diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35386-1.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35386-1.patch
new file mode 100644
index 0000000000..a4b81bf407
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35386-1.patch
@@ -0,0 +1,65 @@
+From 96968048d6bb9a3183882b7af0630895bd4e7059 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 2 Apr 2026 07:50:55 +0000
+Subject: [PATCH] upstream: move username validity check for usernames
+ specified on
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+the commandline to earlier in main(), specifically before some contexts where
+a username with shell characters might be expanded by a %u directive in
+ssh_config.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We continue to recommend against using untrusted input on
+the SSH commandline. Mitigations like this are not 100%
+guarantees of safety because we can't control every
+combination of user shell and configuration where they are
+used.
+
+Reported by Florian Kohnhäuser
+
+OpenBSD-Commit-ID: 25ef72223f5ccf1c38d307ae77c23c03f59acc55
+
+Backport notes: The upstream commit uses renamed functions
+(ssh_valid_hostname, ssh_valid_ruser) that don't exist in 9.6p1.
+Adapted to use the existing function names (valid_hostname, valid_ruser).
+
+CVE: CVE-2026-35386
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/76685c9b09a66435cd2ad8373246adf1c53976d3]
+
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ ssh.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 9c49f98a8..951da74fa 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */
++/* $OpenBSD: ssh.c,v 1.630 2026/04/02 07:50:55 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1160,10 +1160,14 @@ main(int ac, char **av)
+ 	if (!host)
+ 		usage();
+ 
+-	if (!valid_hostname(host))
+-		fatal("hostname contains invalid characters");
++	/*
++	 * Validate commandline-specified values that end up in %tokens
++	 * before they are used in config parsing.
++	 */
+ 	if (options.user != NULL && !valid_ruser(options.user))
+ 		fatal("remote username contains invalid characters");
++	if (!valid_hostname(host))
++		fatal("hostname contains invalid characters");
+ 	options.host_arg = xstrdup(host);
+ 
+ 	/* Initialize the command to execute on remote host. */
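Review bot: In the embedded ssh.c hunk the `valid_ruser(options.user)` check is a context line, so for 9.6p1 the visible functional change is only that `valid_hostname(host)` now runs after it. The backport notes mention the function renames but not this; consider adding something like `The valid_ruser() check is already at this position in this tree; only the ordering and the comment change.`, and confirm that no %u expansion is reachable earlier in main(), which continues outside the hunk. The `@@ -1,4 +1,4 @@` hunk rewrites the `$OpenBSD` ident to revision 1.630, which this tree is not at and which will conflict with any other backport touching line 1; dropping that hunk would be safer. The commit message body also carries a second copy of the `MIME-Version`/`Content-Type`/`Content-Transfer-Encoding` lines after the wrapped subject text, which could be removed.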
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index 1cdd888ccb..98176a971b 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://CVE-2025-32728.patch \
            file://CVE-2025-61985.patch \
            file://CVE-2025-61984.patch \
+		   file://CVE-2026-35386-1.patch \
            "
 SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
 
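Review bot: The added SRC_URI entry is indented with tabs followed by spaces, while the neighbouring `file://` lines use spaces only; align it as `           file://CVE-2026-35386-1.patch \`. The `-1` suffix suggests the upstream fix has further parts. If so, this entry alone should not be read as closing CVE-2026-35386 until the remaining patches are listed, which is not visible in this hunk.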
