File 0018-CVE-2025-58181-fix-vendor-crypto-ssh-3.patch of Package docker-stable

From df8c92d0412c56f802e46c847cbcecf5b12e37e3 Mon Sep 17 00:00:00 2001
From: Valentin LEFEBVRE <valentin.lefebvre@suse.com>
Date: Wed, 18 Feb 2026 16:22:29 +0100
Subject: [PATCH 18/18] CVE-2025-58181: fix vendor crypto/ssh (#3)

curb GSSAPI DoS risk by limiting number of specified OIDS

Previously, an attacker could specify an integer up to 0xFFFFFFFF
that would directly allocate memory despite the observability of
the rest of the payload. This change places a hard cap on the
number of mechanisms that can be specified and encoded in the
payload. Additionally, it performs a small sanity check to deny
payloads whose stated size is contradictory to the observed payload.

Thank you to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-58181
Fixes golang/go#76363

Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

[vlefebvre: Adapt for SUSE-v28.5.1]

Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
---
 vendor/golang.org/x/crypto/ssh/ssh_gss.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
index 24bd7c8e83..a6249a1227 100644
--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
 	if !ok {
 		return nil, errors.New("parse uint32 failed")
 	}
+	// Each ASN.1 encoded OID must have a minimum
+	// of 2 bytes; 64 maximum mechanisms is an
+	// arbitrary, but reasonable ceiling.
+	const maxMechs = 64
+	if n > maxMechs || int(n)*2 > len(rest) {
+		return nil, errors.New("invalid mechanism count")
+	}
 	s := &userAuthRequestGSSAPI{
 		N:    n,
 		OIDS: make([]asn1.ObjectIdentifier, n),
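Review bot: the new guard is correctly placed before the `make([]asn1.ObjectIdentifier, n)` allocation, and its correctness on 32-bit targets depends on the operand order: `n > maxMechs` must stay first, because `int(n)*2` with `n` near 0xFFFFFFFF can wrap when `int` is 32 bits, and the short-circuit `||` is what keeps the wrapped value from being reached. A one-line comment stating that the ordering is deliberate would protect against a later "tidy-up" swapping the operands. The comment's "minimum of 2 bytes" per OID is a conservative lower bound (each entry also carries a length prefix before the ASN.1 bytes), so `int(n)*2 > len(rest)` is a sanity check rather than a tight bound, which is fine given `maxMechs` caps allocation at 64 entries anyway. The backport would benefit from a regression test feeding `parseGSSAPIPayload` a payload with `n = 0xFFFFFFFF` and a short remainder, asserting the "invalid mechanism count" error rather than an allocation.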
@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
 		if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
 			return nil, err
 		}
-
 	}
 	return s, nil
 }
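Review bot: this hunk only drops a blank line inside the loop body and has no functional effect; in a CVE backport it is worth keeping such cosmetic changes out so the diff matches the upstream fix exactly and is easier to audit against https://go-review.googlesource.com/c/crypto/+/721961. If it is retained because upstream included it, a note in the "[vlefebvre: Adapt for SUSE-v28.5.1]" line that the patch is otherwise unchanged from upstream would help reviewers.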
-- 
2.52.0
