From a0b1bb3280d1a517de390e879f175c4f53d636e0 Mon Sep 17 00:00:00 2001 From: Qiumiao Zhang Date: Fri, 24 Oct 2025 10:37:05 +0000 Subject: [PATCH] fix CVE-2025-61984 CVE-2025-61985 (cherry picked from commit 69d19c611a84cd9ca28e837db976896698a41bc7) --- backport-fix-CVE-2025-61984.patch | 136 ++++++++++++++++++++++++++++++ backport-fix-CVE-2025-61985.patch | 44 ++++++++++ openssh.spec | 12 ++- 3 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 backport-fix-CVE-2025-61984.patch create mode 100644 backport-fix-CVE-2025-61985.patch diff --git a/backport-fix-CVE-2025-61984.patch b/backport-fix-CVE-2025-61984.patch new file mode 100644 index 0000000..ea31029 --- /dev/null +++ b/backport-fix-CVE-2025-61984.patch @@ -0,0 +1,136 @@ +From 35d5917652106aede47621bb3f64044604164043 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 4 Sep 2025 00:29:09 +0000 +Subject: upstream: Improve rules for %-expansion of username. + +Usernames passed on the commandline will no longer be subject to +% expansion. Some tools invoke ssh with connection information +(i.e. usernames and host names) supplied from untrusted sources. +These may contain % expansion sequences which could yield +unexpected results. + +Since openssh-9.6, all usernames have been subject to validity +checking. This change tightens the validity checks by refusing +usernames that include control characters (again, these can cause +surprises when supplied adversarially). + +This change also relaxes the validity checks in one small way: +usernames supplied via the configuration file as literals (i.e. +include no % expansion characters) are not subject to these +validity checks. This allows usernames that contain arbitrary +characters to be used, but only via configuration files. This +is done on the basis that ssh's configuration is trusted. + +Pointed out by David Leadbeater, ok deraadt@ + +OpenBSD-Commit-ID: e2f0c871fbe664aba30607321575e7c7fc798362 +Conflict:Without feature "Allow %-token and environment variable +expansion in User" +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=35d5917652106aede47621bb3f64044604164043 +--- + ssh.c | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +diff --git a/ssh.c b/ssh.c +index 914ea4d..41c8460 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -635,6 +635,8 @@ valid_ruser(const char *s) + if (*s == '-') + return 0; + for (i = 0; s[i] != 0; i++) { ++ if (iscntrl((u_char)s[i])) ++ return 0; + if (strchr("'`\";&<>|(){}", s[i]) != NULL) + return 0; + /* Disallow '-' after whitespace */ +@@ -656,6 +658,7 @@ main(int ac, char **av) + struct ssh *ssh = NULL; + int i, r, opt, exit_status, use_syslog, direct, timeout_ms; + int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0; ++ int user_on_commandline = 0, user_was_default = 0; + char *p, *cp, *line, *argv0, *logfile, *host_arg; + char cname[NI_MAXHOST], thishost[NI_MAXHOST]; + struct stat st; +@@ -1006,8 +1009,10 @@ main(int ac, char **av) + } + break; + case 'l': +- if (options.user == NULL) +- options.user = optarg; ++ if (options.user == NULL) { ++ options.user = xstrdup(optarg); ++ user_on_commandline = 1; ++ } + break; + + case 'L': +@@ -1110,6 +1115,7 @@ main(int ac, char **av) + if (options.user == NULL) { + options.user = tuser; + tuser = NULL; ++ user_on_commandline = 1; + } + free(tuser); + if (options.port == -1 && tport != -1) +@@ -1124,6 +1130,7 @@ main(int ac, char **av) + if (options.user == NULL) { + options.user = p; + p = NULL; ++ user_on_commandline = 1; + } + *cp++ = '\0'; + host = xstrdup(cp); +@@ -1145,8 +1152,6 @@ main(int ac, char **av) + + if (!valid_hostname(host)) + fatal("hostname contains invalid characters"); +- if (options.user != NULL && !valid_ruser(options.user)) +- fatal("remote username contains invalid characters"); + host_arg = xstrdup(host); + + /* Initialize the command to execute on remote host. */ +@@ -1278,8 +1283,10 @@ main(int ac, char **av) + if (fill_default_options(&options) != 0) + cleanup_exit(255); + +- if (options.user == NULL) ++ if (options.user == NULL) { ++ user_was_default = 1; + options.user = xstrdup(pw->pw_name); ++ } + + /* + * If ProxyJump option specified, then construct a ProxyCommand now. +@@ -1417,14 +1424,25 @@ main(int ac, char **av) + (unsigned long long)pw->pw_uid); + cinfo->keyalias = xstrdup(options.host_key_alias ? + options.host_key_alias : host_arg); +- cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost, host, +- cinfo->portstr, options.user); + cinfo->host_arg = xstrdup(host_arg); + cinfo->remhost = xstrdup(host); +- cinfo->remuser = xstrdup(options.user); + cinfo->homedir = xstrdup(pw->pw_dir); + cinfo->locuser = xstrdup(pw->pw_name); + ++ /* ++ * Usernames specified on the commandline or expanded from the ++ * configuration file must be validated. ++ * Conversely, usernames from getpwnam(3) or specified as literals ++ * via configuration (i.e. not expanded) are not subject to validation. ++ */ ++ if ((user_on_commandline) && ++ !valid_ruser(options.user)) ++ fatal("remote username contains invalid characters"); ++ ++ /* Now User is expanded, store it and calculate hash. */ ++ cinfo->remuser = xstrdup(options.user); ++ cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost, host, ++ cinfo->portstr, options.user); + /* + * Expand tokens in arguments. NB. LocalCommand is expanded later, + * after port-forwarding is set up, so it may pick up any local +-- +2.33.0 + diff --git a/backport-fix-CVE-2025-61985.patch b/backport-fix-CVE-2025-61985.patch new file mode 100644 index 0000000..ab72191 --- /dev/null +++ b/backport-fix-CVE-2025-61985.patch @@ -0,0 +1,44 @@ +From 43b3bff47bb029f2299bacb6a36057981b39fdb0 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 4 Sep 2025 00:30:06 +0000 +Subject: upstream: don't allow \0 characters in url-encoded strings. + +Suggested by David Leadbeater, ok deraadt@ + +OpenBSD-Commit-ID: c92196cef0f970ceabc1e8007a80b01e9b7cd49c +Conflict:add check srclen +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=43b3bff47bb029f2299bacb6a36057981b39fdb0 +--- + misc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/misc.c b/misc.c +index 581b214..1907f02 100644 +--- a/misc.c ++++ b/misc.c +@@ -931,6 +931,10 @@ urldecode(const char *src) + { + char *ret, *dst; + int ch; ++ size_t srclen; ++ ++ if ((srclen = strlen(src)) >= SIZE_MAX) ++ return NULL; + + ret = xmalloc(strlen(src) + 1); + for (dst = ret; *src != '\0'; src++) { +@@ -939,9 +943,10 @@ urldecode(const char *src) + *dst++ = ' '; + break; + case '%': ++ /* note: don't allow \0 characters */ + if (!isxdigit((unsigned char)src[1]) || + !isxdigit((unsigned char)src[2]) || +- (ch = hexchar(src + 1)) == -1) { ++ (ch = hexchar(src + 1)) == -1 || ch == 0) { + free(ret); + return NULL; + } +-- +2.33.0 + diff --git a/openssh.spec b/openssh.spec index 28b32e6..e9d4fd4 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 36 +%global openssh_release 37 Name: openssh Version: 8.8p1 @@ -136,6 +136,8 @@ Patch106: backport-fix-CVE-2024-6409.patch Patch107: backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch Patch108: backport-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-during-KEX.patch Patch109: backport-upstream_CVE-2025-32728.patch +Patch110: backport-fix-CVE-2025-61984.patch +Patch111: backport-fix-CVE-2025-61985.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -322,6 +324,8 @@ popd %patch107 -p1 %patch108 -p1 %patch109 -p1 +%patch110 -p1 +%patch111 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 @@ -528,6 +532,12 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Fri Oct 24 2025 zhangbinqin - 8.8p1-37 +- Type:CVE +- CVE:CVE-2025-61984 CVE-2025-61985 +- SUG:NA +- DESC:fix CVE-2025-61984 CVE-2025-61985 + * Fri Aug 1 2025 zhangbinqin - 8.8p1-36 - Type:bugfix - CVE:NA -- Gitee