Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: open...@packages.debian.org
Control: affects -1 + src:openssh
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
The security team marked CVE-2025-32728 (#1102603) as no-dsa, but I'd like to at least get the fix into the next stable point release. The bug is not a regression from any version I know of; it's present back to at least stretch.

[ Impact ]
The DisableForwarding option in sshd_config doesn't do what it says in the documentation in terms of disabling X11 and agent forwarding (both of which are enabled by default in Debian; in the former case this is Debian-specific).

[ Tests ]
There are no particular automated tests, but I've manually tested that "DisableForwarding yes" didn't disable X11 or agent forwarding with the old version and that it now does.

[ Risks ]
The change just adds a single extra option check to two conditions, so I consider it low-risk.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
fix-disable-forwarding.patch adds options.disable_forwarding checks to the agent and X11 forwarding paths. There's a bit of noise due to git deciding to serialize the existing CVE-2023-48795.patch and gssapi.patch, but the actual code there is unchanged.

Thanks,

-- 
Colin Watson (he/him) [cjwat...@debian.org]
diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm --- openssh-9.2p1/debian/.git-dpm 2025-02-14 13:06:46.000000000 +0000 +++ openssh-9.2p1/debian/.git-dpm 2025-04-15 12:07:49.000000000 +0100 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -b430b77904fa045d5753bad32f6c8a582396db57 -b430b77904fa045d5753bad32f6c8a582396db57 +cf9b65754f0e54de11d075fc7317ae90a1ae4389 +cf9b65754f0e54de11d075fc7317ae90a1ae4389 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188 openssh_9.2p1.orig.tar.gz diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog --- openssh-9.2p1/debian/changelog 2025-02-14 13:06:51.000000000 +0000 +++ openssh-9.2p1/debian/changelog 2025-04-15 12:07:53.000000000 +0100 @@ -1,3 +1,11 @@ +openssh (1:9.2p1-2+deb12u6) UNRELEASED; urgency=medium + + * CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was + failing to disable X11 forwarding and agent forwarding as documented + (closes: #1102603). + + -- Colin Watson <cjwat...@debian.org> Tue, 15 Apr 2025 12:07:53 +0100 + openssh (1:9.2p1-2+deb12u5) bookworm-security; urgency=medium * CVE-2025-26465: Fix MitM in verify_host_key_callback. diff -Nru openssh-9.2p1/debian/patches/CVE-2023-48795.patch openssh-9.2p1/debian/patches/CVE-2023-48795.patch --- openssh-9.2p1/debian/patches/CVE-2023-48795.patch 2025-02-14 13:06:46.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-48795.patch 2025-04-15 12:07:49.000000000 +0100 @@ -307,7 +307,7 @@ + if (*typep == 0) { + /* no message ready */ + return 0; -+ } + } + state->keep_alive_timeouts = 0; + DBG(debug("received packet type %d", *typep)); + 
@@ -325,7 +325,7 @@ + ssh_remote_port(ssh), reason, msg); + free(msg); + return SSH_ERR_DISCONNECTED; - } ++ } + + /* + * Do not implicitly handle any messages here during initial diff -Nru openssh-9.2p1/debian/patches/fix-disable-forwarding.patch openssh-9.2p1/debian/patches/fix-disable-forwarding.patch --- openssh-9.2p1/debian/patches/fix-disable-forwarding.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-9.2p1/debian/patches/fix-disable-forwarding.patch 2025-04-15 12:07:49.000000000 +0100 
@@ -0,0 +1,42 @@ +From cf9b65754f0e54de11d075fc7317ae90a1ae4389 Mon Sep 17 00:00:00 2001 +From: "d...@openbsd.org" <d...@openbsd.org> +Date: Wed, 9 Apr 2025 07:00:03 +0000 +Subject: upstream: Fix logic error in DisableForwarding option. This option + +was documented as disabling X11 and agent forwarding but it failed to do so. +Spotted by Tim Rice. + +OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1 + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=fc86875e6acb36401dfc1dfb6b628a9d1460f367 +Bug-Debian: https://bugs.debian.org/1102603 +Last-Update: 2025-04-15 + +Patch-Name: fix-disable-forwarding.patch +--- + session.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/session.c b/session.c +index 492463529..3414ddd49 100644 +--- a/session.c ++++ b/session.c +@@ -2191,7 +2191,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s) + if ((r = sshpkt_get_end(ssh)) != 0) + sshpkt_fatal(ssh, r, "%s: parse packet", __func__); + if (!auth_opts->permit_agent_forwarding_flag || +- !options.allow_agent_forwarding) { ++ !options.allow_agent_forwarding || ++ options.disable_forwarding) { + debug_f("agent forwarding disabled"); + return 0; + } +@@ -2579,7 +2580,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s) + ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options."); + return 0; + } +- if (!options.x11_forwarding) { ++ if (!options.x11_forwarding || options.disable_forwarding) { + debug("X11 forwarding disabled in server configuration file."); + return 0; + } diff -Nru openssh-9.2p1/debian/patches/gssapi.patch openssh-9.2p1/debian/patches/gssapi.patch --- openssh-9.2p1/debian/patches/gssapi.patch 2025-02-14 13:06:46.000000000 +0000 +++ openssh-9.2p1/debian/patches/gssapi.patch 2025-04-15 12:07:49.000000000 +0100 
@@ -36,7 +36,7 @@ configure.ac | 24 ++ gss-genr.c | 297 +++++++++++++++++++++++- gss-serv-krb5.c | 87 ++++++- - gss-serv.c | 205 +++++++++++++++-- + gss-serv.c | 207 +++++++++++++++-- kex.c | 66 +++++- kex.h | 29 +++ kexdh.c | 10 + @@ -64,7 +64,7 @@ sshd_config.5 | 30 +++ sshkey.c | 8 +- sshkey.h | 1 + - 39 files changed, 2769 insertions(+), 165 deletions(-) + 39 files changed, 2770 insertions(+), 166 deletions(-) create mode 100644 kexgssc.c create mode 100644 kexgsss.c create mode 100644 ssh-null.c @@ -1144,7 +1144,8 @@ + int equal = 0; + gss_name_t new_name = GSS_C_NO_NAME; + gss_buffer_desc ename = GSS_C_EMPTY_BUFFER; -+ + +- gss_buffer_desc ename; + if (options.gss_store_rekey && client->used && ctx->client_creds) { + if (client->mech->oid.length != ctx->oid->length || + (memcmp(client->mech->oid.elements, @@ -1159,8 +1160,7 @@ + ssh_gssapi_error(ctx); + return (ctx->major); + } - -- gss_buffer_desc ename; ++ + ctx->major = gss_compare_name(&ctx->minor, client->name, + new_name, &equal); + @@ -1270,6 +1270,9 @@ -/* Privileged */ -OM_uint32 -ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +-{ +- ctx->major = gss_verify_mic(&ctx->minor, ctx->context, +- gssbuf, gssmic, NULL); +/* These bits are only used for rekeying. The unpriviledged child is running + * as the user, the monitor is root. + * 
@@ -1277,20 +1280,18 @@ + * *) Ask the monitor to store our credentials into the store we specify + * *) If it succeeds, maybe do a PAM update + */ -+ + +- return (ctx->major); +/* Stuff for PAM */ + +#ifdef USE_PAM +static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg, + struct pam_response **resp, void *data) - { -- ctx->major = gss_verify_mic(&ctx->minor, ctx->context, -- gssbuf, gssmic, NULL); ++{ + return (PAM_CONV_ERR); +} +#endif - -- return (ctx->major); ++ +void +ssh_gssapi_rekey_creds(void) { + int ok; diff -Nru openssh-9.2p1/debian/patches/series openssh-9.2p1/debian/patches/series --- openssh-9.2p1/debian/patches/series 2025-02-14 13:06:46.000000000 +0000 +++ openssh-9.2p1/debian/patches/series 2025-04-15 12:07:49.000000000 +0100 @@ -37,3 +37,4 @@ sntrup761x25519-sha512.patch CVE-2025-26465.patch incorrect-return-values.patch +fix-disable-forwarding.patch
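Review bot: the debian/changelog hunk still targets `UNRELEASED` (`openssh (1:9.2p1-2+deb12u6) UNRELEASED; urgency=medium`); for the point-release upload the distribution needs to be `bookworm`, so please change that line before uploading, otherwise the archive will not accept the upload.

Review bot: in the header of fix-disable-forwarding.patch the `From cf9b65754f0e54de11d075fc7317ae90a1ae4389` id is the Debian packaging commit (it matches the new head written to debian/.git-dpm in the first hunk), not the upstream change; anyone cross-checking the fix against upstream should use the `Origin:` URL with id fc86875e6acb36401dfc1dfb6b628a9d1460f367 or the OpenBSD-Commit-ID, so it may be worth a sentence in the changelog or the patch header saying the upstream commit is the Origin one.

Review bot: in the session_auth_agent_req() hunk of session.c the new `options.disable_forwarding` test is folded into the existing condition, so all three causes (per-key option, `AllowAgentForwarding no`, `DisableForwarding yes`) now log the same `debug_f("agent forwarding disabled")`; an administrator reading sshd's debug output cannot tell which directive denied the request. A separate branch with its own message (e.g. `debug_f("agent forwarding disabled by DisableForwarding")`) would make that diagnosable, although staying byte-identical to upstream is a reasonable choice for a stable update; the logic itself is correct and the `||` keeps the existing behaviour when `disable_forwarding` is unset.

Review bot: the churn in CVE-2023-48795.patch and gssapi.patch really is serialization noise and hides no code change: the two CVE-2023-48795.patch hunks only swap which `}` line is attributed to `+` versus context, and the gssapi.patch hunks only move the `gss_buffer_desc ename;` removal and a few blank lines between positions, which is exactly what the diffstat deltas show (gss-serv.c 205 to 207, 2769 to 2770 insertions, 165 to 166 deletions). Nothing to change here, though a short "refresh patches" line in the changelog would explain the diff to whoever reads it later.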