diff mbox series

[Walnascar,4/5] openssh: fix CVE-2025-32728

Message ID 20250509102228.3422688-4-archana.polampalli@windriver.com
State Under Review
Delegated to: Steve Sakoman
Headers show
Series [Walnascar,1/5] perlcross: 1.6 -> 1.6.2 | expand

Commit Message

Polampalli, Archana May 9, 2025, 10:22 a.m. UTC 
From: Archana Polampalli <archana.polampalli@windriver.com>

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the
documentation stating that it disables X11 and agent forwarding.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../openssh/openssh/CVE-2025-32728.patch      | 43 +++++++++++++++++++
 .../openssh/openssh_9.9p2.bb                  |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch

Comments

Steve Sakoman May 9, 2025, 4:04 p.m. UTC | #1 
Hi Archana,

You'll need to send this patch for the master branch before I can take
it for walnascar.

Thanks!

Steve

On Fri, May 9, 2025 at 3:22 AM Polampalli, Archana via
lists.openembedded.org
<archana.polampalli=windriver.com@lists.openembedded.org> wrote:
>
> From: Archana Polampalli <archana.polampalli@windriver.com>
>
> In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the
> documentation stating that it disables X11 and agent forwarding.
>
> Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> ---
>  .../openssh/openssh/CVE-2025-32728.patch      | 43 +++++++++++++++++++
>  .../openssh/openssh_9.9p2.bb                  |  1 +
>  2 files changed, 44 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
> new file mode 100644
> index 0000000000..db47947b42
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
> @@ -0,0 +1,43 @@
> +From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
> +From: "djm@openbsd.org" <djm@openbsd.org>
> +Date: Wed, 9 Apr 2025 07:00:03 +0000
> +Subject: [PATCH] upstream: Fix logic error in DisableForwarding option. This
> + option
> +
> +was documented as disabling X11 and agent forwarding but it failed to do so.
> +Spotted by Tim Rice.
> +
> +OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
> +
> +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367]
> +CVE: CVE-2025-32728
> +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> +---
> + session.c | 5 +++--
> + 1 file changed, 3 insertions(+), 2 deletions(-)
> +
> +diff --git a/session.c b/session.c
> +index aa342e8..eb932b8 100644
> +--- a/session.c
> ++++ b/session.c
> +@@ -2191,7 +2191,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
> +       if ((r = sshpkt_get_end(ssh)) != 0)
> +               sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
> +       if (!auth_opts->permit_agent_forwarding_flag ||
> +-          !options.allow_agent_forwarding) {
> ++          !options.allow_agent_forwarding ||
> ++          options.disable_forwarding) {
> +               debug_f("agent forwarding disabled");
> +               return 0;
> +       }
> +@@ -2586,7 +2587,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
> +               ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
> +               return 0;
> +       }
> +-      if (!options.x11_forwarding) {
> ++      if (!options.x11_forwarding || options.disable_forwarding) {
> +               debug("X11 forwarding disabled in server configuration file.");
> +               return 0;
> +       }
> +--
> +2.25.1
> diff --git a/meta/recipes-connectivity/openssh/openssh_9.9p2.bb b/meta/recipes-connectivity/openssh/openssh_9.9p2.bb
> index 5191725796..8d3ea4d632 100644
> --- a/meta/recipes-connectivity/openssh/openssh_9.9p2.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_9.9p2.bb
> @@ -25,6 +25,7 @@ SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.ta
>             file://sshd_check_keys \
>             file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
>             file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
> +           file://CVE-2025-32728.patch \
>             "
>  SRC_URI[sha256sum] = "91aadb603e08cc285eddf965e1199d02585fa94d994d6cae5b41e1721e215673"
>
> --
> 2.40.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#216195): https://lists.openembedded.org/g/openembedded-core/message/216195
> Mute This Topic: https://lists.openembedded.org/mt/112896255/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
diff mbox series

Patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
new file mode 100644
index 0000000000..db47947b42
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
@@ -0,0 +1,43 @@ 
+From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: [PATCH] upstream: Fix logic error in DisableForwarding option. This
+ option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367]
+CVE: CVE-2025-32728
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ session.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/session.c b/session.c
+index aa342e8..eb932b8 100644
+--- a/session.c
++++ b/session.c
+@@ -2191,7 +2191,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+	if ((r = sshpkt_get_end(ssh)) != 0)
+		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+		debug_f("agent forwarding disabled");
+		return 0;
+	}
+@@ -2586,7 +2587,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+		return 0;
+	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+		debug("X11 forwarding disabled in server configuration file.");
+		return 0;
+	}
+--
+2.25.1
diff --git a/meta/recipes-connectivity/openssh/openssh_9.9p2.bb b/meta/recipes-connectivity/openssh/openssh_9.9p2.bb
index 5191725796..8d3ea4d632 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.9p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.9p2.bb
@@ -25,6 +25,7 @@  SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.ta
            file://sshd_check_keys \
            file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
            file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
+           file://CVE-2025-32728.patch \
            "
 SRC_URI[sha256sum] = "91aadb603e08cc285eddf965e1199d02585fa94d994d6cae5b41e1721e215673"