openssh: fix CVE-2025-26465

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high. (From OE-Core rev: 60b5df194a5bea491489fdae2f32e33ffd21c9c7) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2025-03-05 16:14:39 +0000
committer: Steve Sakoman <steve@sakoman.com> 2025-03-15 06:40:07 -0700
commit: 3d975e8f01375976ba43c56a8dd7bdb7358c0553 (patch)
tree: 59f6da1b65b35834676b21dddcce05d01dee66cb
parent: 83fda1bb2e132569b08b0028e5624bfaaa9a2a43 (diff)
download: poky-3d975e8f01375976ba43c56a8dd7bdb7358c0553.tar.gz
2 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch
new file mode 100644
index 0000000000..0a3cf1496b
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch
@@ -0,0 +1,169 @@
+From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 18 Feb 2025 08:02:48 +0000
+Subject: [PATCH] upstream: Fix cases where error codes were not correctly set
+Reported by the Qualys Security Advisory team. ok markus@
+OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+CVE: CVE-2025-26465
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0832aac79517611dd4de93ad0a83577994d9c907]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ krl.c           | 4 +++-
+ ssh-agent.c     | 5 +++++
+ ssh-sk-client.c | 4 +++-
+ sshconnect2.c   | 5 ++++-
+ sshsig.c        | 1 +
+ 5 files changed, 16 insertions(+), 3 deletions(-)
+diff --git a/krl.c b/krl.c
+index e2efdf0..0d0f695 100644
+--- a/krl.c
+++ b/krl.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: krl.c,v 1.59 2023/07/17 05:22:30 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.60 2025/02/18 08:02:48 djm Exp $ */
+ /*
+  * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
+  *
+@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+                        break;
+                case KRL_SECTION_CERT_SERIAL_BITMAP:
+                        if (rs->lo - bitmap_start > INT_MAX) {
+                               r = SSH_ERR_INVALID_FORMAT;
+                                error_f("insane bitmap gap");
+                                goto out;
+                        }
+@@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp)
+        }
+        if ((krl = ssh_krl_init()) == NULL) {
+               r = SSH_ERR_ALLOC_FAIL;
+                error_f("alloc failed");
+                goto out;
+        }
+diff --git a/ssh-agent.c b/ssh-agent.c
+index b6a3f48..2d2c6fc 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1204,6 +1204,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+            "restrict-destination-v00@openssh.com") == 0) {
+                if (*dcsp != NULL) {
+                        error_f("%s already set", ext_name);
+                       r = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                if ((r = sshbuf_froms(m, &b)) != 0) {
+@@ -1213,6 +1214,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+                while (sshbuf_len(b) != 0) {
+                        if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) {
+                                error_f("too many %s constraints", ext_name);
+                               r = SSH_ERR_INVALID_FORMAT;
+                                goto out;
+                        }
+                        *dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1,
+@@ -1230,6 +1232,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+                }
+                if (*certs != NULL) {
+                        error_f("%s already set", ext_name);
+                       r = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                if ((r = sshbuf_get_u8(m, &v)) != 0 ||
+@@ -1241,6 +1244,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+                while (sshbuf_len(b) != 0) {
+                        if (*ncerts >= AGENT_MAX_EXT_CERTS) {
+                                error_f("too many %s constraints", ext_name);
+                               r = SSH_ERR_INVALID_FORMAT;
+                                goto out;
+                        }
+                        *certs = xrecallocarray(*certs, *ncerts, *ncerts + 1,
+@@ -1737,6 +1741,7 @@ process_ext_session_bind(SocketEntry *e)
+        /* record new key/sid */
+        if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
+                error_f("too many session IDs recorded");
+               r = -1;
+                goto out;
+        }
+        e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
+diff --git a/ssh-sk-client.c b/ssh-sk-client.c
+index 321fe53..06fad22 100644
+--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-sk-client.c,v 1.12 2022/01/14 03:34:00 djm Exp $ */
+/* $OpenBSD: ssh-sk-client.c,v 1.13 2025/02/18 08:02:48 djm Exp $ */
+ /*
+  * Copyright (c) 2019 Google LLC
+  *
+@@ -439,6 +439,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+                }
+                if ((srk = calloc(1, sizeof(*srk))) == NULL) {
+                        error_f("calloc failed");
