Fix CVE-2026-55655

Fix MITM of X11 forwarding via abstract UNIX socket pre-binding

Resolves: RHEL-185855

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich 2026-06-29 17:19:17 +02:00
parent 9eb205cba9
commit f5884ebcc6
2 changed files with 9 additions and 5 deletions


@ -30,7 +30,7 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
return -1;
}
@@ -4012,8 +4015,18 @@ static int
@@ -4668,8 +4671,19 @@ static int
connect_local_xsocket(u_int dnr)
{
char buf[1024];
@ -39,10 +39,11 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
+ int len, ret;
+ len = snprintf(buf + 1, sizeof (buf) - 1, _PATH_UNIX_X, dnr);
+#ifdef linux
+ /* try abstract socket first */
+ buf[0] = '\0';
+ if ((ret = connect_local_xsocket_path(buf, len + 1)) >= 0)
+ return ret;
+ if (getenv("SSH_INSECURE_ABSTRACT_SOCKET_ENABLED") != NULL) {
+ buf[0] = '\0';
+ if ((ret = connect_local_xsocket_path(buf, len + 1)) >= 0)
+ return ret;
+ }
+#endif
+ if ((ret = connect_local_xsocket_path(buf + 1, len)) >= 0)
+ return ret;
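Review bot: The new opt-in at `getenv("SSH_INSECURE_ABSTRACT_SOCKET_ENABLED") != NULL` tests only that the variable exists, so an empty value or `SSH_INSECURE_ABSTRACT_SOCKET_ENABLED=0` still turns the abstract-socket attempt back on. Since this switch re-enables the behaviour the CVE fix removes, compare the value explicitly, e.g. `const char *v = getenv("SSH_INSECURE_ABSTRACT_SOCKET_ENABLED");` followed by `if (v != NULL && strcmp(v, "1") == 0) {`. The old `/* try abstract socket first */` comment is dropped without a replacement; a comment such as `/* abstract names carry no filesystem permissions, so any local user can pre-bind them; opt-in only */` would record why the default changed. When the variable is set the abstract name is still tried before the filesystem socket, so those users keep the original exposure, which deserves a line in the man page or the changelog entry. connect_local_xsocket's body continues past the end of the hunk.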


@ -858,6 +858,9 @@ getent passwd sshd >/dev/null || \
- CVE-2026-55653: Fix double free in openssh DH-GEX client path during
FIPS known-group validation that leads to client-side denial of service
Resolves: RHEL-185775
- CVE-2026-55655: Fix MITM of X11 forwarding via abstract UNIX socket
pre-binding
Resolves: RHEL-185855
* Mon Apr 13 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-29
- CVE-2026-35385: Fix privilege escalation via scp legacy protocol