From 26e64529da721fefdba7ed0d648b3f4da2d65e2a Mon Sep 17 00:00:00 2001
From: sa-buc
Date: Wed, 20 Aug 2025 13:18:46 +0800
Subject: [PATCH] add patch to fix cve
---
 bugfix-for-cve-2024-39894.patch | 32 ++++++++++++++++++++++++++++++++
 bugfix-for-cve-2025-26466.patch | 33 +++++++++++++++++++++++++++++++++
 openssh.spec | 15 ++++++++++++++-
 3 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 bugfix-for-cve-2024-39894.patch
 create mode 100644 bugfix-for-cve-2025-26466.patch
diff --git a/bugfix-for-cve-2024-39894.patch b/bugfix-for-cve-2024-39894.patch
new file mode 100644
index 0000000..1f0203e
--- /dev/null
+++ b/bugfix-for-cve-2024-39894.patch
@@ -0,0 +1,32 @@
+From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Mon, 1 Jul 2024 04:31:17 +0000
+Subject: upstream: when sending ObscureKeystrokeTiming chaff packets, we
+
+can't rely on channel_did_enqueue to tell that there is data to send. This
+flag indicates that the channels code enqueued a packet on _this_ ppoll()
+iteration, not that data was enqueued in _any_ ppoll() iteration in the
+timeslice. ok markus@
+
+OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
+---
+ clientloop.c | 5 ++++---
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index 0b6f3c9b..8ed8b1c3 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
+ if (timespeccmp(&now, &chaff_until, >=)) {
+ /* Stop if there have been no keystrokes for a while */
+ stop_reason = "chaff time expired";
+- } else if (timespeccmp(&now, &next_interval, >=)) {
+- /* Otherwise if we were due to send, then send chaff */
++ } else if (timespeccmp(&now, &next_interval, >=) &&
++ !ssh_packet_have_data_to_write(ssh)) {
++ /* If due to send but have no data, then send chaff */
+ if (send_chaff(ssh))
+ nchaff++;
+ }
diff --git a/bugfix-for-cve-2025-26466.patch b/bugfix-for-cve-2025-26466.patch
new file mode 100644
index 0000000..0d6ce96
--- /dev/null
+++ b/bugfix-for-cve-2025-26466.patch
@@ -0,0 +1,33 @@
+From 927e2b9e1c2d083f08addfc2313594b425308367 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Tue, 18 Feb 2025 08:02:12 +0000
+Subject: [PATCH] upstream: Don't reply to PING in preauth phase or during KEX
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217
+---
+ packet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/packet.c b/packet.c
+index 00ec509..5da9239 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1812,6 +1812,14 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
+ return r;
+ DBG(debug("Received SSH2_MSG_PING len %zu", len));
++ if (!ssh->state->after_authentication) {
++ DBG(debug("Won't reply to PING in preauth"));
++ break;
++ }
++ if (ssh_packet_is_rekeying(ssh)) {
++ DBG(debug("Won't reply to PING during KEX"));
++ break;
++ }
+ if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
+ (r = sshpkt_put_string(ssh, d, len)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+-- 
+2.47.3
diff --git a/openssh.spec b/openssh.spec
index aaf6f07..4b524dc 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %global WITH_SELINUX 1
@@ -231,6 +231,14 @@ Patch1019: bugfix-for-cve-2025-26465.patch
 # https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
 Patch1020: bugfix-for-cve-2024-6387.patch
+# CVE-2024-39894
+# https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f
+Patch1021: bugfix-for-cve-2024-39894.patch
+
+# CVE-2025-26466
+# https://github.com/openssh/openssh-portable/commit/6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2
+Patch1022: bugfix-for-cve-2025-26466.patch
+
 # https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -449,6 +457,8 @@ popd
 %patch -P 1018 -p1
 %patch -P 1019 -p1
 %patch -P 1020 -p1
+%patch -P 1021 -p1
+%patch -P 1022 -p1
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -757,6 +767,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Tue Sep 2 2025 zjl02254423 - 9.6p1-3
+- add patch to fix CVE-2024-39894,CVE-2025-26466
+
 * Tue Aug 19 2025 zjl02254423 - 9.6p1-2
 - add patch to fix CVE-2024-6387
-- Gitee
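Review bot: The provenance comment added for Patch1021 in the `@@ -231` hunk points at a linux-pam commit (`https://github.com/linux-pam/linux-pam/commit/23393bef…`), but bugfix-for-cve-2024-39894.patch is an OpenSSH change to clientloop.c and carries its own upstream identifiers (`OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136`, and `146c420d29d055cc75c8606327a1cf8439fe3a08` in its From line), so the spec comment should cite those instead, e.g. `# https://github.com/openssh/openssh-portable/commit/146c420d29d055cc75c8606327a1cf8439fe3a08` if that From hash is the portable commit the patch was exported from. The Patch1022 comment hash (6ce00f0c…) also differs from the From line of its patch (927e2b9e…); that may simply be a rebased cherry-pick, but the two should be reconciled so the source of each CVE fix is auditable from the spec alone. In the changelog hunk, `- add patch to fix CVE-2024-39894, CVE-2025-26466` (space after the comma) would match the wording of the previous entry.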