+                       r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                srk->key = key;
+@@ -450,6 +451,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+                if ((tmp = recallocarray(srks, nsrks, nsrks + 1,
+                    sizeof(*srks))) == NULL) {
+                        error_f("recallocarray keys failed");
+                       r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                debug_f("srks[%zu]: %s %s uidlen %zu", nsrks,
+diff --git a/sshconnect2.c b/sshconnect2.c
+index fab1e36..a5f92f0 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -101,7 +101,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+            options.required_rsa_size)) != 0)
+                fatal_r(r, "Bad server host key");
+        if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+-           xxx_conn_info) == -1)
+           xxx_conn_info) != 0)
+                fatal("Host key verification failed.");
+        return 0;
+ }
+@@ -709,6 +709,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+        if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
+                debug_f("server sent unknown pkalg %s", pkalg);
+               r = SSH_ERR_INVALID_FORMAT;
+                goto done;
+        }
+        if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+@@ -719,6 +720,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+                error("input_userauth_pk_ok: type mismatch "
+                    "for decoded key (received %d, expected %d)",
+                    key->type, pktype);
+               r = SSH_ERR_INVALID_FORMAT;
+                goto done;
+        }
+@@ -738,6 +740,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+                    SSH_FP_DEFAULT);
+                error_f("server replied with unknown key: %s %s",
+                    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+               r = SSH_ERR_INVALID_FORMAT;
+                goto done;
+        }
+        ident = format_identity(id);
+diff --git a/sshsig.c b/sshsig.c
+index d50d65f..1b7f40d 100644
+--- a/sshsig.c
+++ b/sshsig.c
+@@ -874,6 +874,7 @@ cert_filter_principals(const char *path, u_long linenum,
+        }
+        if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+                error_f("buffer error");
+               r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        /* success */
+--
+2.40.0
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index ea5face097..6ae4c81a42 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://CVE-2024-39894.patch \
           file://0001-Fix-missing-header-for-systemd-notification.patch \
           file://CVE-2025-26466.patch \
+           file://CVE-2025-26465.patch \
           "
 SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
author	Archana Polampalli <archana.polampalli@windriver.com>	2025-03-05 16:14:39 +0000
committer	Steve Sakoman <steve@sakoman.com>	2025-03-15 06:40:07 -0700
commit	3d975e8f01375976ba43c56a8dd7bdb7358c0553 (patch)
tree	59f6da1b65b35834676b21dddcce05d01dee66cb
parent	83fda1bb2e132569b08b0028e5624bfaaa9a2a43 (diff)
download	poky-3d975e8f01375976ba43c56a8dd7bdb7358c0553.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch new file mode 100644 index 0000000000..0a3cf1496b --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch
@@ -0,0 +1,169 @@
		1	From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Tue, 18 Feb 2025 08:02:48 +0000
		4	Subject: [PATCH] upstream: Fix cases where error codes were not correctly set
		5
		6	Reported by the Qualys Security Advisory team. ok markus@
		7
		8	OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
		9
		10	CVE: CVE-2025-26465
		11
		12	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0832aac79517611dd4de93ad0a83577994d9c907]
		13
		14	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		15	---
		16	krl.c \| 4 +++-
		17	ssh-agent.c \| 5 +++++
		18	ssh-sk-client.c \| 4 +++-
		19	sshconnect2.c \| 5 ++++-
		20	sshsig.c \| 1 +
		21	5 files changed, 16 insertions(+), 3 deletions(-)
		22
		23	diff --git a/krl.c b/krl.c
		24	index e2efdf0..0d0f695 100644
		25	--- a/krl.c
		26	+++ b/krl.c
		27	@@ -1,4 +1,4 @@
		28	-/* $OpenBSD: krl.c,v 1.59 2023/07/17 05:22:30 djm Exp $ */
		29	+/* $OpenBSD: krl.c,v 1.60 2025/02/18 08:02:48 djm Exp $ */
		30	/*
		31	* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
		32	*
		33	@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs rc, struct sshbuf buf)
		34	break;
		35	case KRL_SECTION_CERT_SERIAL_BITMAP:
		36	if (rs->lo - bitmap_start > INT_MAX) {
		37	+ r = SSH_ERR_INVALID_FORMAT;
		38	error_f("insane bitmap gap");
		39	goto out;
		40	}
		41	@@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf buf, struct ssh_krl *krlp)
		42	}
		43
		44	if ((krl = ssh_krl_init()) == NULL) {
		45	+ r = SSH_ERR_ALLOC_FAIL;
		46	error_f("alloc failed");
		47	goto out;
		48	}
		49	diff --git a/ssh-agent.c b/ssh-agent.c
		50	index b6a3f48..2d2c6fc 100644
