[8.3] - Add fix for CVE-2025-26465

SOURCES/openssh-7.4p1-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-dur.patch

@@ -0,0 +1,74 @@
+Backport notes:
+Drop comment on the original commit about last update.
+Adapt the patch to our version.
+
+Original commit:
+From 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Tue, 18 Feb 2025 08:02:12 +0000
+Subject: [PATCH] upstream: Don't reply to PING in preauth phase or during KEX
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217
+Backported-by: Lucas Ravagnier <[email protected]>
+---
+ packet.c | 19 +++++++++++++++++++
+ ssh2.h   |  4 ++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/packet.c b/packet.c
+index 486f85157..9dea2cfc5 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1950,6 +1950,8 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ 	u_int reason, seqnr;
+ 	int r;
+ 	u_char *msg;
++	const u_char *d;
++	size_t len;
+
+ 	for (;;) {
+ 		msg = NULL;
+@@ -2010,6 +2012,23 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ 				debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
+ 				    seqnr);
+ 				break;
++				case SSH2_MSG_PING:
++				if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
++					return r;
++				DBG(debug("Received SSH2_MSG_PING len %zu", len));
++				if (!ssh->state->after_authentication) {
++					DBG(debug("Won't reply to PING in preauth"));
++					break;
++				}
++				if (ssh_packet_is_rekeying(ssh)) {
++					DBG(debug("Won't reply to PING during KEX"));
++					break;
++				}
++				if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
++			    	(r = sshpkt_put_string(ssh, d, len)) != 0 ||
++			    	(r = sshpkt_send(ssh)) != 0)
++					return r;
++				break;
+ 			default:
+ 				return 0;
+ 			}
+diff --git a/ssh2.h b/ssh2.h
+index f2e37c9..c24eb07 100644
+--- a/ssh2.h
++++ b/ssh2.h
+@@ -107,6 +107,10 @@
+ #define SSH2_MSG_KEX_ECDH_INIT				30
+ #define SSH2_MSG_KEX_ECDH_REPLY				31
+
++/* transport layer: OpenSSH extensions */
++#define SSH2_MSG_PING					    192
++#define SSH2_MSG_PONG					    193
++
+ /* user authentication: generic */
+
+ #define SSH2_MSG_USERAUTH_REQUEST			50
+-- 
+2.47.0
+

SOURCES/openssh-7.4p1-CVE-2025-26465-Fix-cases-where-error-codes-were-not-correc.patch

@@ -0,0 +1,82 @@
+Backport notes:
+Drop comment on the original commit about last update.
+Adapt the patch to our version by adding r as return value.
+
+Original commit:
+From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Tue, 18 Feb 2025 08:02:48 +0000
+Subject: [PATCH] upstream: Fix cases where error codes were not correctly set
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+Backported-by: Lucas Ravagnier <[email protected]>
+---
+ krl.c         | 2 ++
+ sshconnect2.c | 7 +++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/krl.c b/krl.c
+index e2efdf066..0d0f69534 100644
+--- a/krl.c
++++ b/krl.c
+@@ -647,6 +647,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+ 			break;
+ 		case KRL_SECTION_CERT_SERIAL_BITMAP:
+ 			if (rs->lo - bitmap_start > INT_MAX) {
++				r = SSH_ERR_INVALID_FORMAT;
+ 				error("%s: insane bitmap gap", __func__);
+ 				goto out;
+ 			}
+@@ -947,6 +948,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
+ 		goto out;
+
+ 	if ((krl = ssh_krl_init()) == NULL) {
++		r = SSH_ERR_ALLOC_FAIL;
+ 		error("%s: alloc failed", __func__);
+ 		goto out;
+ 	}
+diff --git a/sshconnect2.c b/sshconnect2.c
+index a69c4da18..1ee6000ab 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -650,6 +650,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
+ 	u_int alen, blen;
+ 	char *pkalg, *fp;
+ 	u_char *pkblob;
++	int r = 0;
+
+ 	if (authctxt == NULL)
+ 		fatal("input_userauth_pk_ok: no authentication context");
+@@ -671,6 +672,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
+
+ 	if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
+ 		debug("unknown pkalg %s", pkalg);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((key = key_from_blob(pkblob, blen)) == NULL) {
+@@ -681,6 +683,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
+ 		error("input_userauth_pk_ok: type mismatch "
+ 		    "for decoded key (received %d, expected %d)",
+ 		    key->type, pktype);
++		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
+@@ -707,9 +710,9 @@ done:
+ 	free(pkblob);
+
+ 	/* try another method if we did not send a packet */
+-	if (sent == 0)
++	if (r == 0 && sent == 0)
+ 		userauth(authctxt, NULL);
+-	return 0;
++	return r;
+ }
+
+ #ifdef GSSAPI
+-- 
+2.47.0
+

SPECS/openssh.spec

@@ -10,7 +10,7 @@
 %endif
 
 # XCP-ng sub release number
-%define xcpng_subrel 1
+%define xcpng_subrel 2
 
 # OpenSSH privilege separation requires a user & group ID
 %define sshd_uid    74
@@ -176,6 +176,8 @@ Patch78: openssh-9.8p1-cve-2024-6387.patch
 # XCP-ng patches
 Patch1000: xcpng-harden-default-ciphers-and-algorithms.patch
 Patch1001: xcpng-disable-gssapiauth-in-sshd_config.patch
+Patch1002: openssh-7.4p1-CVE-2025-26465-Don-t-reply-to-PING-in-preauth-phase-or-dur.patch
+Patch1003: openssh-7.4p1-CVE-2025-26465-Fix-cases-where-error-codes-were-not-correc.patch
 
 License: BSD
 Group: Applications/Internet
@@ -657,6 +659,9 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Fri Mar 07 2025 Lucas Ravagnier <[email protected]> - 7.4p1-23.3.2 + 0.10.3-2.23.3.2
+- Fix CVE-2025-26465 - Fix cases where error codes were not correctly set
+
 * Mon Aug 12 2024 Samuel Verschelde <[email protected]> - 7.4p1-23.3.1 + 0.10.3-2.23.3.1
 - Sync with 7.4p1-23.3 + 0.10.3-2.23.3
 - *** Upstream changelog ***