ]; then ++ fail "ssh -J $jspec: expected $expected, got $f" ++ fi ++done ++ ++verbose "precedence" ++f=`${SSH} -GF /dev/null -oProxyJump=none -oProxyJump=jump1 somehost | \ ++ grep "^proxyjump "` ++if [ -n "$f" ]; then ++ fail "ProxyJump=none first did not win" ++fi ++f=`${SSH} -GF /dev/null -oProxyJump=jump -oProxyCommand=foo somehost | \ ++ grep "^proxyjump "` ++if [ "$f" != "proxyjump jump" ]; then ++ fail "ProxyJump first did not win over ProxyCommand" ++fi ++f=`${SSH} -GF /dev/null -oProxyCommand=foo -oProxyJump=jump somehost | \ ++ grep "^proxycommand "` ++if [ "$f" != "proxycommand foo" ]; then ++ fail "ProxyCommand first did not win over ProxyJump" ++fi ++ ++verbose "command-line -J invalid characters" ++cp $OBJ/ssh_config $OBJ/ssh_config.orig ++for jspec in \ ++ "host;with;semicolon" \ ++ "host'with'quote" \ ++ "host\`with\`backtick" \ ++ "host\$with\$dollar" \ ++ "host(with)brace" \ ++ "user;with;semicolon@host" \ ++ "user'with'quote@host" \ ++ "user\`with\`backtick@host" \ ++ "user(with)brace@host" ; do ++ ${SSH} -GF /dev/null -J "$jspec" somehost >/dev/null 2>&1 ++ if [ $? -ne 255 ]; then ++ fail "ssh -J \"$jspec\" was not rejected" ++ fi ++ ${SSH} -GF /dev/null -oProxyJump="$jspec" somehost >/dev/null 2>&1 ++ if [ $? -ne 255 ]; then ++ fail "ssh -oProxyJump=\"$jspec\" was not rejected" ++ fi ++done ++# Special characters should be accepted in the config though. ++echo "ProxyJump user;with;semicolon@host;with;semicolon" >> $OBJ/ssh_config ++f=`${SSH} -GF $OBJ/ssh_config somehost | grep "^proxyjump "` ++if [ "$f" != "proxyjump user;with;semicolon@host;with;semicolon" ]; then ++ fail "ProxyJump did not allow special characters in config: $f" ++fi ++ ++verbose "functional test" ++# Use different names to avoid the loop detection in ssh.c ++grep -iv HostKeyAlias $OBJ/ssh_config.orig > $OBJ/ssh_config ++cat << _EOF >> $OBJ/ssh_config ++Host jump-host ++ HostkeyAlias jump-host ++Host target-host ++ HostkeyAlias target-host ++_EOF ++cp $OBJ/known_hosts $OBJ/known_hosts.orig ++sed 's/^[^ ]* /jump-host /' < $OBJ/known_hosts.orig > $OBJ/known_hosts ++sed 's/^[^ ]* /target-host /' < $OBJ/known_hosts.orig >> $OBJ/known_hosts ++start_sshd ++ ++verbose "functional ProxyJump" ++res=`${REAL_SSH} -F $OBJ/ssh_config -J jump-host target-host echo "SUCCESS" 2>/dev/null` ++if [ "$res" != "SUCCESS" ]; then ++ fail "functional test failed: expected SUCCESS, got $res" ++fi +diff --color -ruNp a/ssh.c b/ssh.c +--- a/ssh.c 2026-04-10 15:42:50.657913189 +0200 ++++ b/ssh.c 2026-04-10 16:04:07.489047966 +0200 +@@ -639,43 +639,6 @@ ssh_conn_info_free(struct ssh_conn_info + free(cinfo); + } + +-static int +-valid_hostname(const char *s) +-{ +- size_t i; +- +- if (*s == '-') +- return 0; +- for (i = 0; s[i] != 0; i++) { +- if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL || +- isspace((u_char)s[i]) || iscntrl((u_char)s[i])) +- return 0; +- } +- return 1; +-} +- +-static int +-valid_ruser(const char *s) +-{ +- size_t i; +- +- if (*s == '-') +- return 0; +- for (i = 0; s[i] != 0; i++) { +- if (iscntrl((u_char)s[i])) +- return 0; +- if (strchr("'`\";&<>|(){}", s[i]) != NULL) +- return 0; +- /* Disallow '-' after whitespace */ +- if (isspace((u_char)s[i]) && s[i + 1] == '-') +- return 0; +- /* Disallow \ in last position */ +- if (s[i] == '\\' && s[i + 1] == '\0') +- return 0; +- } +- return 1; +-} +- + /* + * Main program for the ssh client. + */ +@@ -931,9 +894,9 @@ main(int ac, char **av) + } + if (options.proxy_command != NULL) + fatal("Cannot specify -J with ProxyCommand"); +- if (parse_jump(optarg, &options, 1) == -1) ++ if (parse_jump(optarg, &options, 1, 1) == -1) ++ + fatal("Invalid -J argument"); +- options.proxy_command = xstrdup("none"); + break; + case 't': + if (options.request_tty == REQUEST_TTY_YES) +@@ -1183,10 +1146,15 @@ main(int ac, char **av) + if (!host) + usage(); + +- if (!valid_hostname(host)) +- fatal("hostname contains invalid characters"); +- if (options.user != NULL && !valid_ruser(options.user)) ++ /* ++ * Validate commandline-specified values that end up in %tokens ++ * before they are used in config parsing. ++ */ ++ if (options.user != NULL && !ssh_valid_ruser(options.user)) + fatal("remote username contains invalid characters"); ++ if (!ssh_valid_hostname(host)) ++ fatal("hostname contains invalid characters"); ++ + options.host_arg = xstrdup(host); + + /* Initialize the command to execute on remote host. */ +@@ -1347,7 +1315,8 @@ main(int ac, char **av) + sshbin = "ssh"; + + /* Consistency check */ +- if (options.proxy_command != NULL) ++ if (options.proxy_command != NULL && ++ strcasecmp(options.proxy_command, "none") != 0) + fatal("inconsistent options: ProxyCommand+ProxyJump"); + /* Never use FD passing for ProxyJump */ + options.proxy_use_fdpass = 0; +@@ -1467,7 +1436,7 @@ main(int ac, char **av) + cinfo->jmphost = xstrdup(options.jump_host == NULL ? + "" : options.jump_host); + +- if (user_on_commandline && !valid_ruser(options.user)) ++ if (user_on_commandline && !ssh_valid_ruser(options.user)) + fatal("remote username contains invalid characters"); + + cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost, diff --git a/openssh.spec b/openssh.spec index b95a957..afb4332 100644 --- a/openssh.spec +++ b/openssh.spec @@ -247,6 +247,11 @@ Patch1041: openssh-9.9p1-mux-askpass-check.patch Patch1042: openssh-9.9p1-ecdsa-incomplete-application.patch # upstream fd1c7e131f331942d20f42f31e79912d570081fa Patch1043: openssh-9.9p1-authorized-keys-principles-option.patch +# upstream 76685c9b09a66435cd2ad8373246adf1c53976d3 +# upstream 0a0ef4515361143cad21afa072319823854c1cf6 +# upstream 607bd871ec029e9aa22e632a22547250f3cae223 +# upstream 1340d3fa8e4bb122906a82159c4c9b91584d65ce +Patch1044: openssh-9.9p1-proxyjump-username-validity-checks.patch License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant Requires: /sbin/nologin @@ -454,6 +459,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} %patch -P 1041 -p1 -b .mux-askpass-check %patch -P 1042 -p1 -b .ecdsa-incomplete-application %patch -P 1043 -p1 -b .authorized-keys-principles-option +%patch -P 1044 -p1 -b .proxyjump-username-validity-checks %patch -P 100 -p1 -b .coverity @@ -750,6 +756,9 @@ test -f %{sysconfig_anaconda} && \ Resolves: RHEL-166223 - CVE-2026-35414: Fix mishandling of authorized_keys principals option Resolves: RHEL-166191 +- CVE-2026-35386: Add validation rules to usernames and hostnames + set for ProxyJump/-J on the commandline + Resolves: RHEL-166207 * Fri Mar 27 2026 Zoltan Fridrich - 9.9p1-24 - Fix typo in SPDX license name From b35a30acc761b4393bbffd3d0cedbf4a70bb9272 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Tue, 14 Apr 2026 16:19:58 +0200 Subject: [PATCH 8/9] Improve keytab detection when obtaining Kerberos tickets on behalf of user on SSH authentication Related: RHEL-92932 --- openssh-9.9p1-gssapi-s4u.patch | 39 ++++++++++++++++++++++++++++++---- openssh.spec | 6 +++++- 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/openssh-9.9p1-gssapi-s4u.patch b/openssh-9.9p1-gssapi-s4u.patch index 4dd3a09..5364704 100644 --- a/openssh-9.9p1-gssapi-s4u.patch +++ b/openssh-9.9p1-gssapi-s4u.patch @@ -55,7 +55,7 @@ diff --color -ruNp a/gss-serv.c b/gss-serv.c ssh_gssapi_mech gssapi_null_mech = { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL}; -@@ -486,26 +486,351 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g +@@ -486,26 +486,382 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g return (ctx->major); } @@ -184,12 +184,43 @@ diff --color -ruNp a/gss-serv.c b/gss-serv.c + (unsigned)getuid(), (unsigned)geteuid(), lname); +#ifdef HAVE_GSS_ACQUIRE_CRED_FROM + { ++# if defined(KRB5) ++ /* ++ * Resolve the keytab path: krb5_kt_default_name respects ++ * KRB5_KTNAME and krb5.conf default_keytab_name. ++ */ ++ char keytab_name[MAXPATHLEN]; ++ krb5_context tmp_ctx; ++ ++ ++ keytab_name[0] = '\0'; ++ if (krb5_init_context(&tmp_ctx) == 0) { ++ (void)krb5_kt_default_name(tmp_ctx, keytab_name, ++ sizeof(keytab_name)); ++ krb5_free_context(tmp_ctx); ++ } ++ if (keytab_name[0] == '\0') ++ strlcpy(keytab_name, "FILE:/etc/krb5.keytab", ++ sizeof(keytab_name)); ++ /* ++ * client_keytab lets GSSAPI do AS-REQ to obtain a TGT for the ++ * host principal (initiator role needed for S4U2Self). ++ * keytab covers the acceptor role. ++ * ccache: MEMORY: keeps the resulting TGT volatile. ++ */ + gss_key_value_element_desc store_elements[] = { -+ { "client_keytab", "/etc/krb5.keytab" }, -+ { "keytab", "/etc/krb5.keytab" }, -+ { "ccache", "MEMORY:" }, ++ { "client_keytab", keytab_name }, ++ { "keytab", keytab_name }, ++ { "ccache", "MEMORY:" }, + }; + const gss_key_value_set_desc cred_store = { 3, store_elements }; ++# else ++ gss_key_value_element_desc store_elements[] = { ++ { "ccache", "MEMORY:" }, ++ }; ++ const gss_key_value_set_desc cred_store = { 1, store_elements }; ++# endif ++ + + major = gss_acquire_cred_from(&minor, host_name, lifetime, + oidset, GSS_C_BOTH, &cred_store, &host_creds, NULL, NULL); diff --git a/openssh.spec b/openssh.spec index afb4332..650998a 100644 --- a/openssh.spec +++ b/openssh.spec @@ -43,7 +43,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: 25%{?dist} +Release: 26%{?dist} URL: http://www.openssh.com/portable.html Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -740,6 +740,10 @@ test -f %{sysconfig_anaconda} && \ %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so %changelog +* Tue Apr 14 2026 Dmitry Belyavskiy - 9.9p1-26 +- Improve keytab detection when obtaining Kerberos tickets on behalf of user on SSH authentication + Related: RHEL-92932 + * Wed Apr 01 2026 Zoltan Fridrich - 9.9p1-25 - Fix static analysis issues Resolves: RHEL-163365 From 125c748cc93b84fb92dfec4b91cee0076b658ffe Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Tue, 14 Apr 2026 16:24:03 +0200 Subject: [PATCH 9/9] Add missing NULL check for server key generation in ML-KEM hybrids Resolves: RHEL-168106 --- openssh-10.0-mlkem-nist.patch | 2 +- openssh.spec | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/openssh-10.0-mlkem-nist.patch b/openssh-10.0-mlkem-nist.patch index 22b8ec6..cb873c6 100644 --- a/openssh-10.0-mlkem-nist.patch +++ b/openssh-10.0-mlkem-nist.patch @@ -676,7 +676,7 @@ index 670049dcd..463d18771 100644 + /* generate ECDH key pair, store server pubkey after ciphertext */ + server_key = nist_pkey_keygen(server_key_len); + -+ if ((r = get_uncompressed_ec_pubkey(server_key, server_pub, server_key_len) != 0) || ++ if ((server_key == NULL) || (r = get_uncompressed_ec_pubkey(server_key, server_pub, server_key_len) != 0) || + (r = sshbuf_put(buf, secret, sizeof(secret))) != 0 || + (r = sshbuf_put(server_blob, enc_out, enc_out_len) != 0)|| + (r = sshbuf_put(server_blob, server_pub, server_key_len)) != 0) diff --git a/openssh.spec b/openssh.spec index 650998a..cbb2de7 100644 --- a/openssh.spec +++ b/openssh.spec @@ -743,6 +743,8 @@ test -f %{sysconfig_anaconda} && \ * Tue Apr 14 2026 Dmitry Belyavskiy - 9.9p1-26 - Improve keytab detection when obtaining Kerberos tickets on behalf of user on SSH authentication Related: RHEL-92932 +- Add missing NULL check for server key generation in ML-KEM hybrids + Resolves: RHEL-168106 * Wed Apr 01 2026 Zoltan Fridrich - 9.9p1-25 - Fix static analysis issues