openssh: fix CVE-2025-61984

ssh in OpenSSH before 10.1 allows control characters in usernames that
originate from certain possibly untrusted sources, potentially leading
to code execution when a ProxyCommand is used. The untrusted sources
are the command line and %-sequence expansion of a configuration file.

Note:
openssh does not support variable expansion until 10.0, so backport
adapts for this.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-61984

Upstream-Status: Backport from https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043

(From OE-Core rev: 7ca0c7a4d17c707658669e255689ecd4183c7e9b)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2 files changed, 99 insertions, 0 deletions

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
new file mode 100644
index 0000000000..aee237e507
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
@@ -0,0 +1,98 @@
+From 35d5917652106aede47621bb3f64044604164043 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:29:09 +0000
+Subject: [PATCH] upstream: Improve rules for %-expansion of username.
+
+Usernames passed on the commandline will no longer be subject to
+% expansion. Some tools invoke ssh with connection information
+(i.e. usernames and host names) supplied from untrusted sources.
+These may contain % expansion sequences which could yield
+unexpected results.
+
+Since openssh-9.6, all usernames have been subject to validity
+checking. This change tightens the validity checks by refusing
+usernames that include control characters (again, these can cause
+surprises when supplied adversarially).
+
+This change also relaxes the validity checks in one small way:
+usernames supplied via the configuration file as literals (i.e.
+include no % expansion characters) are not subject to these
+validity checks. This allows usernames that contain arbitrary
+characters to be used, but only via configuration files. This
+is done on the basis that ssh's configuration is trusted.
+
+Pointed out by David Leadbeater, ok deraadt@
+
+OpenBSD-Commit-ID: e2f0c871fbe664aba30607321575e7c7fc798362
+
+CVE: CVE-2025-61984
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ ssh.c | 11 +++++++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 82ed15f..d4e2040 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -634,6 +634,8 @@ valid_ruser(const char *s)
+        if (*s == '-')
+                return 0;
+        for (i = 0; s[i] != 0; i++) {
++               if (iscntrl((u_char)s[i]))
++                       return 0;
+                if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+                        return 0;
+                /* Disallow '-' after whitespace */
+@@ -655,6 +657,7 @@ main(int ac, char **av)
+        struct ssh *ssh = NULL;
+        int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+        int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
++       int user_on_commandline = 0, user_was_default = 0, user_expanded = 0;
+        char *p, *cp, *line, *argv0, *logfile, *host_arg;
+        char cname[NI_MAXHOST], thishost[NI_MAXHOST];
+        struct stat st;
+@@ -995,8 +998,10 @@ main(int ac, char **av)
+                        }
+                        break;
+                case 'l':
+-                       if (options.user == NULL)
++                       if (options.user == NULL) {
+                                options.user = optarg;
++                               user_on_commandline = 1;
++                       }
+                        break;
+ 
+                case 'L':
+@@ -1099,6 +1104,7 @@ main(int ac, char **av)
+                        if (options.user == NULL) {
+                                options.user = tuser;
+                                tuser = NULL;
++                               user_on_commandline = 1;
+                        }
+                        free(tuser);
+                        if (options.port == -1 && tport != -1)
+@@ -1113,6 +1119,7 @@ main(int ac, char **av)
+                                if (options.user == NULL) {
+                                        options.user = p;
+                                        p = NULL;
++                                       user_on_commandline = 1;
+                                }
+                                *cp++ = '\0';
+                                host = xstrdup(cp);
+@@ -1265,8 +1272,10 @@ main(int ac, char **av)
+        if (fill_default_options(&options) != 0)
+                cleanup_exit(255);
+ 
+-       if (options.user == NULL)
++       if (options.user == NULL) {
++               user_was_default = 1;
+                options.user = xstrdup(pw->pw_name);
++       }
+ 
+        /*
+         * If ProxyJump option specified, then construct a ProxyCommand now.
+-- 
+2.50.1
+
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 780ece8999..6ba85712b3 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://CVE-2025-26465.patch \
            file://CVE-2025-32728.patch \
            file://CVE-2025-61985.patch \
+           file://CVE-2025-61984.patch \
            "
 SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"