From 23eab0eecf4c61514c50324bd478050dca63ad50 Mon Sep 17 00:00:00 2001
From: Solar Designer <solar@openwall.com>
Date: Fri, 21 Feb 2025 05:20:31 +0100
Subject: [PATCH] 8.7p1-43.el9_5.security.0.11 - Fix CVE-2025-26465 and minor bugs found by Qualys and Rocky Linux while searching the source code for similar error patterns
---
 .../openssh-8.7p1-qualys-rocky-retval.patch | 89 +++++++++++++++++++
 ...8.7p1-rocky-krb5-ssh_asprintf_append.patch | 20 +++++
 SPECS/openssh.spec | 10 ++-
 3 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/openssh-8.7p1-qualys-rocky-retval.patch
 create mode 100644 SOURCES/openssh-8.7p1-rocky-krb5-ssh_asprintf_append.patch
diff --git a/SOURCES/openssh-8.7p1-qualys-rocky-retval.patch b/SOURCES/openssh-8.7p1-qualys-rocky-retval.patch
new file mode 100644
index 0000000..12b0da0
--- /dev/null
+++ b/SOURCES/openssh-8.7p1-qualys-rocky-retval.patch
@@ -0,0 +1,89 @@
+diff -urp openssh-8.7p1-43.el9-tree.orig/krl.c openssh-8.7p1-43.el9-tree.qualys-retval/krl.c
+--- openssh-8.7p1-43.el9-tree.orig/krl.c 2025-02-14 00:31:18.634510910 +0000
++++ openssh-8.7p1-43.el9-tree.qualys-retval/krl.c 2025-02-21 02:48:23.080972135 +0000
+@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_ce
+ break;
+ case KRL_SECTION_CERT_SERIAL_BITMAP:
+ if (rs->lo - bitmap_start > INT_MAX) {
++ r = SSH_ERR_INVALID_FORMAT;
+ error_f("insane bitmap gap");
+ goto out;
+ }
+@@ -1008,6 +1009,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
+ goto out;
+ 
+ if ((krl = ssh_krl_init()) == NULL) {
++ r = SSH_ERR_ALLOC_FAIL;
+ error_f("alloc failed");
+ goto out;
+ }
+diff -urp openssh-8.7p1-43.el9-tree.orig/ssh-agent.c openssh-8.7p1-43.el9-tree.qualys-retval/ssh-agent.c
+--- openssh-8.7p1-43.el9-tree.orig/ssh-agent.c 2025-02-14 00:31:18.653510894 +0000
++++ openssh-8.7p1-43.el9-tree.qualys-retval/ssh-agent.c 2025-02-21 04:01:32.677160367 +0000
+@@ -700,6 +700,8 @@ process_add_identity(SocketEntry *e)
+ if ((r = sshkey_private_deserialize(e->request, &k)) != 0 ||
+ k == NULL ||
+ (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
++ if (!r) /* k == NULL */
++ r = SSH_ERR_INTERNAL_ERROR;
+ error_fr(r, "parse");
+ goto out;
+ }
+diff -urp openssh-8.7p1-43.el9-tree.orig/sshconnect2.c openssh-8.7p1-43.el9-tree.qualys-retval/sshconnect2.c
+--- openssh-8.7p1-43.el9-tree.orig/sshconnect2.c 2025-02-14 00:31:18.743510817 +0000
++++ openssh-8.7p1-43.el9-tree.qualys-retval/sshconnect2.c 2025-02-21 02:48:30.464965775 +0000
+@@ -102,7 +102,7 @@ verify_host_key_callback(struct sshkey *
+ options.required_rsa_size)) != 0)
+ fatal_r(r, "Bad server host key");
+ if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+- xxx_conn_info) == -1)
++ xxx_conn_info) != 0)
+ fatal("Host key verification failed.");
+ return 0;
+ }
+@@ -811,6 +811,7 @@ input_userauth_pk_ok(int type, u_int32_t
+ 
+ if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
+ debug_f("server sent unknown pkalg %s", pkalg);
++ r = SSH_ERR_INVALID_FORMAT;
+ goto done;
+ }
+ if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+@@ -821,6 +822,7 @@ input_userauth_pk_ok(int type, u_int32_t
+ error("input_userauth_pk_ok: type mismatch "
+ "for decoded key (received %d, expected %d)",
+ key->type, pktype);
++ r = SSH_ERR_INVALID_FORMAT;
+ goto done;
+ }
+ 
+@@ -840,6 +842,7 @@ input_userauth_pk_ok(int type, u_int32_t
+ SSH_FP_DEFAULT);
+ error_f("server replied with unknown key: %s %s",
+ sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
++ r = SSH_ERR_INVALID_FORMAT;
+ goto done;
+ }
+ ident = format_identity(id);
+diff -urp openssh-8.7p1-43.el9-tree.orig/sshsig.c openssh-8.7p1-43.el9-tree.qualys-retval/sshsig.c
+--- openssh-8.7p1-43.el9-tree.orig/sshsig.c 2025-02-14 00:31:18.658510889 +0000
++++ openssh-8.7p1-43.el9-tree.qualys-retval/sshsig.c 2025-02-21 02:48:30.465965774 +0000
+@@ -971,6 +971,7 @@ cert_filter_principals(const char *path,
+ }
+ if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+ error_f("buffer error");
++ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ /* success */
+diff -urp openssh-8.7p1-43.el9-tree.orig/ssh-sk-client.c openssh-8.7p1-43.el9-tree.qualys-retval/ssh-sk-client.c
+--- openssh-8.7p1-43.el9-tree.orig/ssh-sk-client.c 2021-08-20 04:03:49.000000000 +0000
++++ openssh-8.7p1-43.el9-tree.qualys-retval/ssh-sk-client.c 2025-02-21 02:48:30.462965777 +0000
+@@ -419,6 +419,7 @@ sshsk_load_resident(const char *provider
+ if ((tmp = recallocarray(keys, nkeys, nkeys + 1,
+ sizeof(*keys))) == NULL) {
+ error_f("recallocarray keys failed");
++ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ debug_f("keys[%zu]: %s %s", nkeys, sshkey_type(key),
diff --git a/SOURCES/openssh-8.7p1-rocky-krb5-ssh_asprintf_append.patch b/SOURCES/openssh-8.7p1-rocky-krb5-ssh_asprintf_append.patch
new file mode 100644
index 0000000..8e079ad
--- /dev/null
+++ b/SOURCES/openssh-8.7p1-rocky-krb5-ssh_asprintf_append.patch
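Review bot: The `!= 0` check in the sshconnect2.c verify_host_key_callback hunk only closes the gap on the caller side; verify_host_key itself (sshconnect.c, not touched by this patch) must still return non-zero on every failure path, so any `goto out` there that leaves `r` at 0 would still be accepted as a verified host key. It is worth auditing that function's error exits in the 8.7p1 tree against the upstream CVE-2025-26465 fix before shipping, and pinning the contract at the call site with `/* any non-zero return is a verification failure (CVE-2025-26465) */`. Separately, the three `r = SSH_ERR_INVALID_FORMAT;` lines in input_userauth_pk_ok turn what used to be a silent jump to `done:` into a non-zero handler result; if `done:` (outside the hunk) hands `r` back to the dispatch loop, a malformed PK_OK reply now ends the session instead of moving on to the next method, which looks intended but should be confirmed against the upstream change. All of the enclosing functions start and end outside their hunks.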
@@ -0,0 +1,20 @@
+diff -urp openssh-8.7p1-43.el9-tree.orig/auth-krb5.c openssh-8.7p1-43.el9-tree.krb5-ssh_asprintf_append/auth-krb5.c
+--- openssh-8.7p1-43.el9-tree.orig/auth-krb5.c 2025-02-14 00:31:18.629510914 +0000
++++ openssh-8.7p1-43.el9-tree.krb5-ssh_asprintf_append/auth-krb5.c 2025-02-21 03:37:13.106465704 +0000
+@@ -309,13 +309,14 @@ ssh_asprintf_append(char **dsc, const ch
+ i = vasprintf(&src, fmt, ap);
+ va_end(ap);
+ 
+- if (i == -1 || src == NULL)
++ if (i == -1)
+ return -1;
+ 
+ old = *dsc;
+ 
+ i = asprintf(dsc, "%s%s", *dsc, src);
+- if (i == -1 || src == NULL) {
++ if (i == -1) {
++ *dsc = old;
+ free(src);
+ return -1;
+ }
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index cf71d52..e3ae39b 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -50,7 +50,7 @@
 %global openssh_rel 43
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
-%global security_rel 0.10
+%global security_rel 0.11
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -297,6 +297,8 @@ Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch
 Patch9000: openssh-8.7p1-rocky-systemd.patch
 Patch9001: openssh-8.7p1-rocky-no-gssapi.patch
+Patch9002: openssh-8.7p1-qualys-rocky-retval.patch
+Patch9003: openssh-8.7p1-rocky-krb5-ssh_asprintf_append.patch
 License: BSD
 Requires: /sbin/nologin
@@ -529,6 +531,8 @@ popd
 %if ! %{kerberos5}
 %patch9001 -p1 -b .rocky-no-gssapi
 %endif
+%patch9002 -p1 -b .qualys-rocky-retval
+%patch9003 -p1 -b .rocky-krb5-ssh_asprintf_append
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -816,6 +820,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Fri Feb 21 2025 Solar Designer <solar@openwall.com> 8.7p1-43.el9_5.security.0.11
+- Fix CVE-2025-26465 and minor bugs found by Qualys and Rocky Linux while
+ searching the source code for similar error patterns
+
 * Thu Nov 21 2024 Solar Designer <solar@openwall.com> 8.7p1-43.el9_5.security.0.10
 - Rebase on 8.7p1-43
--
GitLab
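Review bot: The new `*dsc = old;` in the ssh_asprintf_append hunk deserves a why-comment, because asprintf(3) leaves `*dsc` undefined after a failure and a reader may otherwise take the assignment for a no-op; suggest `*dsc = old; /* asprintf(3) leaves *dsc undefined on failure; hand the caller's buffer back intact */`. Dropping the two `src == NULL` tests is consistent with `-1` being the only failure signal from vasprintf/asprintf, but the unchanged `asprintf(dsc, "%s%s", *dsc, src)` still formats `*dsc` through `%s`, so a non-NULL `*dsc` on entry remains a precondition that callers (not visible here) must keep satisfying. The function begins and ends outside the hunk.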