Hello Adarsh

This patch seems strange for various reasons

The only thing it does is move the check for valid_hostname; it does not
include the original fix (check for valid_ruser)

This is also strange since this particular fix seems to already be
included (in a slightly different form) in CVE-2025-61984.patch

(also your patch name includes a -1 in its name)

Please check what is going on here... if the above patch fixes two CVEs,
please add the second CVE line to the correct patch and rename it to
CVE-2025-61984_CVE-2026-35386.patch

Thanks a lot
Jeremy

On Fri May 22, 2026 at 2:29 PM CEST, Adarsh Jagadish Kamini via lists.openembedded.org wrote:
> From: Adarsh Jagadish Kamini <[email protected]>
>
> Backport patch to fix CVE-2026-35386.
> https://nvd.nist.gov/vuln/detail/CVE-2026-35386
>
> Upstream fix:
>   
> https://github.com/openssh/openssh-portable/commit/76685c9b09a66435cd2ad8373246adf1c53976d3
>
> Tested with openssh ptest suite via do_testimage on core-image-minimal.
>
> Signed-off-by: Adarsh Jagadish Kamini <[email protected]>
> ---
>  .../openssh/openssh/CVE-2026-35386-1.patch    | 65 +++++++++++++++++++
>  .../openssh/openssh_9.6p1.bb                  |  1 +
>  2 files changed, 66 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2026-35386-1.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35386-1.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35386-1.patch
> new file mode 100644
> index 0000000000..a4b81bf407
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35386-1.patch
> @@ -0,0 +1,65 @@
> +From 96968048d6bb9a3183882b7af0630895bd4e7059 Mon Sep 17 00:00:00 2001
> +From: "[email protected]" <[email protected]>
> +Date: Thu, 2 Apr 2026 07:50:55 +0000
> +Subject: [PATCH] upstream: move username validity check for usernames
> + specified on
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +the commandline to earlier in main(), specifically before some contexts where
> +a username with shell characters might be expanded by a %u directive in
> +ssh_config.
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +We continue to recommend against using untrusted input on
> +the SSH commandline. Mitigations like this are not 100%
> +guarantees of safety because we can't control every
> +combination of user shell and configuration where they are
> +used.
> +
> +Reported by Florian Kohnhäuser
> +
> +OpenBSD-Commit-ID: 25ef72223f5ccf1c38d307ae77c23c03f59acc55
> +
> +Backport notes: The upstream commit uses renamed functions
> +(ssh_valid_hostname, ssh_valid_ruser) that don't exist in 9.6p1.
> +Adapted to use the existing function names (valid_hostname, valid_ruser).
> +
> +CVE: CVE-2026-35386
> +Upstream-Status: Backport 
> [https://github.com/openssh/openssh-portable/commit/76685c9b09a66435cd2ad8373246adf1c53976d3]
> +
> +Signed-off-by: Adarsh Jagadish Kamini <[email protected]>
> +---
> + ssh.c | 10 +++++++---
> + 1 file changed, 7 insertions(+), 3 deletions(-)
> +
> +diff --git a/ssh.c b/ssh.c
> +index 9c49f98a8..951da74fa 100644
> +--- a/ssh.c
> ++++ b/ssh.c
> +@@ -1,4 +1,4 @@
> +-/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */
> ++/* $OpenBSD: ssh.c,v 1.630 2026/04/02 07:50:55 djm Exp $ */
> + /*
> +  * Author: Tatu Ylonen <[email protected]>
> +  * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
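Review bot: the `$OpenBSD: ssh.c,v 1.630 2026/04/02` id change in this hunk overstates what the backport brings in: a single upstream commit is being applied on top of a 9.6p1 tree whose ssh.c still carries the 1.599 id, so advancing it to 1.630 implies the intervening revisions are present when they are not. Consider dropping this hunk from the backport and leaving the 1.599 line untouched; that also avoids needless conflicts with the other CVE patches in the recipe that touch ssh.c.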
> +@@ -1160,10 +1160,14 @@ main(int ac, char **av)
> +     if (!host)
> +             usage();
> + 
> +-    if (!valid_hostname(host))
> +-            fatal("hostname contains invalid characters");
> ++    /*
> ++     * Validate commandline-specified values that end up in %tokens
> ++     * before they are used in config parsing.
> ++     */
> +     if (options.user != NULL && !valid_ruser(options.user))
> +             fatal("remote username contains invalid characters");
> ++    if (!valid_hostname(host))
> ++            fatal("hostname contains invalid characters");
> +     options.host_arg = xstrdup(host);
> + 
> +     /* Initialize the command to execute on remote host. */
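Review bot: the main() hunk does not implement what the Subject and body describe. The message says the username check is moved to earlier in main(), before the contexts where a %u token can be expanded from ssh_config, yet `if (options.user != NULL && !valid_ruser(options.user))` appears only as unchanged context at line 1160 and the sole change is that `if (!valid_hostname(host))` is moved below it; nothing is validated any earlier than before. Check where upstream 76685c9b places the username check relative to the config-reading code and carry that relocation across, using the 9.6p1 function names given in the backport notes. Separately, the patch header repeats the MIME-Version/Content-Type/Content-Transfer-Encoding block twice (once after the Subject and again after the first body paragraph), and the Subject's tail "the commandline to earlier in main()..." has dropped into the body; regenerating the patch with git format-patch from a clean commit message would fix both.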
> diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> index 1cdd888ccb..98176a971b 100644
> --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> @@ -34,6 +34,7 @@ SRC_URI = 
> "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
>             file://CVE-2025-32728.patch \
>             file://CVE-2025-61985.patch \
>             file://CVE-2025-61984.patch \
> +                file://CVE-2026-35386-1.patch \
>             "
>  SRC_URI[sha256sum] = 
> "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
>  
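Review bot: the added `file://CVE-2026-35386-1.patch` line is indented more deeply than the neighbouring `file://CVE-2025-61984.patch` entry directly above it; align it with the other file:// lines. The `-1` suffix also suggests a multi-patch series, but the diffstat creates only this one file; unless a second patch follows, name it CVE-2026-35386.patch and update SRC_URI to match.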
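The quoted commit message turns on one ordering rule: a username or hostname taken from the command line must be checked for shell-unsafe characters before it is substituted into a %u or %h token that can end up in a ProxyCommand string. The C program below is an added example written for this thread, not OpenSSH's code and not a copy of its valid_ruser/valid_hostname; the character rules it enforces and the expand_tokens helper are assumptions chosen to illustrate the point, and the inputs are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not OpenSSH's code): shows why a command-line username or
 * hostname is validated before it is expanded into an ssh_config %u / %h
 * token that may later be handed to a shell by ProxyCommand.
 */

/* Hypothetical rule: alphanumerics, '_', '-', '.', '@' only, and no leading
 * '-' (a leading dash could be parsed as an option by the receiving command). */
int ruser_is_valid(const char *user)
{
    if (user == NULL || *user == '\0' || *user == '-')
        return 0;
    for (const char *p = user; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return 0;
    }
    return 1;
}

/* Hypothetical hostname rule: letters, digits, '-', '.' only; no leading '-'. */
int hostname_is_valid(const char *host)
{
    if (host == NULL || *host == '\0' || *host == '-')
        return 0;
    for (const char *p = host; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/*
 * Expand %u and %h in tmpl into out. Validation runs before any expansion,
 * which is the ordering the quoted commit message asks for.
 * Returns 0 on success, -1 if user/host fail validation, -2 if out is too small.
 */
int expand_tokens(const char *tmpl, const char *user, const char *host,
                  char *out, size_t outlen)
{
    if (!ruser_is_valid(user) || !hostname_is_valid(host))
        return -1;

    size_t n = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *rep = NULL;
        if (*p == '%' && p[1] == 'u') { rep = user; p++; }
        else if (*p == '%' && p[1] == 'h') { rep = host; p++; }

        if (rep != NULL) {
            size_t len = strlen(rep);
            if (n + len >= outlen)      /* leave room for the terminating NUL */
                return -2;
            memcpy(out + n, rep, len);
            n += len;
        } else {
            if (n + 1 >= outlen)
                return -2;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char cmd[128];
    /* Constructed ProxyCommand-style template and sample usernames. */
    const char *tmpl = "nc %h 22 -- %u";
    const char *users[] = { "alice", "alice;id", "-oProxyCommand=x" };

    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        int rc = expand_tokens(tmpl, users[i], "host.example", cmd, sizeof cmd);
        if (rc == 0)
            printf("%-20s -> %s\n", users[i], cmd);
        else
            printf("%-20s -> rejected (rc=%d)\n", users[i], rc);
    }
    return 0;
}
```

The point of the example is the order of operations in expand_tokens: the input is rejected before any token is substituted, so a value that would only become dangerous once it lands in a command string never gets there. The commit message's own caveat still applies: a check like this narrows the problem but cannot account for every shell and configuration combination, so it is a mitigation, not a guarantee.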