		51	--- a/ssh-agent.c
		52	+++ b/ssh-agent.c
		53	@@ -1204,6 +1204,7 @@ parse_key_constraint_extension(struct sshbuf m, char *sk_providerp,
		54	"restrict-destination-v00@openssh.com") == 0) {
		55	if (*dcsp != NULL) {
		56	error_f("%s already set", ext_name);
		57	+ r = SSH_ERR_INVALID_FORMAT;
		58	goto out;
		59	}
		60	if ((r = sshbuf_froms(m, &b)) != 0) {
		61	@@ -1213,6 +1214,7 @@ parse_key_constraint_extension(struct sshbuf m, char *sk_providerp,
		62	while (sshbuf_len(b) != 0) {
		63	if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) {
		64	error_f("too many %s constraints", ext_name);
		65	+ r = SSH_ERR_INVALID_FORMAT;
		66	goto out;
		67	}
		68	dcsp = xrecallocarray(dcsp, ndcsp, ndcsp + 1,
		69	@@ -1230,6 +1232,7 @@ parse_key_constraint_extension(struct sshbuf m, char *sk_providerp,
		70	}
		71	if (*certs != NULL) {
		72	error_f("%s already set", ext_name);
		73	+ r = SSH_ERR_INVALID_FORMAT;
		74	goto out;
		75	}
		76	if ((r = sshbuf_get_u8(m, &v)) != 0 \|\|
		77	@@ -1241,6 +1244,7 @@ parse_key_constraint_extension(struct sshbuf m, char *sk_providerp,
		78	while (sshbuf_len(b) != 0) {
		79	if (*ncerts >= AGENT_MAX_EXT_CERTS) {
		80	error_f("too many %s constraints", ext_name);
		81	+ r = SSH_ERR_INVALID_FORMAT;
		82	goto out;
		83	}
		84	certs = xrecallocarray(certs, ncerts, ncerts + 1,
		85	@@ -1737,6 +1741,7 @@ process_ext_session_bind(SocketEntry *e)
		86	/* record new key/sid */
		87	if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
		88	error_f("too many session IDs recorded");
		89	+ r = -1;
		90	goto out;
		91	}
		92	e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
		93	diff --git a/ssh-sk-client.c b/ssh-sk-client.c
		94	index 321fe53..06fad22 100644
		95	--- a/ssh-sk-client.c
		96	+++ b/ssh-sk-client.c
		97	@@ -1,4 +1,4 @@
		98	-/* $OpenBSD: ssh-sk-client.c,v 1.12 2022/01/14 03:34:00 djm Exp $ */
		99	+/* $OpenBSD: ssh-sk-client.c,v 1.13 2025/02/18 08:02:48 djm Exp $ */
		100	/*
		101	* Copyright (c) 2019 Google LLC
		102	*
		103	@@ -439,6 +439,7 @@ sshsk_load_resident(const char provider_path, const char device,
		104	}
		105	if ((srk = calloc(1, sizeof(*srk))) == NULL) {
		106	error_f("calloc failed");
		107	+ r = SSH_ERR_ALLOC_FAIL;
		108	goto out;
		109	}
		110	srk->key = key;
		111	@@ -450,6 +451,7 @@ sshsk_load_resident(const char provider_path, const char device,
		112	if ((tmp = recallocarray(srks, nsrks, nsrks + 1,
		113	sizeof(*srks))) == NULL) {
		114	error_f("recallocarray keys failed");
		115	+ r = SSH_ERR_ALLOC_FAIL;
		116	goto out;
		117	}
		118	debug_f("srks[%zu]: %s %s uidlen %zu", nsrks,
		119	diff --git a/sshconnect2.c b/sshconnect2.c
		120	index fab1e36..a5f92f0 100644
		121	--- a/sshconnect2.c
		122	+++ b/sshconnect2.c
		123	@@ -101,7 +101,7 @@ verify_host_key_callback(struct sshkey hostkey, struct ssh ssh)
		124	options.required_rsa_size)) != 0)
		125	fatal_r(r, "Bad server host key");
		126	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
		127	- xxx_conn_info) == -1)
		128	+ xxx_conn_info) != 0)
		129	fatal("Host key verification failed.");
		130	return 0;
		131	}
		132	@@ -709,6 +709,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
		133
		134	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
		135	debug_f("server sent unknown pkalg %s", pkalg);
		136	+ r = SSH_ERR_INVALID_FORMAT;
		137	goto done;
		138	}
		139	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
		140	@@ -719,6 +720,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
		141	error("input_userauth_pk_ok: type mismatch "
		142	"for decoded key (received %d, expected %d)",
		143	key->type, pktype);
		144	+ r = SSH_ERR_INVALID_FORMAT;
		145	goto done;
		146	}
		147
		148	@@ -738,6 +740,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
		149	SSH_FP_DEFAULT);
		150	error_f("server replied with unknown key: %s %s",
		151	sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
		152	+ r = SSH_ERR_INVALID_FORMAT;
		153	goto done;
		154	}
		155	ident = format_identity(id);
		156	diff --git a/sshsig.c b/sshsig.c
		157	index d50d65f..1b7f40d 100644
		158	--- a/sshsig.c
		159	+++ b/sshsig.c
		160	@@ -874,6 +874,7 @@ cert_filter_principals(const char *path, u_long linenum,
		161	}
		162	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
		163	error_f("buffer error");
		164	+ r = SSH_ERR_ALLOC_FAIL;
		165	goto out;
		166	}
		167	/* success */
		168	--
		169	2.40.0


diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index ea5face097..6ae4c81a42 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
30	file://CVE-2024-39894.patch \	30	file://CVE-2024-39894.patch \
31	file://0001-Fix-missing-header-for-systemd-notification.patch \	31	file://0001-Fix-missing-header-for-systemd-notification.patch \
32	file://CVE-2025-26466.patch \	32	file://CVE-2025-26466.patch \
		33	file://CVE-2025-26465.patch \
33	"	34	"
34	SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"	35	SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
35		36