diff --git a/SOURCES/openssh-7.4p1-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-dur.patch b/SOURCES/openssh-7.4p1-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-dur.patch
new file mode 100644
index 0000000..0e257bd
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-dur.patch
@@ -0,0 +1,74 @@
+Backport notes:
+Drop comment on the original commit about last update.
+Adapt the patch to our version.
+
+Original commit:
+From 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Tue, 18 Feb 2025 08:02:12 +0000
+Subject: [PATCH] upstream: Don't reply to PING in preauth phase or during KEX
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217
+Backported-by: Lucas Ravagnier
+---
+ packet.c | 19 +++++++++++++++++++
+ ssh2.h | 4 ++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/packet.c b/packet.c
+index 486f85157..9dea2cfc5 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1950,6 +1950,8 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ u_int reason, seqnr;
+ int r;
+ u_char *msg;
++ const u_char *d;
++ size_t len;
+ 
+ for (;;) {
+ msg = NULL;
+@@ -2010,6 +2012,23 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
+ seqnr);
+ break;
++ case SSH2_MSG_PING:
++ if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
++ return r;
++ DBG(debug("Received SSH2_MSG_PING len %zu", len));
++ if (!ssh->state->after_authentication) {
++ DBG(debug("Won't reply to PING in preauth"));
++ break;
++ }
++ if (ssh_packet_is_rekeying(ssh)) {
++ DBG(debug("Won't reply to PING during KEX"));
++ break;
++ }
++ if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
++ (r = sshpkt_put_string(ssh, d, len)) != 0 ||
++ (r = sshpkt_send(ssh)) != 0)
++ return r;
++ break;
+ default:
+ return 0;
+ }
+diff --git a/ssh2.h b/ssh2.h
+index f2e37c9..c24eb07 100644
+--- a/ssh2.h
++++ b/ssh2.h
+@@ -107,6 +107,10 @@
+ #define SSH2_MSG_KEX_ECDH_INIT 30
+ #define SSH2_MSG_KEX_ECDH_REPLY 31
+ 
++/* transport layer: OpenSSH extensions */
++#define SSH2_MSG_PING 192
++#define SSH2_MSG_PONG 193
++
+ /* user authentication: generic */
+ 
+ #define SSH2_MSG_USERAUTH_REQUEST 50
+--
+2.47.0
+
diff --git a/SOURCES/openssh-7.4p1-CVE-2025-26465-Fix-cases-where-error-codes-were-not-correc.patch b/SOURCES/openssh-7.4p1-CVE-2025-26465-Fix-cases-where-error-codes-were-not-correc.patch
new file mode 100644
index 0000000..29f5d73
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-CVE-2025-26465-Fix-cases-where-error-codes-were-not-correc.patch
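Review bot: The `ssh2.h` hunk introduces `SSH2_MSG_PING`/`SSH2_MSG_PONG` as brand-new definitions and the `packet.c` context shows no earlier handling of type 192 beyond `default: return 0;`, so on this 7.4p1 tree the new `case SSH2_MSG_PING:` appears to add a PONG responder (after authentication, outside rekeying) rather than restrict an existing one; the upstream change only matters on versions that already answered PING, so either confirm this tree processed PING before the patch or consider that the minimal hardening here is to leave type 192 on the existing unimplemented-message path. The new branch also depends on `ssh->state->after_authentication` being set when userauth completes, which is outside the hunk — verify that this tree's `ssh_packet_set_authenticated()` does so. Separately, the two backported commits look like fixes for different reports (the spec `%changelog` attributes CVE-2025-26465 only to the error-code fix), so the patch filename and changelog should name the issue this PING hardening actually addresses. `ssh_packet_read_poll_seqnr` starts and ends outside the hunk.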
@@ -0,0 +1,82 @@
+Backport notes:
+Drop comment on the original commit about last update.
+Adapt the patch to our version by adding r as return value.
+
+Original commit:
+From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Tue, 18 Feb 2025 08:02:48 +0000
+Subject: [PATCH] upstream: Fix cases where error codes were not correctly set
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+Backported-by: Lucas Ravagnier
+---
+ krl.c | 2 ++
+ sshconnect2.c | 7 +++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/krl.c b/krl.c
+index e2efdf066..0d0f69534 100644
+--- a/krl.c
++++ b/krl.c
+@@ -647,6 +647,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+ break;
+ case KRL_SECTION_CERT_SERIAL_BITMAP:
+ if (rs->lo - bitmap_start > INT_MAX) {
++ r = SSH_ERR_INVALID_FORMAT;
+ error("%s: insane bitmap gap", __func__);
+ goto out;
+ }
+@@ -947,6 +948,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
+ goto out;
+ 
+ if ((krl = ssh_krl_init()) == NULL) {
++ r = SSH_ERR_ALLOC_FAIL;
+ error("%s: alloc failed", __func__);
+ goto out;
+ }
+diff --git a/sshconnect2.c b/sshconnect2.c
+index a69c4da18..1ee6000ab 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -650,6 +650,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
+ u_int alen, blen;
+ char *pkalg, *fp;
+ u_char *pkblob;
++ int r = 0;
+ 
+ if (authctxt == NULL)
+ fatal("input_userauth_pk_ok: no authentication context");
+@@ -671,6 +672,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
+ 
+ if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
+ debug("unknown pkalg %s", pkalg);
++ r = SSH_ERR_INVALID_FORMAT;
+ goto done;
+ }
+ if ((key = key_from_blob(pkblob, blen)) == NULL) {
+@@ -681,6 +683,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
+ error("input_userauth_pk_ok: type mismatch "
+ "for decoded key (received %d, expected %d)",
+ key->type, pktype);
++ r = SSH_ERR_INVALID_FORMAT;
+ goto done;
+ }
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
+@@ -707,9 +710,9 @@ done:
+ free(pkblob);
+ 
+ /* try another method if we did not send a packet */
+- if (sent == 0)
++ if (r == 0 && sent == 0)
+ userauth(authctxt, NULL);
+- return 0;
++ return r;
+ }
+ 
+ #ifdef GSSAPI
+--
+2.47.0
+
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index abffaa2..4c57bc3 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -10,7 +10,7 @@ %endif # XCP-ng sub release number -%define xcpng_subrel 1 +%define xcpng_subrel 2 # OpenSSH privilege separation requires a user & group ID %define sshd_uid 74
@@ -176,6 +176,8 @@ Patch78: openssh-9.8p1-cve-2024-6387.patch # XCP-ng patches Patch1000: xcpng-harden-default-ciphers-and-algorithms.patch Patch1001: xcpng-disable-gssapiauth-in-sshd_config.patch +Patch1002: openssh-7.4p1-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-dur.patch +Patch1003: openssh-7.4p1-CVE-2025-26465-Fix-cases-where-error-codes-were-not-correc.patch License: BSD Group: Applications/Internet
@@ -657,6 +659,9 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Fri Mar 07 2025 Lucas Ravagnier - 7.4p1-23.3.2 + 0.10.3-2.23.3.2 +- Fix CVE-2025-26465 - Fix cases where error codes were not correctly set + * Tue Nov 12 2024 Thierry Escande - 7.4p1-23.3.1 + 0.10.3-2.1 - Update to 7.4p1-23.3 + 0.10.3-2 - *** Upstream changelog ***
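Review bot: The `if ((key = key_from_blob(pkblob, blen)) == NULL) {` branch that closes the `@@ -671,6 +672,7 @@` hunk is the one malformed-PK_OK path this patch leaves untouched: its body falls between the hunks, and since this tree's `key_from_blob()` yields NULL rather than an error code, that path presumably still reaches `done:` with `r == 0` and falls back to `userauth(authctxt, NULL)` while the neighbouring unknown-pkalg and type-mismatch branches now return `SSH_ERR_INVALID_FORMAT`. Add `r = SSH_ERR_INVALID_FORMAT;` before that branch's `goto done;` so an undecodable key blob from the server is rejected the same way instead of being treated as a soft failure. In `revoked_certs_generate` and `ssh_krl_from_blob` the new assignments only take effect if `r` is the value returned at the `out:` label, which lies outside both krl.c hunks; verify that in this tree. `input_userauth_pk_ok` and both krl.c functions start and end outside their hunks.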