2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
new file mode 100644
index 0000000000..aee237e507
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
@@ -0,0 +1,98 @@
+From 35d5917652106aede47621bb3f64044604164043 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:29:09 +0000
+Subject: [PATCH] upstream: Improve rules for %-expansion of username.
+Usernames passed on the commandline will no longer be subject to
+% expansion. Some tools invoke ssh with connection information
+(i.e. usernames and host names) supplied from untrusted sources.
+These may contain % expansion sequences which could yield
+unexpected results.
+Since openssh-9.6, all usernames have been subject to validity
+checking. This change tightens the validity checks by refusing
+usernames that include control characters (again, these can cause
+surprises when supplied adversarially).
+This change also relaxes the validity checks in one small way:
+usernames supplied via the configuration file as literals (i.e.
+include no % expansion characters) are not subject to these
+validity checks. This allows usernames that contain arbitrary
+characters to be used, but only via configuration files. This
+is done on the basis that ssh's configuration is trusted.
+Pointed out by David Leadbeater, ok deraadt@
+OpenBSD-Commit-ID: e2f0c871fbe664aba30607321575e7c7fc798362
+CVE: CVE-2025-61984
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ ssh.c | 11 +++++++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+diff --git a/ssh.c b/ssh.c
+index 82ed15f..d4e2040 100644
+--- a/ssh.c
+++ b/ssh.c
+@@ -634,6 +634,8 @@ valid_ruser(const char *s)
+        if (*s == '-')
+                return 0;
+        for (i = 0; s[i] != 0; i++) {
+               if (iscntrl((u_char)s[i]))
+                       return 0;
+                if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+                        return 0;
+                /* Disallow '-' after whitespace */
+@@ -655,6 +657,7 @@ main(int ac, char **av)
+        struct ssh *ssh = NULL;
+        int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+        int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
+       int user_on_commandline = 0, user_was_default = 0, user_expanded = 0;
+        char *p, *cp, *line, *argv0, *logfile, *host_arg;
+        char cname[NI_MAXHOST], thishost[NI_MAXHOST];
+        struct stat st;
+@@ -995,8 +998,10 @@ main(int ac, char **av)
+                        }
+                        break;
+                case 'l':
+-                       if (options.user == NULL)
+                       if (options.user == NULL) {
+                                options.user = optarg;
+                               user_on_commandline = 1;
+                       }
+                        break;
+ 
+                case 'L':
+@@ -1099,6 +1104,7 @@ main(int ac, char **av)
+                        if (options.user == NULL) {
+                                options.user = tuser;
+                                tuser = NULL;
+                               user_on_commandline = 1;
+                        }
+                        free(tuser);
+                        if (options.port == -1 && tport != -1)
+@@ -1113,6 +1119,7 @@ main(int ac, char **av)
+                                if (options.user == NULL) {
+                                        options.user = p;
+                                        p = NULL;
+                                       user_on_commandline = 1;
+                                }
+                                *cp++ = '\0';
+                                host = xstrdup(cp);
+@@ -1265,8 +1272,10 @@ main(int ac, char **av)
+        if (fill_default_options(&options) != 0)
+                cleanup_exit(255);
+ 
+-       if (options.user == NULL)
+       if (options.user == NULL) {
+               user_was_default = 1;
+                options.user = xstrdup(pw->pw_name);
+       }
+ 
+        /*
+         * If ProxyJump option specified, then construct a ProxyCommand now.
+-- 
+2.50.1
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 780ece8999..6ba85712b3 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://CVE-2025-26465.patch \
           file://CVE-2025-32728.patch \
           file://CVE-2025-61985.patch \
+           file://CVE-2025-61984.patch \
           "
 SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch new file mode 100644 index 0000000000..aee237e507 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
@@ -0,0 +1,98 @@
		1	From 35d5917652106aede47621bb3f64044604164043 Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Thu, 4 Sep 2025 00:29:09 +0000
		4	Subject: [PATCH] upstream: Improve rules for %-expansion of username.
		5
		6	Usernames passed on the commandline will no longer be subject to
		7	% expansion. Some tools invoke ssh with connection information
		8	(i.e. usernames and host names) supplied from untrusted sources.
