From f39b4284bf6274793afe93d18203825252f09509 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Fri, 26 Jun 2026 15:07:50 +0200 Subject: [PATCH] Fix CVE-2026-55655 Fix MITM of X11 forwarding via abstract UNIX socket pre-binding Resolves: RHEL-185850 Signed-off-by: Zoltan Fridrich --- openssh-7.2p2-x11.patch | 11 ++++++----- openssh.spec | 3 +++ 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/openssh-7.2p2-x11.patch b/openssh-7.2p2-x11.patch index 6db16be..a605a41 100644 --- a/openssh-7.2p2-x11.patch +++ b/openssh-7.2p2-x11.patch @@ -32,7 +32,7 @@ diff --git a/channels.c b/channels.c return -1; } -@@ -5099,8 +5102,18 @@ +@@ -5099,8 +5102,19 @@ connect_local_xsocket(u_int dnr) { char buf[1024]; @@ -41,10 +41,11 @@ diff --git a/channels.c b/channels.c + int len, ret; + len = snprintf(buf + 1, sizeof (buf) - 1, _PATH_UNIX_X, dnr); +#ifdef linux -+ /* try abstract socket first */ -+ buf[0] = '\0'; -+ if ((ret = connect_local_xsocket_path(buf, len + 1)) >= 0) -+ return ret; ++ if (getenv("SSH_INSECURE_ABSTRACT_SOCKET_ENABLED") != NULL) { ++ buf[0] = '\0'; ++ if ((ret = connect_local_xsocket_path(buf, len + 1)) >= 0) ++ return ret; ++ } +#endif + if ((ret = connect_local_xsocket_path(buf + 1, len)) >= 0) + return ret; diff --git a/openssh.spec b/openssh.spec index 03f548c..64802e1 100644 --- a/openssh.spec +++ b/openssh.spec @@ -779,6 +779,9 @@ test -f %{sysconfig_anaconda} && \ - CVE-2026-55654: Fix heap out-of-bounds read during GSSAPI indicator cleanup due to missing NULL terminator Resolves: RHEL-185835 +- CVE-2026-55655: Fix MITM of X11 forwarding via abstract UNIX socket + pre-binding + Resolves: RHEL-185850 * Wed Apr 01 2026 Zoltan Fridrich - 9.9p1-8 - Fix static analysis issues