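--- a/SPECS/openssh/CVE-2026-35387.patch
+++ b/SPECS/openssh/CVE-2026-35387.patch
@@ -0,0 +1,170 @@
+From 6b2d525ff958ca55008a0728839be558f83d5f61 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 15 Jun 2026 06:47:26 +0000
+Subject: [PATCH] upstream: correctly match ECDSA signature algorithms against
+allowlists
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa.patch
+---
+auth2-hostbased.c | 7 ++++---
+auth2-pubkey.c | 7 ++++---
+auth2-pubkeyfile.c | 24 ++++++++++++++----------
+sshconnect2.c | 26 +++++++++++++++++---------
+4 files changed, 39 insertions(+), 25 deletions(-)
+
+diff --git a/auth2-hostbased.c b/auth2-hostbased.c
+index 4022d92..cdf862f 100644
+--- a/auth2-hostbased.c
++++ b/auth2-hostbased.c
+@@ -96,9 +96,10 @@ userauth_hostbased(struct ssh *ssh, const char *method)
+error_f("cannot decode key: %s", pkalg);
+goto done;
+}
+- if (key->type != pktype) {
+- error_f("type mismatch for decoded key "
+- "(received %d, expected %d)", key->type, pktype);
++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
++ error_f("key type mismatch for decoded key "
++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+goto done;
+}
+if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) {
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 2a108ea..44090a4 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -149,9 +149,10 @@ userauth_pubkey(struct ssh *ssh, const char *method)
+error_f("cannot decode key: %s", pkalg);
+goto done;
+}
+- if (key->type != pktype) {
+- error_f("type mismatch for decoded key "
+- "(received %d, expected %d)", key->type, pktype);
++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
++ error_f("key type mismatch for decoded key "
++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+goto done;
+}
+if (auth2_key_already_used(authctxt, key)) {
+diff --git a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c
+index 556550a..22117ad 100644
+--- a/auth2-pubkeyfile.c
++++ b/auth2-pubkeyfile.c
+@@ -50,6 +50,7 @@
+#include "authfile.h"
+#include "match.h"
+#include "ssherr.h"
++#include "xmalloc.h"
+
+int
+auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
+@@ -146,20 +147,23 @@ auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
+static int
+match_principals_option(const char *principal_list, struct sshkey_cert *cert)
+{
+- char *result;
++ char *list, *olist, *entry;
+u_int i;
+
+- /* XXX percent_expand() sequences for authorized_principals? */
+-
+- for (i = 0; i < cert->nprincipals; i++) {
+- if ((result = match_list(cert->principals[i],
+- principal_list, NULL)) != NULL) {
+- debug3("matched principal from key options \"%.100s\"",
+- result);
+- free(result);
+- return 1;
++ olist = list = xstrdup(principal_list);
++ for (;;) {
++ if ((entry = strsep(&list, ",")) == NULL || *entry == \0\)
++ break;
++ for (i = 0; i < cert->nprincipals; i++) {
++ if (strcmp(entry, cert->principals[i]) == 0) {
++ debug3("matched principal from key options \"%.100s\"",
++ entry);
++ free(olist);
++ return 1;
++ }
+}
+}
++ free(olist);
+return 0;
+}
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 42e6cac..ec85246 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -89,6 +89,7 @@ extern Options options;
+static char *xxx_host;
+static struct sockaddr *xxx_hostaddr;
+static const struct ssh_conn_info *xxx_conn_info;
++static int key_type_allowed(struct sshkey *, const char *);
+
+static int
+verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+@@ -98,6 +99,10 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+if ((r = sshkey_check_rsa_length(hostkey,
+options.required_rsa_size)) != 0)
+fatal_r(r, "Bad server host key");
++ if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) {
++ fatal("Server host key %s not in HostKeyAlgorithms",
++ sshkey_ssh_name(hostkey));
++ }
+if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+xxx_conn_info) != 0)
+fatal("Host key verification failed.");
+@@ -1597,34 +1602,37 @@ load_identity_file(Identity *id)
+}
+
+static int
+-key_type_allowed_by_config(struct sshkey *key)
++key_type_allowed(struct sshkey *key, const char *allowlist)
+{
+- if (match_pattern_list(sshkey_ssh_name(key),
+- options.pubkey_accepted_algos, 0) == 1)
++ if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1)
+return 1;
+
+/* RSA keys/certs might be allowed by alternate signature types */
+switch (key->type) {
+case KEY_RSA:
+- if (match_pattern_list("rsa-sha2-512",
+- options.pubkey_accepted_algos, 0) == 1)
++ if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1)
+return 1;
+- if (match_pattern_list("rsa-sha2-256",
+- options.pubkey_accepted_algos, 0) == 1)
++ if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1)
+return 1;
+break;
+case KEY_RSA_CERT:
+if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+- options.pubkey_accepted_algos, 0) == 1)
++ allowlist, 0) == 1)
+return 1;
+if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+- options.pubkey_accepted_algos, 0) == 1)
++ allowlist, 0) == 1)
+return 1;
+break;
+}
+return 0;
+}
+
++static int
++key_type_allowed_by_config(struct sshkey *key)
++{
++ return key_type_allowed(key, options.pubkey_accepted_algos);
++}
++
+/* obtain a list of keys from the agent */
+static int
+get_agent_identities(struct ssh *ssh, int *agent_fdp,
+--
+2.45.4
+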
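Review bot: In the auth2-pubkeyfile.c hunk of the embedded patch, the strsep loop condition reads `*entry == \0\)`, which is not valid C; the intended test is `*entry == '\0'`, and if the committed .patch file carries the same text the backport fails to build rather than closing the advisory. This is most likely the quote characters being lost in rendering, but it should be confirmed against the file as stored, since a patch that does not apply or compile is silently no protection. The same loop stops at the first empty list element, so a value such as `a,,b` or one with a trailing comma ends matching before later entries; if that is the upstream semantics being backported it deserves a one-line comment like `/* an empty entry ends the list; later entries are not consulted */`. match_principals_option is shown in full, whereas userauth_hostbased, userauth_pubkey and verify_host_key_callback start and end outside their hunks.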
2 changes: 2 additions & 0 deletions SPECS/openssh/openssh.spec
Expand Up @@ -47,6 +47,7 @@ Patch407: CVE-2026-35414.patch
# The tests fail with the following error:
# dlsym(sk_api_version) failed: (...)/sk-dummy.so: undefined symbol: sk_api_version
Patch965: openssh-8.2p1-visibility.patch
Patch966: CVE-2026-35387.patch

BuildRequires: audit-devel
BuildRequires: autoconf
Expand Down Expand Up @@ -108,6 +109,7 @@ The module is most useful for su and sudo service stacks.

%prep
%setup -q -a 3
%patch 966 -p1

pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
%patch -P 300 -p2 -b .psaa-build
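Review bot: The new `%patch 966 -p1` line uses the bare-number form while the neighbouring `%patch -P 300 -p2 -b .psaa-build` uses the `-P` flag; for consistency within the %prep section prefer `%patch -P 966 -p1`. Whether the other CVE patches declared above (for example Patch407) are applied by individual `%patch` lines or by a single %autopatch is outside the visible hunks, so the placement of this line directly after `%setup` should be checked against how those patches are applied.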