Bug#1117529: openssh: CVE-2025-61984
On Tue, Oct 07, 2025 at 09:50:28AM +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for openssh.
>
> CVE-2025-61984[0]:
> | ssh in OpenSSH before 10.1 allows control characters in usernames
> | that originate from certain possibly untrusted sources, potentially
> | leading to code execution when a ProxyCommand is used. The untrusted
> | sources are the command line and %-sequence expansion of a
> | configuration file. (A configuration file that provides a complete
> | literal username is not categorized as an untrusted source.)

For bookworm, note that only a small portion of this vulnerability
applies. %-expansion of usernames was introduced in
https://anongit.mindrot.org/openssh.git/commit/?id=bd30cf784d6e825ef71592fb723c41d4f2fd407b
(OpenSSH 10.0) and so is not present in bookworm or earlier. As a
result, most of the patch is inapplicable because its purpose is mainly
to call valid_ruser after %-expansion when needed.
However, the addition of an iscntrl check to valid_ruser still applies.
On bookworm (using bash's escape-sequence syntax):

  $ ssh $'\n'@localhost
  @localhost's password:

On forky:

  $ ssh $'\n'@localhost
  remote username contains invalid characters

I'll reduce the patch accordingly when backporting this to bookworm.
--
Colin Watson (he/him) [cjwatson@debian.org]
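
Added example, not part of the original message and not OpenSSH's own code: a sketch of the kind of check discussed above, rejecting a remote username that contains control characters before it is used any further. The function name `username_ok`, the rejection of empty names and of a leading `-`, and the metacharacter deny-list are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (NOT OpenSSH's valid_ruser): returns 1 if the
 * remote username is acceptable, 0 otherwise.
 */
int username_ok(const char *s)
{
    size_t i;

    if (s == NULL || s[0] == '\0')
        return 0;               /* assumption: empty names are refused */
    if (s[0] == '-')
        return 0;               /* assumption: could be read as an option */
    for (i = 0; s[i] != '\0'; i++) {
        /* Cast first: passing a negative char to iscntrl() is undefined. */
        if (iscntrl((unsigned char)s[i]))
            return 0;           /* newline, CR, ESC, DEL, ... */
        /* Assumed deny-list of shell metacharacters for this sketch. */
        if (strchr("'`\";&<>|(){}$\\", s[i]) != NULL)
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s USERNAME\n", argv[0]);
        return 2;
    }
    if (!username_ok(argv[1])) {
        fprintf(stderr, "remote username contains invalid characters\n");
        return 1;
    }
    return 0;
}
```

In the default "C" locale, bytes 0x00-0x1f and 0x7f count as control characters, so UTF-8 multi-byte names still pass the iscntrl test.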