Solar Designer authored
- Fix CVE-2025-26465 and minor bugs found by Qualys and Rocky Linux while searching the source code for similar error patterns
openssh-8.7p1-qualys-rocky-retval.patch 3.65 KiB
diff -urp openssh-8.7p1-43.el9-tree.orig/krl.c openssh-8.7p1-43.el9-tree.qualys-retval/krl.c
--- openssh-8.7p1-43.el9-tree.orig/krl.c 2025-02-14 00:31:18.634510910 +0000
+++ openssh-8.7p1-43.el9-tree.qualys-retval/krl.c 2025-02-21 02:48:23.080972135 +0000
@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_ce
break;
case KRL_SECTION_CERT_SERIAL_BITMAP:
if (rs->lo - bitmap_start > INT_MAX) {
+ r = SSH_ERR_INVALID_FORMAT;
error_f("insane bitmap gap");
goto out;
}
@@ -1008,6 +1009,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
goto out;
if ((krl = ssh_krl_init()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
error_f("alloc failed");
goto out;
}
diff -urp openssh-8.7p1-43.el9-tree.orig/ssh-agent.c openssh-8.7p1-43.el9-tree.qualys-retval/ssh-agent.c
--- openssh-8.7p1-43.el9-tree.orig/ssh-agent.c 2025-02-14 00:31:18.653510894 +0000
+++ openssh-8.7p1-43.el9-tree.qualys-retval/ssh-agent.c 2025-02-21 04:01:32.677160367 +0000
@@ -700,6 +700,8 @@ process_add_identity(SocketEntry *e)
if ((r = sshkey_private_deserialize(e->request, &k)) != 0 ||
k == NULL ||
(r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
+ if (!r) /* k == NULL */
+ r = SSH_ERR_INTERNAL_ERROR;
error_fr(r, "parse");
goto out;
}
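Review bot: The added `if (!r)` tests an error code as if it were a boolean, while the condition directly above it compares with `!= 0`; `if (r == 0)` would match the surrounding style. The trailing `/* k == NULL */` is also terse. This branch is reached with `r == 0` only when sshkey_private_deserialize() reported success without producing a key, because the `||` chain stops before sshbuf_get_cstring() runs. A comment such as `/* deserialize returned 0 but produced no key */` would say that directly. process_add_identity continues outside the hunk.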
diff -urp openssh-8.7p1-43.el9-tree.orig/sshconnect2.c openssh-8.7p1-43.el9-tree.qualys-retval/sshconnect2.c
--- openssh-8.7p1-43.el9-tree.orig/sshconnect2.c 2025-02-14 00:31:18.743510817 +0000
+++ openssh-8.7p1-43.el9-tree.qualys-retval/sshconnect2.c 2025-02-21 02:48:30.464965775 +0000
@@ -102,7 +102,7 @@ verify_host_key_callback(struct sshkey *
options.required_rsa_size)) != 0)
fatal_r(r, "Bad server host key");
if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
- xxx_conn_info) == -1)
+ xxx_conn_info) != 0)
fatal("Host key verification failed.");
return 0;
}
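Review bot: Nothing at the `verify_host_key(...) != 0` check records why the old `== -1` comparison was unsafe, so a later cleanup could narrow it again without noticing. I would add a comment above the call, for example `/* verify_host_key() can return any nonzero error code, not only -1; accept the key only on 0 */`. The check is now fail-closed, but it still relies on verify_host_key() never reaching its exit path with 0 after an internal error. That function is not touched by this patch and is worth auditing alongside it. verify_host_key_callback begins outside the hunk.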
@@ -811,6 +811,7 @@ input_userauth_pk_ok(int type, u_int32_t
if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
debug_f("server sent unknown pkalg %s", pkalg);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
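Review bot: The unknown-pkalg branch now sets `r = SSH_ERR_INVALID_FORMAT` but still logs only through `debug_f`, so at the default log level this failure would carry no message from this function. The two later branches patched in the same function (`type mismatch` and `server replied with unknown key`) log through `error` and `error_f`. For consistency I would use `error_f("server sent unknown pkalg %s", pkalg);` here. The `done:` label and the caller's handling of a nonzero return are outside the hunk, so it should be confirmed there whether this turns a previously tolerated server reply into a hard failure.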
@@ -821,6 +822,7 @@ input_userauth_pk_ok(int type, u_int32_t
error("input_userauth_pk_ok: type mismatch "
"for decoded key (received %d, expected %d)",
key->type, pktype);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
@@ -840,6 +842,7 @@ input_userauth_pk_ok(int type, u_int32_t
SSH_FP_DEFAULT);
error_f("server replied with unknown key: %s %s",
sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+ r = SSH_ERR_INVALID_FORMAT;
goto done;
}
ident = format_identity(id);
diff -urp openssh-8.7p1-43.el9-tree.orig/sshsig.c openssh-8.7p1-43.el9-tree.qualys-retval/sshsig.c
--- openssh-8.7p1-43.el9-tree.orig/sshsig.c 2025-02-14 00:31:18.658510889 +0000
+++ openssh-8.7p1-43.el9-tree.qualys-retval/sshsig.c 2025-02-21 02:48:30.465965774 +0000
@@ -971,6 +971,7 @@ cert_filter_principals(const char *path,
}
if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
error_f("buffer error");
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* success */
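Review bot: `SSH_ERR_ALLOC_FAIL` may mislabel this failure, since as far as I know sshbuf_dup_string() can also return NULL for reasons other than a failed allocation, such as a NUL byte in the middle of the buffer. The existing message says only "buffer error", which does not help tell the cases apart. Returning any error is better than the previous success, but a short comment such as `/* NULL may also mean an embedded NUL; reported as allocation failure */` would keep the code honest for whoever reads the return value later. cert_filter_principals starts and ends outside the hunk.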
diff -urp openssh-8.7p1-43.el9-tree.orig/ssh-sk-client.c openssh-8.7p1-43.el9-tree.qualys-retval/ssh-sk-client.c
--- openssh-8.7p1-43.el9-tree.orig/ssh-sk-client.c 2021-08-20 04:03:49.000000000 +0000
+++ openssh-8.7p1-43.el9-tree.qualys-retval/ssh-sk-client.c 2025-02-21 02:48:30.462965777 +0000
@@ -419,6 +419,7 @@ sshsk_load_resident(const char *provider
if ((tmp = recallocarray(keys, nkeys, nkeys + 1,
sizeof(*keys))) == NULL) {
error_f("recallocarray keys failed");
+ r = SSH_ERR_ALLOC_FAIL;
goto out;
}
debug_f("keys[%zu]: %s %s", nkeys, sshkey_type(key),