[8.3] - Add fix for CVE-2025-26465 #7
Conversation
|
Scratch Build: https://koji.xcp-ng.org/taskinfo?taskID=77232 |
|
|
||
| /* try another method if we did not send a packet */ | ||
| - if (sent == 0) | ||
| + if (r == 0 && sent == 0) |
There was a problem hiding this comment.
This change is part of commit cecee2d607 (client: switch to sshbuf API)
There was a problem hiding this comment.
Certainly, but the goal is not to integrate the entire commit, but to integrate only the patch, in this case it was necessary to adapt it so that it works correctly in relation to our code
LucienLassalle
force-pushed
the
8.3-CVE-2025-26465
branch
2 times, most recently
from
51650a6 to
ebd3161
Compare
|
Scratch Build: https://koji.xcp-ng.org/taskinfo?taskID=78977 |
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles err codes in specific conditions when verifying the host key. For an attack to be considered successful, attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high. In the patch: - Added error codes Signed-off-by: Lucas RAVAGNIER <[email protected]>
LucienLassalle
force-pushed
the
8.3-CVE-2025-26465
branch
from
ebd3161 to
5056a0f
Compare
| + (r = sshpkt_put_string(ssh, d, len)) != 0 || | ||
| + (r = sshpkt_send(ssh)) != 0) | ||
| + return r; | ||
| + break; |
There was a problem hiding this comment.
The block for case SSH2_MSG_PING: is part of a bigger change dce6d80 (Introduce a transport-level ping facility)
I would recommend to drop this part since you're bringing only part of dce6d80.
There was a problem hiding this comment.
I understand, but this code is part of the fix for the two CVEs reported by Qualys.
Without this code, I'm afraid that CVE-2025-26466 will be exploitable (DoS on Openssh). @bleader what do you think?
There was a problem hiding this comment.
Your patch backports a small part of dce6d80 that implements transport level ping messages SSH2_MSG_PING
and SSH2_MSG_PONG.
So either you backport this entire patch (and then the CVE fix will make sense) or you drop the part of CVE that is concerned. It cannot be half way.
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server.
This issue occurs due to how OpenSSH mishandles err codes in specific conditions when verifying the host key.
For an attack to be considered successful, attacker needs to manage to exhaust the client's memory resource first,
turning the attack complexity high.
In the patch: