Fix CVE-2026-55655

Fix MITM of X11 forwarding via abstract UNIX socket pre-binding

Resolves: RHEL-185850

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
Zoltan Fridrich 2026-06-26 15:07:50 +02:00
parent 5d6c77dc9c
commit f39b4284bf
2 changed files with 9 additions and 5 deletions

View File

@ -32,7 +32,7 @@ diff --git a/channels.c b/channels.c
return -1;
}
@@ -5099,8 +5102,18 @@
@@ -5099,8 +5102,19 @@
connect_local_xsocket(u_int dnr)
{
char buf[1024];
@ -41,10 +41,11 @@ diff --git a/channels.c b/channels.c
+ int len, ret;
+ len = snprintf(buf + 1, sizeof (buf) - 1, _PATH_UNIX_X, dnr);
+#ifdef linux
+ /* try abstract socket first */
+ buf[0] = '\0';
+ if ((ret = connect_local_xsocket_path(buf, len + 1)) >= 0)
+ return ret;
+ if (getenv("SSH_INSECURE_ABSTRACT_SOCKET_ENABLED") != NULL) {
+ buf[0] = '\0';
+ if ((ret = connect_local_xsocket_path(buf, len + 1)) >= 0)
+ return ret;
+ }
+#endif
+ if ((ret = connect_local_xsocket_path(buf + 1, len)) >= 0)
+ return ret;

View File

@ -779,6 +779,9 @@ test -f %{sysconfig_anaconda} && \
- CVE-2026-55654: Fix heap out-of-bounds read during GSSAPI indicator
cleanup due to missing NULL terminator
Resolves: RHEL-185835
- CVE-2026-55655: Fix MITM of X11 forwarding via abstract UNIX socket
pre-binding
Resolves: RHEL-185850
* Wed Apr 01 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-8
- Fix static analysis issues