
Fix CVE-2026-3497 #244

Open

fscheiner wants to merge 1 commit into gridcf:master from fscheiner:include-fix-for-cve-2026-3497

Conversation

@fscheiner (Member):

Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex

Based on https://src.fedoraproject.org/rpms/openssh/c/f595270c4ac496ad743336e80a4f3cc11a144efb?branch=rawhide by Zoltan Fridrich zfridric@redhat.com

fscheiner (Member, Author) commented Apr 12, 2026:

Untested so far. Also still unclear if the GSI functionality is affected.

if (kex->dh == NULL) {
sshpkt_disconnect(ssh, "Protocol error: no matching group found");
fatal("Protocol error: no matching group found");
ssh_packet_disconnect(ssh, "Protocol error: no matching group found");
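Review bot: replacing the sshpkt_disconnect()/fatal() pair with a single ssh_packet_disconnect() call is only correct because ssh_packet_disconnect() does not return; the previous sshpkt_disconnect() returns to the caller after queuing the disconnect message, which is why it needed the trailing fatal(). A one-line comment above the new call (e.g. `/* ssh_packet_disconnect() does not return */`) would make that intent visible, so that a future edit neither re-adds the fatal() nor lets execution fall through with kex->dh == NULL.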
fscheiner (Member, Author):

@msalle : Here I wonder if that is enough, as the original code did end - I guess the key exchange - with fatal() at this point. But the change by Red Hat has it that way.

msalle (Member):

I'd stick to what RH is doing, although it might look a bit odd.
However, from https://github.com/openssh/openssh-portable/blob/master/packet.c#L2121 and further it is clear that ssh_packet_disconnect() never returns, and so there should indeed be no reason for a subsequent fatal().

@fscheiner fscheiner requested review from ellert and msalle April 12, 2026 21:38
msalle (Member) left a comment:

I haven't tested it, but I'd say if it builds OK and you have also tested at run time that it works, and given that it's mostly (if not all) the fixes from RH in any case, I'd say it looks fine to me.

