Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2026-06-02 19:47:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh"
Tue Jun 2 19:47:02 2026 rev:206 rq:1356620 version:10.3p1
Changes:
--------
+++ only whitespace diff in changes, re-diffing
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2026-05-21 18:27:24.630736707 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.1937/openssh.changes 2026-06-02 19:47:26.661440631 +0200
@@ -1,0 +2,15 @@
+Mon Jun 1 16:53:15 UTC 2026 - Antonio Larrosa <[email protected]>
+
+- Update patch to fix a possible information disclosure or denial
+ of service due to uninitialized variables in gssapi patches
+ (CVE-2026-3497, bsc#1259642) :
+ * openssh-8.0p1-gssapi-keyex.patch
+
+-------------------------------------------------------------------
+Wed May 20 12:47:00 UTC 2026 - Antonio Larrosa <[email protected]>
+
+- Add patch to fix a potential issue when validating mac or ciphers
+ (bsc#1264568):
+ * fix-mac-validation-strsep-logic-bug.patch
+
+-------------------------------------------------------------------
@@ -94,2 +109,2 @@
- multiplexing sessions (i.e. "ssh -O proxy ..."). Reported by
- Michalis Vasileiadis.
+ multiplexing sessions (i.e. "ssh -O proxy ...") (CVE-2026-35388,
+ bsc#1261441). Reported by Michalis Vasileiadis.
New:
----
fix-mac-validation-strsep-logic-bug.patch
----------(New B)----------
New:/work/SRC/openSUSE:Factory/.openssh.new.1937/openssh.changes- (bsc#1264568):
/work/SRC/openSUSE:Factory/.openssh.new.1937/openssh.changes: * fix-mac-validation-strsep-logic-bug.patch
/work/SRC/openSUSE:Factory/.openssh.new.1937/openssh.changes-
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.fn1rpX/_old 2026-06-02 19:47:29.397553959 +0200
+++ /var/tmp/diff_new_pack.fn1rpX/_new 2026-06-02 19:47:29.409554456 +0200
@@ -181,6 +181,8 @@
 Patch107: openssh-send-extra-term-env.patch
 # PATCH-FIX-SUSE openssh-7.7p1-gssapi-new-unique.patch bsc#1258166 [email protected] -- SSSD non-file ccache: krb5 new_unique
 Patch108: openssh-7.7p1-gssapi-new-unique.patch
+# PATCH-FIX-SUSE fix-mac-validation-strsep-logic-bug.patch bsc#1264568 [email protected] -- Fix strsep logic bug in mac validation
+Patch109: fix-mac-validation-strsep-logic-bug.patch
 # 200..300 -- Patches submitted to upstream
 # 1000..2000 -- Conditional patches
 %if %{with crypto_policies}
++++++ fix-mac-validation-strsep-logic-bug.patch ++++++
Index: openssh-10.3p1/mac.c
===================================================================
--- openssh-10.3p1.orig/mac.c
+++ openssh-10.3p1/mac.c
@@ -307,20 +307,24 @@
 mac_valid_internal(const char *names, int (*setup)(struct sshmac *, char *))
 {
 char *maclist, *cp, *p;
+ int found = 0;
 
 if (names == NULL || strcmp(names, "") == 0)
 return 0;
 if ((maclist = cp = strdup(names)) == NULL)
 return 0;
- for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0';
+ for ((p = strsep(&cp, MAC_SEP)); p != NULL;
 (p = strsep(&cp, MAC_SEP))) {
+ if (*p == '\0')
+ continue;
 if (setup(NULL, p) < 0) {
 free(maclist);
 return 0;
- }
+ } else
+ found = 1;
 }
 free(maclist);
- return 1;
+ return found;
 }
 
 int
Index: openssh-10.3p1/cipher.c
===================================================================
--- openssh-10.3p1.orig/cipher.c
+++ openssh-10.3p1/cipher.c
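Review bot: The new `} else found = 1;` in the loop body of mac_valid_internal hangs an `else` off a branch that unconditionally returns, so the `else` is dead weight; a plain `found = 1;` as the statement after the `if` block reads cleaner and matches the surrounding style. The new `if (*p == '\0') continue;` deserves a one-line comment saying why it exists, because the removed loop condition stopped at the first empty entry and silently skipped validation of everything after it, e.g. `/* Skip empty entries ("a,,b"); keep validating the rest. */`. Returning `found` also makes a list that contains only separators invalid where it previously passed, which is a user-visible change worth a regress test: `hmac-sha2-256,,bogus` must now fail on the second name and `,` alone must be rejected. The cipher.c hunk below has the identical shape and the same three comments apply there.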
@@ -225,21 +225,25 @@ ciphers_valid_internal(const char *names
 {
 const struct sshcipher *c;
 char *cipher_list, *cp, *p;
+ int found = 0;
 
 if (names == NULL || strcmp(names, "") == 0)
 return 0;
 if ((cipher_list = cp = strdup(names)) == NULL)
 return 0;
- for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
+ for ((p = strsep(&cp, CIPHER_SEP)); p != NULL;
 (p = strsep(&cp, CIPHER_SEP))) {
+ if (*p == '\0')
+ continue;
 c = by_name(p);
 if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
 free(cipher_list);
 return 0;
- }
+ } else
+ found = 1;
 }
 free(cipher_list);
- return 1;
+ return found;
 }
 
 int
++++++ openssh-8.0p1-gssapi-keyex.patch ++++++
--- /var/tmp/diff_new_pack.fn1rpX/_old 2026-06-02 19:47:29.841572350 +0200
+++ /var/tmp/diff_new_pack.fn1rpX/_new 2026-06-02 19:47:29.857573013 +0200
@@ -1635,11 +1635,11 @@
 + fatal("Failed to read token: %s", ssh_err(r));
 + /* If we're already complete - protocol error */
 + if (maj_status == GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh, "Protocol error: received token when complete");
++ ssh_packet_disconnect(ssh, "Protocol error: received token when complete");
 + } else {
 + /* No token included */
 + if (maj_status != GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
++ ssh_packet_disconnect(ssh, "Protocol error: did not receive final token");
 + }
 + if ((r = sshpkt_get_end(ssh)) != 0) {
 + fatal("Expecting end of packet.");
@@ -1655,7 +1655,7 @@
 + fatal("sshpkt_get failed: %s", ssh_err(r));
 + fatal("GSSAPI Error: \n%.400s", msg);
 + default:
-+ sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d",
++ ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d",
 + type);
 + }
 + token_ptr = &recv_tok;
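Review bot: The two changed lines in the -1635 hunk swap sshpkt_disconnect for ssh_packet_disconnect, which is a control-flow change rather than a rename and is documented nowhere in the patch or the changes entry. The old call's int result was discarded, so on a protocol error execution fell through into the `sshpkt_get_end` call and the token handling below it; ssh_packet_disconnect, as declared in upstream packet.h, does not return, so that fall-through is presumably the real "uninitialized variables" path the changes entry refers to. A one-line note in the patch header, e.g. `# sshpkt_disconnect() returns to the caller; ssh_packet_disconnect() terminates the connection, so nothing after a protocol error may run`, would keep the next rebase from reverting to the returning variant. The same substitution is made in the -1655, -1728, -1932, -1949, -2011, -2215, -2371 and -2411 hunks. The enclosing function starts and ends outside this hunk.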
@@ -1728,7 +1728,7 @@
 +
 + /* Verify that the hash matches the MIC we just got. */
 + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
++ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
 +
 + gss_release_buffer(&min_status, &msg_tok);
 +
@@ -1932,11 +1932,11 @@
 + fatal("sshpkt failed: %s", ssh_err(r));
 + /* If we're already complete - protocol error */
 + if (maj_status == GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh, "Protocol error: received token when complete");
++ ssh_packet_disconnect(ssh, "Protocol error: received token when complete");
 + } else {
 + /* No token included */
 + if (maj_status != GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
++ ssh_packet_disconnect(ssh, "Protocol error: did not receive final token");
 + }
 + break;
 + case SSH2_MSG_KEXGSS_ERROR:
@@ -1949,7 +1949,7 @@
 + fatal("sshpkt failed: %s", ssh_err(r));
 + fatal("GSSAPI Error: \n%.400s", msg);
 + default:
-+ sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d",
++ ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d",
 + type);
 + }
 + token_ptr = &recv_tok;
@@ -2011,7 +2011,7 @@
 +
 + /* Verify that the hash matches the MIC we just got. */
 + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
++ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
 +
 + gss_release_buffer(&min_status, &msg_tok);
 +
@@ -2111,7 +2111,7 @@
 + */
 +
 + OM_uint32 ret_flags = 0;
-+ gss_buffer_desc gssbuf = {0, NULL}, recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
 + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 + Gssctxt *ctxt = NULL;
 + struct sshbuf *shared_secret = NULL;
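Review bot: The rewritten declaration line in the -2111 hunk mixes two spellings of the same initializer, `gssbuf = {0, NULL}` next to `recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER`, and runs well past 80 columns, which the surrounding patch otherwise keeps to. Since the line is being touched anyway, declaring one buffer per line with the macro throughout, `gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER;` / `gss_buffer_desc recv_tok = GSS_C_EMPTY_BUFFER;` / `gss_buffer_desc msg_tok = GSS_C_EMPTY_BUFFER;`, matches the `send_tok` line directly below and the form the -2314 and -3646 hunks already use. A short comment on why the initializers matter, presumably that the release calls on the error paths must see an empty buffer rather than stack garbage, would tie the line to the CVE entry in the changes file. The -2314 hunk has the same over-long single declaration line. The enclosing function starts and ends outside this hunk.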
@@ -2215,7 +2215,7 @@
 + fatal("sshpkt failed: %s", ssh_err(r));
 + break;
 + default:
-+ sshpkt_disconnect(ssh,
++ ssh_packet_disconnect(ssh,
 + "Protocol error: didn't expect packet type %d",
 + type);
 + }
@@ -2314,7 +2314,7 @@
 + */
 +
 + OM_uint32 ret_flags = 0;
-+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
++ gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER, recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
 + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 + Gssctxt *ctxt = NULL;
 + struct sshbuf *shared_secret = NULL;
@@ -2371,7 +2371,7 @@
 + min, nbits, max);
 + kex->dh = mm_choose_dh(min, nbits, max);
 + if (kex->dh == NULL) {
-+ sshpkt_disconnect(ssh, "Protocol error: no matching group found");
++ ssh_packet_disconnect(ssh, "Protocol error: no matching group found");
 + fatal("Protocol error: no matching group found");
 + }
 +
@@ -2411,7 +2411,7 @@
 + fatal("sshpkt failed: %s", ssh_err(r));
 + break;
 + default:
-+ sshpkt_disconnect(ssh,
++ ssh_packet_disconnect(ssh,
 + "Protocol error: didn't expect packet type %d",
 + type);
 + }
@@ -3646,7 +3646,7 @@
 +{
 + struct sshbuf *b = NULL;
 + Authctxt *authctxt = ssh->authctxt;
-+ gss_buffer_desc gssbuf;
++ gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER;
 + gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
 + OM_uint32 ms;
 + int r;
@@ -3979,7 +3979,7 @@
 ===================================================================
 --- openssh-10.3p1.orig/packet.c
 +++ openssh-10.3p1/packet.c
-@@ -1577,6 +1577,29 @@ ssh_packet_read(struct ssh *ssh)
+@@ -1577,6 +1577,28 @@ ssh_packet_read(struct ssh *ssh)
  return type;
  }
  
@@ -3997,10 +3997,9 @@
 + if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
 + return r;
 + if (type != expected_type) {
-+ if ((r = sshpkt_disconnect(ssh,
++ ssh_packet_disconnect(ssh,
 + "Protocol error: expected packet type %d, got %d",
-+ expected_type, type)) != 0)
-+ return r;
++ expected_type, type);
 + return SSH_ERR_PROTOCOL_ERROR;
 + }
 + return 0;
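Review bot: The `fatal("Protocol error: no matching group found");` kept on the line after the new `ssh_packet_disconnect` call in the -2371 hunk can no longer run if ssh_packet_disconnect is noreturn, as upstream packet.h declares it; before this change it was the real exit, because sshpkt_disconnect returned to the caller. Either drop the fatal line or keep it with a comment marking it as a belt-and-braces exit, e.g. `/* not reached: ssh_packet_disconnect() does not return */`, so the next reader does not go looking for a second disconnect path. The `return SSH_ERR_PROTOCOL_ERROR;` left after the same substitution in the -3997 hunk is in the same position, though a return after a noreturn call is a harmless way to keep the function's error contract visible and needs at most the same comment. The enclosing function starts and ends outside this hunk.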
