diff --git a/SPECS/openssh/CVE-2026-35387.patch b/SPECS/openssh/CVE-2026-35387.patch new file mode 100644 index 00000000000..8b421d8d5ba --- /dev/null +++ b/SPECS/openssh/CVE-2026-35387.patch @@ -0,0 +1,170 @@ +From 6b2d525ff958ca55008a0728839be558f83d5f61 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Mon, 15 Jun 2026 06:47:26 +0000 +Subject: [PATCH] upstream: correctly match ECDSA signature algorithms against + allowlists + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa.patch +--- + auth2-hostbased.c | 7 ++++--- + auth2-pubkey.c | 7 ++++--- + auth2-pubkeyfile.c | 24 ++++++++++++++---------- + sshconnect2.c | 26 +++++++++++++++++--------- + 4 files changed, 39 insertions(+), 25 deletions(-) + +diff --git a/auth2-hostbased.c b/auth2-hostbased.c +index 4022d92..cdf862f 100644 +--- a/auth2-hostbased.c ++++ b/auth2-hostbased.c +@@ -96,9 +96,10 @@ userauth_hostbased(struct ssh *ssh, const char *method) + error_f("cannot decode key: %s", pkalg); + goto done; + } +- if (key->type != pktype) { +- error_f("type mismatch for decoded key " +- "(received %d, expected %d)", key->type, pktype); ++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA && ++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) { ++ error_f("key type mismatch for decoded key " ++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg); + goto done; + } + if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) { +diff --git a/auth2-pubkey.c b/auth2-pubkey.c +index 2a108ea..44090a4 100644 +--- a/auth2-pubkey.c ++++ b/auth2-pubkey.c +@@ -149,9 +149,10 @@ userauth_pubkey(struct ssh *ssh, const char *method) + error_f("cannot decode key: %s", pkalg); + goto done; + } +- if (key->type != pktype) { +- error_f("type mismatch for decoded key " +- "(received %d, expected %d)", key->type, pktype); ++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA && ++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) { ++ error_f("key type mismatch for decoded key " ++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg); + goto done; + } + if (auth2_key_already_used(authctxt, key)) { +diff --git a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c +index 556550a..22117ad 100644 +--- a/auth2-pubkeyfile.c ++++ b/auth2-pubkeyfile.c +@@ -50,6 +50,7 @@ + #include "authfile.h" + #include "match.h" + #include "ssherr.h" ++#include "xmalloc.h" + + int + auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts, +@@ -146,20 +147,23 @@ auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts, + static int + match_principals_option(const char *principal_list, struct sshkey_cert *cert) + { +- char *result; ++ char *list, *olist, *entry; + u_int i; + +- /* XXX percent_expand() sequences for authorized_principals? */ +- +- for (i = 0; i < cert->nprincipals; i++) { +- if ((result = match_list(cert->principals[i], +- principal_list, NULL)) != NULL) { +- debug3("matched principal from key options \"%.100s\"", +- result); +- free(result); +- return 1; ++ olist = list = xstrdup(principal_list); ++ for (;;) { ++ if ((entry = strsep(&list, ",")) == NULL || *entry == \0\) ++ break; ++ for (i = 0; i < cert->nprincipals; i++) { ++ if (strcmp(entry, cert->principals[i]) == 0) { ++ debug3("matched principal from key options \"%.100s\"", ++ entry); ++ free(olist); ++ return 1; ++ } + } + } ++ free(olist); + return 0; + } + +diff --git a/sshconnect2.c b/sshconnect2.c +index 42e6cac..ec85246 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -89,6 +89,7 @@ extern Options options; + static char *xxx_host; + static struct sockaddr *xxx_hostaddr; + static const struct ssh_conn_info *xxx_conn_info; ++static int key_type_allowed(struct sshkey *, const char *); + + static int + verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) +@@ -98,6 +99,10 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) + if ((r = sshkey_check_rsa_length(hostkey, + options.required_rsa_size)) != 0) + fatal_r(r, "Bad server host key"); ++ if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) { ++ fatal("Server host key %s not in HostKeyAlgorithms", ++ sshkey_ssh_name(hostkey)); ++ } + if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, + xxx_conn_info) != 0) + fatal("Host key verification failed."); +@@ -1597,34 +1602,37 @@ load_identity_file(Identity *id) + } + + static int +-key_type_allowed_by_config(struct sshkey *key) ++key_type_allowed(struct sshkey *key, const char *allowlist) + { +- if (match_pattern_list(sshkey_ssh_name(key), +- options.pubkey_accepted_algos, 0) == 1) ++ if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1) + return 1; + + /* RSA keys/certs might be allowed by alternate signature types */ + switch (key->type) { + case KEY_RSA: +- if (match_pattern_list("rsa-sha2-512", +- options.pubkey_accepted_algos, 0) == 1) ++ if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1) + return 1; +- if (match_pattern_list("rsa-sha2-256", +- options.pubkey_accepted_algos, 0) == 1) ++ if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1) + return 1; + break; + case KEY_RSA_CERT: + if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", +- options.pubkey_accepted_algos, 0) == 1) ++ allowlist, 0) == 1) + return 1; + if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", +- options.pubkey_accepted_algos, 0) == 1) ++ allowlist, 0) == 1) + return 1; + break; + } + return 0; + } + ++static int ++key_type_allowed_by_config(struct sshkey *key) ++{ ++ return key_type_allowed(key, options.pubkey_accepted_algos); ++} ++ + /* obtain a list of keys from the agent */ + static int + get_agent_identities(struct ssh *ssh, int *agent_fdp, +-- +2.45.4 + diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec index 9572637cbb6..3a28c6c52a3 100644 --- a/SPECS/openssh/openssh.spec +++ b/SPECS/openssh/openssh.spec @@ -47,6 +47,7 @@ Patch407: CVE-2026-35414.patch # The tests fail with the following error: # dlsym(sk_api_version) failed: (...)/sk-dummy.so: undefined symbol: sk_api_version Patch965: openssh-8.2p1-visibility.patch +Patch966: CVE-2026-35387.patch BuildRequires: audit-devel BuildRequires: autoconf @@ -108,6 +109,7 @@ The module is most useful for su and sudo service stacks. %prep %setup -q -a 3 +%patch 966 -p1 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} %patch -P 300 -p2 -b .psaa-build