
Bug#1102603: openssh: CVE-2025-32728



On Thu, Apr 10, 2025 at 10:20:44PM +0200, Salvatore Bonaccorso wrote:
The following vulnerability was published for openssh.

CVE-2025-32728[0]:
| In sshd in OpenSSH before 10.0, the DisableForwarding directive does
| not adhere to the documentation stating that it disables X11 and
| agent forwarding.

I'd like to upload the attached changes to bookworm-security, as well as to bullseye-security for LTS (after the usual changelog finalization). Do these debdiffs look good to you? There's a bit of noise due to git deciding to serialize some patches slightly differently, but the added patch is the only effective change in both cases.

Thanks,

--
Colin Watson (he/him)                              [cjwatson@debian.org]
diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
--- openssh-9.2p1/debian/.git-dpm	2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/.git-dpm	2025-04-15 12:07:49.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-b430b77904fa045d5753bad32f6c8a582396db57
-b430b77904fa045d5753bad32f6c8a582396db57
+cf9b65754f0e54de11d075fc7317ae90a1ae4389
+cf9b65754f0e54de11d075fc7317ae90a1ae4389
 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
 openssh_9.2p1.orig.tar.gz
diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
--- openssh-9.2p1/debian/changelog	2025-02-14 13:06:51.000000000 +0000
+++ openssh-9.2p1/debian/changelog	2025-04-15 12:07:53.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:9.2p1-2+deb12u6) UNRELEASED; urgency=medium
+
+  * CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was
+    failing to disable X11 forwarding and agent forwarding as documented
+    (closes: #1102603).
+
+ -- Colin Watson <cjwatson@debian.org>  Tue, 15 Apr 2025 12:07:53 +0100
+
 openssh (1:9.2p1-2+deb12u5) bookworm-security; urgency=medium
 
   * CVE-2025-26465: Fix MitM in verify_host_key_callback.
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-48795.patch openssh-9.2p1/debian/patches/CVE-2023-48795.patch
--- openssh-9.2p1/debian/patches/CVE-2023-48795.patch	2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-48795.patch	2025-04-15 12:07:49.000000000 +0100
@@ -307,7 +307,7 @@
 +		if (*typep == 0) {
 +			/* no message ready */
 +			return 0;
-+		}
+ 		}
 +		state->keep_alive_timeouts = 0;
 +		DBG(debug("received packet type %d", *typep));
 +
@@ -325,7 +325,7 @@
 +			    ssh_remote_port(ssh), reason, msg);
 +			free(msg);
 +			return SSH_ERR_DISCONNECTED;
- 		}
++		}
 +
 +		/*
 +		 * Do not implicitly handle any messages here during initial
diff -Nru openssh-9.2p1/debian/patches/fix-disable-forwarding.patch openssh-9.2p1/debian/patches/fix-disable-forwarding.patch
--- openssh-9.2p1/debian/patches/fix-disable-forwarding.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-9.2p1/debian/patches/fix-disable-forwarding.patch	2025-04-15 12:07:49.000000000 +0100
@@ -0,0 +1,42 @@
+From cf9b65754f0e54de11d075fc7317ae90a1ae4389 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: upstream: Fix logic error in DisableForwarding option. This option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=fc86875e6acb36401dfc1dfb6b628a9d1460f367
+Bug-Debian: https://bugs.debian.org/1102603
+Last-Update: 2025-04-15
+
+Patch-Name: fix-disable-forwarding.patch
+---
+ session.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/session.c b/session.c
+index 492463529..3414ddd49 100644
+--- a/session.c
++++ b/session.c
+@@ -2191,7 +2191,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2579,7 +2580,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
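Review bot: The new `options.disable_forwarding` checks in session_auth_agent_req and session_setup_x11fwd arrive without a regression test, so nothing in this upload demonstrates that `DisableForwarding yes` now rejects the `auth-agent-req@openssh.com` and `x11-req` channel requests that the original sshd let through; a short regress case that starts sshd with `DisableForwarding yes` and asserts that a client asking for agent and X11 forwarding gets neither would pin the fix in both suites. The rejection is reported only at debug level (`debug_f("agent forwarding disabled")` and `debug("X11 forwarding disabled in server configuration file.")`), which matches upstream but means an operator auditing why a session lost forwarding needs LogLevel DEBUG to see the reason — worth a sentence in the changelog entry. The patch header carries three different ids: the `From` line's cf9b65754f0e… is the local git-dpm commit while the Origin URL's fc86875e6acb… is the upstream portable commit, so the Origin line should be treated as the authoritative reference when cross-checking the backport. Both enclosing functions start and end outside this hunk. The bullseye copy of this patch (the hunk ending with the second fix-disable-forwarding.patch section) is the same change apart from the `debug("%s: ...", __func__)` form and line offsets, so the same points apply there.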
diff -Nru openssh-9.2p1/debian/patches/gssapi.patch openssh-9.2p1/debian/patches/gssapi.patch
--- openssh-9.2p1/debian/patches/gssapi.patch	2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/patches/gssapi.patch	2025-04-15 12:07:49.000000000 +0100
@@ -36,7 +36,7 @@
  configure.ac    |  24 ++
  gss-genr.c      | 297 +++++++++++++++++++++++-
  gss-serv-krb5.c |  87 ++++++-
- gss-serv.c      | 205 +++++++++++++++--
+ gss-serv.c      | 207 +++++++++++++++--
  kex.c           |  66 +++++-
  kex.h           |  29 +++
  kexdh.c         |  10 +
@@ -64,7 +64,7 @@
  sshd_config.5   |  30 +++
  sshkey.c        |   8 +-
  sshkey.h        |   1 +
- 39 files changed, 2769 insertions(+), 165 deletions(-)
+ 39 files changed, 2770 insertions(+), 166 deletions(-)
  create mode 100644 kexgssc.c
  create mode 100644 kexgsss.c
  create mode 100644 ssh-null.c
@@ -1144,7 +1144,8 @@
 +	int equal = 0;
 +	gss_name_t new_name = GSS_C_NO_NAME;
 +	gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
-+
+ 
+-	gss_buffer_desc ename;
 +	if (options.gss_store_rekey && client->used && ctx->client_creds) {
 +		if (client->mech->oid.length != ctx->oid->length ||
 +		    (memcmp(client->mech->oid.elements,
@@ -1159,8 +1160,7 @@
 +			ssh_gssapi_error(ctx);
 +			return (ctx->major);
 +		}
- 
--	gss_buffer_desc ename;
++
 +		ctx->major = gss_compare_name(&ctx->minor, client->name,
 +		    new_name, &equal);
 +
@@ -1270,6 +1270,9 @@
 -/* Privileged */
 -OM_uint32
 -ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+-{
+-	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+-	    gssbuf, gssmic, NULL);
 +/* These bits are only used for rekeying. The unpriviledged child is running
 + * as the user, the monitor is root.
 + *
@@ -1277,20 +1280,18 @@
 + *    *) Ask the monitor to store our credentials into the store we specify
 + *    *) If it succeeds, maybe do a PAM update
 + */
-+
+ 
+-	return (ctx->major);
 +/* Stuff for PAM */
 +
 +#ifdef USE_PAM
 +static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg,
 +    struct pam_response **resp, void *data)
- {
--	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
--	    gssbuf, gssmic, NULL);
++{
 +	return (PAM_CONV_ERR);
 +}
 +#endif
- 
--	return (ctx->major);
++
 +void
 +ssh_gssapi_rekey_creds(void) {
 +	int ok;
diff -Nru openssh-9.2p1/debian/patches/series openssh-9.2p1/debian/patches/series
--- openssh-9.2p1/debian/patches/series	2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/patches/series	2025-04-15 12:07:49.000000000 +0100
@@ -37,3 +37,4 @@
 sntrup761x25519-sha512.patch
 CVE-2025-26465.patch
 incorrect-return-values.patch
+fix-disable-forwarding.patch
diff -Nru openssh-8.4p1/debian/.git-dpm openssh-8.4p1/debian/.git-dpm
--- openssh-8.4p1/debian/.git-dpm	2025-02-18 10:15:55.000000000 +0000
+++ openssh-8.4p1/debian/.git-dpm	2025-04-15 12:17:59.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-df652eae9e552fa9c21c95f5f9f8b7b493d8d205
-df652eae9e552fa9c21c95f5f9f8b7b493d8d205
+9440ae44efe9c6748785741279856e80ceaa824b
+9440ae44efe9c6748785741279856e80ceaa824b
 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
 openssh_8.4p1.orig.tar.gz
diff -Nru openssh-8.4p1/debian/changelog openssh-8.4p1/debian/changelog
--- openssh-8.4p1/debian/changelog	2025-02-18 10:15:55.000000000 +0000
+++ openssh-8.4p1/debian/changelog	2025-04-15 12:18:10.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:8.4p1-5+deb11u5) UNRELEASED; urgency=medium
+
+  * CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was
+    failing to disable X11 forwarding and agent forwarding as documented
+    (closes: #1102603).
+
+ -- Colin Watson <cjwatson@debian.org>  Tue, 15 Apr 2025 12:18:10 +0100
+
 openssh (1:8.4p1-5+deb11u4) bullseye-security; urgency=medium
 
   * CVE-2025-26465: Fix MitM in verify_host_key_callback.
diff -Nru openssh-8.4p1/debian/patches/CVE-2023-48795.patch openssh-8.4p1/debian/patches/CVE-2023-48795.patch
--- openssh-8.4p1/debian/patches/CVE-2023-48795.patch	2025-02-18 10:15:55.000000000 +0000
+++ openssh-8.4p1/debian/patches/CVE-2023-48795.patch	2025-04-15 12:17:59.000000000 +0100
@@ -300,7 +300,7 @@
 +		if (*typep == 0) {
 +			/* no message ready */
 +			return 0;
-+		}
+ 		}
 +		state->keep_alive_timeouts = 0;
 +		DBG(debug("received packet type %d", *typep));
 +
@@ -318,7 +318,7 @@
 +			    ssh_remote_port(ssh), reason, msg);
 +			free(msg);
 +			return SSH_ERR_DISCONNECTED;
- 		}
++		}
 +
 +		/*
 +		 * Do not implicitly handle any messages here during initial
diff -Nru openssh-8.4p1/debian/patches/fix-disable-forwarding.patch openssh-8.4p1/debian/patches/fix-disable-forwarding.patch
--- openssh-8.4p1/debian/patches/fix-disable-forwarding.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-8.4p1/debian/patches/fix-disable-forwarding.patch	2025-04-15 12:17:59.000000000 +0100
@@ -0,0 +1,42 @@
+From 9440ae44efe9c6748785741279856e80ceaa824b Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: upstream: Fix logic error in DisableForwarding option. This option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=fc86875e6acb36401dfc1dfb6b628a9d1460f367
+Bug-Debian: https://bugs.debian.org/1102603
+Last-Update: 2025-04-15
+
+Patch-Name: fix-disable-forwarding.patch
+---
+ session.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/session.c b/session.c
+index b1796a803..b060d3665 100644
+--- a/session.c
++++ b/session.c
+@@ -2196,7 +2196,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+ 		debug("%s: agent forwarding disabled", __func__);
+ 		return 0;
+ 	}
+@@ -2584,7 +2585,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
diff -Nru openssh-8.4p1/debian/patches/gssapi.patch openssh-8.4p1/debian/patches/gssapi.patch
--- openssh-8.4p1/debian/patches/gssapi.patch	2025-02-18 10:15:55.000000000 +0000
+++ openssh-8.4p1/debian/patches/gssapi.patch	2025-04-15 12:17:59.000000000 +0100
@@ -36,7 +36,7 @@
  configure.ac    |  24 ++
  gss-genr.c      | 300 +++++++++++++++++++++++-
  gss-serv-krb5.c |  85 ++++++-
- gss-serv.c      | 186 +++++++++++++--
+ gss-serv.c      | 188 +++++++++++++--
  kex.c           |  66 +++++-
  kex.h           |  29 +++
  kexdh.c         |  10 +
@@ -63,7 +63,7 @@
  sshd_config.5   |  30 +++
  sshkey.c        |   3 +-
  sshkey.h        |   1 +
- 38 files changed, 2640 insertions(+), 160 deletions(-)
+ 38 files changed, 2641 insertions(+), 161 deletions(-)
  create mode 100644 kexgssc.c
  create mode 100644 kexgsss.c
 
@@ -1139,7 +1139,8 @@
 +	int equal = 0;
 +	gss_name_t new_name = GSS_C_NO_NAME;
 +	gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
-+
+ 
+-	gss_buffer_desc ename;
 +	if (options.gss_store_rekey && client->used && ctx->client_creds) {
 +		if (client->mech->oid.length != ctx->oid->length ||
 +		    (memcmp(client->mech->oid.elements,
@@ -1167,8 +1168,7 @@
 +			debug("Rekeyed credentials have different name");
 +			return GSS_S_COMPLETE;
 +		}
- 
--	gss_buffer_desc ename;
++
 +		debug("Marking rekeyed credentials for export");
 +
 +		gss_release_name(&ctx->minor, &client->name);
@@ -1239,6 +1239,9 @@
 -/* Privileged */
 -OM_uint32
 -ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+-{
+-	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+-	    gssbuf, gssmic, NULL);
 +/* These bits are only used for rekeying. The unpriviledged child is running
 + * as the user, the monitor is root.
 + *
@@ -1246,20 +1249,18 @@
 + *    *) Ask the monitor to store our credentials into the store we specify
 + *    *) If it succeeds, maybe do a PAM update
 + */
-+
+ 
+-	return (ctx->major);
 +/* Stuff for PAM */
 +
 +#ifdef USE_PAM
 +static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg,
 +    struct pam_response **resp, void *data)
- {
--	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
--	    gssbuf, gssmic, NULL);
++{
 +	return (PAM_CONV_ERR);
 +}
 +#endif
- 
--	return (ctx->major);
++
 +void
 +ssh_gssapi_rekey_creds(void) {
 +	int ok;
diff -Nru openssh-8.4p1/debian/patches/series openssh-8.4p1/debian/patches/series
--- openssh-8.4p1/debian/patches/series	2025-02-18 10:15:55.000000000 +0000
+++ openssh-8.4p1/debian/patches/series	2025-04-15 12:17:59.000000000 +0100
@@ -35,3 +35,4 @@
 CVE-2023-51385.patch
 CVE-2025-26465.patch
 incorrect-return-values.patch
+fix-disable-forwarding.patch