		9	These may contain % expansion sequences which could yield
		10	unexpected results.
		11
		12	Since openssh-9.6, all usernames have been subject to validity
		13	checking. This change tightens the validity checks by refusing
		14	usernames that include control characters (again, these can cause
		15	surprises when supplied adversarially).
		16
		17	This change also relaxes the validity checks in one small way:
		18	usernames supplied via the configuration file as literals (i.e.
		19	include no % expansion characters) are not subject to these
		20	validity checks. This allows usernames that contain arbitrary
		21	characters to be used, but only via configuration files. This
		22	is done on the basis that ssh's configuration is trusted.
		23
		24	Pointed out by David Leadbeater, ok deraadt@
		25
		26	OpenBSD-Commit-ID: e2f0c871fbe664aba30607321575e7c7fc798362
		27
		28	CVE: CVE-2025-61984
		29	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043]
		30	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		31	---
		32	ssh.c \| 11 +++++++++++++++--
		33	1 file changed, 11 insertions(+), 2 deletions(-)
		34
		35	diff --git a/ssh.c b/ssh.c
		36	index 82ed15f..d4e2040 100644
		37	--- a/ssh.c
		38	+++ b/ssh.c
		39	@@ -634,6 +634,8 @@ valid_ruser(const char *s)
		40	if (*s == '-')
		41	return 0;
		42	for (i = 0; s[i] != 0; i++) {
		43	+ if (iscntrl((u_char)s[i]))
		44	+ return 0;
		45	if (strchr("'`\";&<>\|(){}", s[i]) != NULL)
		46	return 0;
		47	/* Disallow '-' after whitespace */
		48	@@ -655,6 +657,7 @@ main(int ac, char **av)
		49	struct ssh *ssh = NULL;
		50	int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
		51	int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
		52	+ int user_on_commandline = 0, user_was_default = 0, user_expanded = 0;
		53	char p, cp, line, argv0, logfile, host_arg;
		54	char cname[NI_MAXHOST], thishost[NI_MAXHOST];
		55	struct stat st;
		56	@@ -995,8 +998,10 @@ main(int ac, char **av)
		57	}
		58	break;
		59	case 'l':
		60	- if (options.user == NULL)
		61	+ if (options.user == NULL) {
		62	options.user = optarg;
		63	+ user_on_commandline = 1;
		64	+ }
		65	break;
		66
		67	case 'L':
		68	@@ -1099,6 +1104,7 @@ main(int ac, char **av)
		69	if (options.user == NULL) {
		70	options.user = tuser;
		71	tuser = NULL;
		72	+ user_on_commandline = 1;
		73	}
		74	free(tuser);
		75	if (options.port == -1 && tport != -1)
		76	@@ -1113,6 +1119,7 @@ main(int ac, char **av)
		77	if (options.user == NULL) {
		78	options.user = p;
		79	p = NULL;
		80	+ user_on_commandline = 1;
		81	}
		82	*cp++ = '\0';
		83	host = xstrdup(cp);
		84	@@ -1265,8 +1272,10 @@ main(int ac, char **av)
		85	if (fill_default_options(&options) != 0)
		86	cleanup_exit(255);
		87
		88	- if (options.user == NULL)
		89	+ if (options.user == NULL) {
		90	+ user_was_default = 1;
		91	options.user = xstrdup(pw->pw_name);
		92	+ }
		93
		94	/*
		95	* If ProxyJump option specified, then construct a ProxyCommand now.
		96	--
		97	2.50.1
		98


diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb index 780ece8999..6ba85712b3 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
40	file://CVE-2025-26465.patch \	40	file://CVE-2025-26465.patch \
41	file://CVE-2025-32728.patch \	41	file://CVE-2025-32728.patch \
42	file://CVE-2025-61985.patch \	42	file://CVE-2025-61985.patch \
		43	file://CVE-2025-61984.patch \
43	"	44	"
44	SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"	45	SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
45		46