From 54b87913791e83a8e2fff9bb4b6c0755b8515c41 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Apr 14 2023 11:22:13 +0000
Subject: Avoid possible self-DoS attack


Resolves: CVE-2023-25136

---

diff --git a/openssh-8.7p1-CVE-2023-25136.patch b/openssh-8.7p1-CVE-2023-25136.patch
new file mode 100644
index 0000000..ca661ee
--- /dev/null
+++ b/openssh-8.7p1-CVE-2023-25136.patch
@@ -0,0 +1,38 @@
+diff --git a/compat.c b/compat.c
+index 46dfe3a9c2e..478a9403eea 100644
+--- a/compat.c
++++ b/compat.c
+@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
+ char *
+ compat_kex_proposal(struct ssh *ssh, char *p)
+ {
+-	char *cp = NULL;
++	char *cp = NULL, *cp2 = NULL;
+ 
+ 	if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
+ 		return xstrdup(p);
+ 	debug2_f("original KEX proposal: %s", p);
+ 	if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+-		if ((p = match_filter_denylist(p,
++		if ((cp = match_filter_denylist(p,
+ 		    "curve25519-sha256@libssh.org")) == NULL)
+ 			fatal("match_filter_denylist failed");
+ 	if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+-		cp = p;
+-		if ((p = match_filter_denylist(p,
++		if ((cp2 = match_filter_denylist(cp ? cp : p,
+ 		    "diffie-hellman-group-exchange-sha256,"
+ 		    "diffie-hellman-group-exchange-sha1")) == NULL)
+ 			fatal("match_filter_denylist failed");
+ 		free(cp);
++		cp = cp2;
+ 	}
+-	debug2_f("compat KEX proposal: %s", p);
+-	if (*p == '\0')
++	if (cp == NULL || *cp == '\0')
+ 		fatal("No supported key exchange algorithms found");
+-	return p;
++	debug2_f("compat KEX proposal: %s", cp);
++	return cp;
+ }
+ 
diff --git a/openssh.spec b/openssh.spec
index 1675a80..401565c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.8p1
-%global openssh_rel 9
+%global openssh_rel 10
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 6
 
@@ -253,6 +253,8 @@ Patch1005: openssh-8.7p1-host-based-auth.patch
 # upstream MR:
 # https://github.com/openssh/openssh-portable/pull/323
 Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
+# CVE-2023-25136
+Patch1007: openssh-8.7p1-CVE-2023-25136.patch
 
 # downstream only
 # we skip some ssh-rsa/ssh-dss tests to make native test suite pass
@@ -460,6 +462,7 @@ popd
 %patch1004 -p1 -b .gssapi-auth
 %patch1005 -p1 -b .host-based-auth
 %patch1006 -p1 -b .negotiate-supported-algs
+%patch1007 -p1 -b .cve-2023-25136
 
 %patch1100 -p1 -b .skipsshrsadsstests
 
@@ -751,7 +754,11 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
-* Mon Mar 13 2023 Zoltan Fridrich <zfridric@redhat.com> - 9.0p1-9
+* Fri Apr 14 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.8p1-10
+- Avoid possible self-DoS attack
+  Resolves: CVE-2023-25136
+
+* Mon Mar 13 2023 Zoltan Fridrich <zfridric@redhat.com> - 8.8p1-9
 - Add sk-dummy subpackage for test purposes (rhbz#2176795)
 
 * Mon Oct 24 2022 Norbert Pocs <npocs@redhat.com> - 8.8p1-8