Add fix for CVE-2025-26465

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles err codes in specific conditions when verifying the host key. For an attack to be considered successful, attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high. In the patch: - Added error codes Signed-off-by: Lucas RAVAGNIER <[email protected]>
xcp-ng-rpms · Mar 7, 2025 · 5056a0f · 5056a0f
1 parent 6c42a6b
commit 5056a0f
Show file tree

Hide file tree

Showing 3 changed files with 162 additions and 1 deletion.
diff --git a/SOURCES/openssh-7.4p1-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-dur.patch b/SOURCES/openssh-7.4p1-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-dur.patch
@@ -0,0 +1,74 @@
+Backport notes:
+Drop comment on the original commit about last update.
+Adapt the patch to our version.
+
+Original commit:
+From 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Tue, 18 Feb 2025 08:02:12 +0000
+Subject: [PATCH] upstream: Don't reply to PING in preauth phase or during KEX
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217
+Backported-by: Lucas Ravagnier <[email protected]>
+---
+ packet.c | 19 +++++++++++++++++++
+ ssh2.h   |  4 ++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/packet.c b/packet.c
+index 486f85157..9dea2cfc5 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1950,6 +1950,8 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ 	u_int reason, seqnr;
+ 	int r;
+ 	u_char *msg;
++	const u_char *d;
++	size_t len;
+
+ 	for (;;) {
+ 		msg = NULL;
+@@ -2010,6 +2012,23 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ 				debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
+ 				    seqnr);
+ 				break;
++				case SSH2_MSG_PING:
++				if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
++					return r;
++				DBG(debug("Received SSH2_MSG_PING len %zu", len));
++				if (!ssh->state->after_authentication) {
++					DBG(debug("Won't reply to PING in preauth"));
++					break;
++				}
++				if (ssh_packet_is_rekeying(ssh)) {
++					DBG(debug("Won't reply to PING during KEX"));
++					break;
++				}
++				if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
++			    	(r = sshpkt_put_string(ssh, d, len)) != 0 ||
++			    	(r = sshpkt_send(ssh)) != 0)
++					return r;
++				break;
+ 			default:
+ 				return 0;
+ 			}
+diff --git a/ssh2.h b/ssh2.h
+index f2e37c9..c24eb07 100644
+--- a/ssh2.h
++++ b/ssh2.h
+@@ -107,6 +107,10 @@
+ #define SSH2_MSG_KEX_ECDH_INIT				30
+ #define SSH2_MSG_KEX_ECDH_REPLY				31
+
++/* transport layer: OpenSSH extensions */
++#define SSH2_MSG_PING					    192
++#define SSH2_MSG_PONG					    193
++
+ /* user authentication: generic */
+
+ #define SSH2_MSG_USERAUTH_REQUEST			50
+-- 
+2.47.0
+
diff --git a/SOURCES/openssh-7.4p1-CVE-2025-26465-Fix-cases-where-error-codes-were-not-correc.patch b/SOURCES/openssh-7.4p1-CVE-2025-26465-Fix-cases-where-error-codes-were-not-correc.patch
@@ -0,0 +1,82 @@
+Backport notes:
+Drop comment on the original commit about last update.
+Adapt the patch to our version by adding r as return value.
+
+Original commit:
+From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Tue, 18 Feb 2025 08:02:48 +0000
+Subject: [PATCH] upstream: Fix cases where error codes were not correctly set
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+Backported-by: Lucas Ravagnier <[email protected]>
+---
+ krl.c         | 2 ++
+ sshconnect2.c | 7 +++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/krl.c b/krl.c
+index e2efdf066..0d0f69534 100644
+--- a/krl.c
++++ b/krl.c
+@@ -647,6 +647,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+ 			break;
+ 		case KRL_SECTION_CERT_SERIAL_BITMAP:
+ 			if (rs->lo - bitmap_start > INT_MAX) {
++				r = SSH_ERR_INVALID_FORMAT;
+ 				error("%s: insane bitmap gap", __func__);
+ 				goto out;
+ 			}
+@@ -947,6 +948,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
+ 		goto out;
+
+ 	if ((krl = ssh_krl_init()) == NULL) {
++		r = SSH_ERR_ALLOC_FAIL;
+ 		error("%s: alloc failed", __func__);
+ 		goto out;
+ 	}
+diff --git a/sshconnect2.c b/sshconnect2.c
+index a69c4da18..1ee6000ab 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -650,6 +650,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
+ 	u_int alen, blen;
+ 	char *pkalg, *fp;
+ 	u_char *pkblob;
++	int r = 0;
+
+ 	if (authctxt == NULL)
+ 		fatal("input_userauth_pk_ok: no authentication context");
+@@ -671,6 +672,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
+
+ 	if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
+ 		debug("unknown pkalg %s", pkalg);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((key = key_from_blob(pkblob, blen)) == NULL) {
+@@ -681,6 +683,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
+ 		error("input_userauth_pk_ok: type mismatch "
+ 		    "for decoded key (received %d, expected %d)",
+ 		    key->type, pktype);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
+@@ -707,9 +710,9 @@ done:
+ 	free(pkblob);
+
+ 	/* try another method if we did not send a packet */
+-	if (sent == 0)
++	if (r == 0 && sent == 0)
+ 		userauth(authctxt, NULL);
+-	return 0;
++	return r;
+ }
+
+ #ifdef GSSAPI
+-- 
+2.47.0
+
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
@@ -10,7 +10,7 @@
 %endif
 
 # XCP-ng sub release number
-%define xcpng_subrel 1
+%define xcpng_subrel 2
 
 # OpenSSH privilege separation requires a user & group ID
 %define sshd_uid    74
@@ -176,6 +176,8 @@ Patch78: openssh-9.8p1-cve-2024-6387.patch
 # XCP-ng patches
 Patch1000: xcpng-harden-default-ciphers-and-algorithms.patch
 Patch1001: xcpng-disable-gssapiauth-in-sshd_config.patch
+Patch1002: openssh-7.4p1-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-dur.patch
+Patch1003: openssh-7.4p1-CVE-2025-26465-Fix-cases-where-error-codes-were-not-correc.patch
 
 License: BSD
 Group: Applications/Internet
@@ -657,6 +659,9 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Fri Mar 07 2025 Lucas Ravagnier <[email protected]> - 7.4p1-23.3.2 + 0.10.3-2.23.3.2
+- Fix CVE-2025-26465 - Fix cases where error codes were not correctly set
+
 * Mon Aug 12 2024 Samuel Verschelde <[email protected]> - 7.4p1-23.3.1 + 0.10.3-2.23.3.1
 - Sync with 7.4p1-23.3 + 0.10.3-2.23.3
 - *** Upstream changelog ***