stable-4459: cherry-pick OpenSSH security fixes

.github/workflows/portage-stable-packages-list

@@ -744,6 +744,7 @@ virtual/service-manager
 virtual/ssh
 virtual/tmpfiles
 virtual/udev
+virtual/zlib
 
 x11-drivers/nvidia-drivers
 

changelog/security/2026-02-12-openssh.md

@@ -0,0 +1 @@
+- openssh ([CVE-2025-61984](https://www.cve.org/CVERecord?id=CVE-2025-61984), [CVE-2025-61985](https://www.cve.org/CVERecord?id=CVE-2025-61985))

changelog/updates/2026-02-12-openssh.md

@@ -0,0 +1 @@
+- base, dev: openssh ([10.2_p1](https://www.openssh.com/txt/release-10.2) (includes [10.1](https://www.openssh.com/txt/release-10.1)))

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -92,6 +92,9 @@ dev-cpp/azure-security-keyvault-keys
 =net-misc/ntp-4.2.8_p18-r1 ~arm64
 =net-nds/rpcbind-1.2.8 ~arm64
 
+# CVE-2025-61984, CVE-2025-61985
+=net-misc/openssh-10.2_p1 ~amd64 ~arm64
+
 # Packages are in Gentoo but not expected to be used outside Flatcar, so they
 # are generally never stabilised. Thus an unusual form is used to pick up the
 # latest version of the package with the unstable keywords.

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-6.12

@@ -178,7 +178,6 @@ CONFIG_DRM_VIRTIO_GPU=m
 CONFIG_DST_CACHE=y
 CONFIG_DUMMY=m
 CONFIG_DYNAMIC_DEBUG=y
-CONFIG_DYNAMIC_FTRACE=y
 CONFIG_E100=m
 CONFIG_E1000=m
 CONFIG_E1000E=m
@@ -215,9 +214,8 @@ CONFIG_FSCACHE_STATS=y
 CONFIG_FS_DAX=y
 CONFIG_FS_ENCRYPTION=y
 CONFIG_FTRACE_SYSCALLS=y
-CONFIG_FUNCTION_TRACER=y
-CONFIG_FUSE_DAX=y
 CONFIG_FUSE_FS=m
+CONFIG_FUSE_DAX=y
 CONFIG_FUSION=y
 CONFIG_FUSION_CTL=m
 CONFIG_FUSION_LOGGING=y
@@ -1008,12 +1006,12 @@ CONFIG_VIA_RHINE_MMIO=y
 CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 CONFIG_VIRTIO_CONSOLE=m
-CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 CONFIG_VIRTIO_MMIO=y
 CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
 CONFIG_VIRTIO_NET=m
 CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_VSOCKETS=m
 CONFIG_VIRT_DRIVERS=y
 CONFIG_VLAN_8021Q=m

sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest

@@ -1,5 +1,9 @@
 DIST openssh-10.0p1.tar.gz 1972675 BLAKE2B 4ce353adf75aade8f4b2a223ad13e2f92cd23d1e60b4ee52bad0eaf036571229438cd9760dfa99c0e10fa09a8ac47b2bfb04eb183fb7b9287ac564ec75316a75 SHA512 2daa1fcf95793b23810142077e68ddfabdf3732b207ef4f033a027f72d733d0e9bcdb6f757e7f3a5934b972de05bfaae3baae381cfc7a400cd8ab4d4e277a0ed
 DIST openssh-10.0p1.tar.gz.asc 833 BLAKE2B 105fd1238c9923719fb7fcbafa55806e2e5053095422b95193438d4c536d1f3bae04a1fc674fe1fee8bc14abaa5ea41c4d25134f4fe677cdf1d761c009246f0c SHA512 6ab9deb4233ff159e55a18c9fc07d5ff8a41723dad74aa3d803e1476b585f5662aba34f8a7a1f5fe1d248f3ff3cd663f2c2fb8e399c6a4723b6215b0eb423d13
+DIST openssh-10.1p1.tar.gz 1972831 BLAKE2B 08864c9302935cde87eec9d736a90b0bcf23220349bf77cc177459715c567b6178722e9e5d8eea3d55eddb49fef09c187e0895e72236aede397e67674e10cd31 SHA512 9b88ac5b84461a0d4f6022b4dee294964487ea36d5ba5cb9c35d2edcba49a687c609ea30f272ebf924270a025cf2cd82677d0917e5d37334534cd5bee93452d9
+DIST openssh-10.1p1.tar.gz.asc 833 BLAKE2B c9df62728276464926ac7d28d54dd23a42bef150a9f64bfec14278d0e1817a876ee76b3329aca863997107bb8d4d43a694643f730249d9940d967b4c2a18fed3 SHA512 a4082bf8526d60094b5a3207995793c44448833b1cdd7ec91f04554fd8bddc1df3b45ee9ffe42de3bfc72d4968808834e289159e3c96f031e09a78da844641ae
+DIST openssh-10.2p1.tar.gz 1974519 BLAKE2B 8c031b10b1642e21b46f7d1db84ba42692e378a54af3d8e5b5c8706c3a0a06d442a02ed8803063121e7ff325ea275cad4432b9eaa6a7f47a4d7cfad504953ab6 SHA512 66f3dd646179e71aaf41c33b6f14a207dc873d71d24f11c130a89dee317ee45398b818e5b94887b5913240964a38630d7bca3e481e0f1eff2e41d9e1cfdbdfc5
+DIST openssh-10.2p1.tar.gz.asc 833 BLAKE2B 34e1a697e9565f5d4e8139537e76e123512285662576f6f2b513ba129d5e42310c1997e70d7c69b2c4fe1c85f9323ef686b8f83f12a73c5a4f229ff855efd7c6 SHA512 f1f71700b1b0b2117aed505488b98b7ebb51ce26e53184b08df0b07aa2c5a1e54dc4d3cbcbe871b5ad849a2a0e22b02af318ff22a68c980ab53b04be03c9bf3c
 DIST openssh-9.8p1.tar.gz 1910393 BLAKE2B 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 SHA512 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a
 DIST openssh-9.8p1.tar.gz.asc 833 BLAKE2B 5291e8c03ab9a75acb44285cd7fc010f4a33551f142499624165dac708fc05a6d077df81555aa41037b45f6301e4e5db3161a7a23404473f8a233a877fc55cc3 SHA512 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7
 DIST openssh-9.9p2.tar.gz 1944499 BLAKE2B 1b5bc09482b3a807ccfee52c86c6be3c363acf0c8e774862e0ae64f76bfeb4ce7cf29b3ed2f99c04c89bb4977da0cf50a7a175b15bf1d9925de1e03c66f8306d SHA512 4c6d839aa3189cd5254c745f2bd51cd3f468b02f8e427b8d7a16b9ad017888a41178d2746dc51fb2d3fec5be00e54b9ab7c32c472ca7dec57a1dea4fc9840278

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0001-upstream-fix-out-of-bounds-read.patch

@@ -0,0 +1,41 @@
+https://github.com/openssh/openssh-portable/commit/4b1f172fe91c253d09d75650981a3e0c87651fa3
+
+From 4b1f172fe91c253d09d75650981a3e0c87651fa3 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 30 Apr 2025 05:23:15 +0000
+Subject: [PATCH] upstream: fix a out-of-bounds read if the known_hosts file is
+
+truncated after the hostname.
+
+Reported by the OpenAI Security Research Team
+
+ok deraadt@
+
+OpenBSD-Commit-ID: c0b516d7c80c4779a403826f73bcd8adbbc54ebd
+---
+ hostfile.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/hostfile.c b/hostfile.c
+index c5669c70373..a4a5a9a5e3a 100644
+--- a/hostfile.c
++++ b/hostfile.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: hostfile.c,v 1.95 2023/02/21 06:48:18 dtucker Exp $ */
++/* $OpenBSD: hostfile.c,v 1.96 2025/04/30 05:23:15 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -810,6 +810,12 @@ hostkeys_foreach_file(const char *path, FILE *f, hostkeys_foreach_fn *callback,
+ 		/* Find the end of the host name portion. */
+ 		for (cp2 = cp; *cp2 && *cp2 != ' ' && *cp2 != '\t'; cp2++)
+ 			;
++		if (*cp2 == '\0') {
++			verbose_f("truncated line at %s:%lu", path, linenum);
++			if ((options & HKF_WANT_MATCH) == 0)
++				goto bad;
++			continue;
++		}
+ 		lineinfo.hosts = cp;
+ 		*cp2++ = '\0';
+

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0002-upstream-fix-mistracking-of-MaxStartups.patch

@@ -0,0 +1,94 @@
+https://github.com/openssh/openssh-portable/commit/78af391990b210ae0797c37c30719232cda61fef
+
+From 78af391990b210ae0797c37c30719232cda61fef Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 4 Jul 2025 09:51:01 +0000
+Subject: [PATCH] upstream: Fix mistracking of MaxStartups process exits in
+ some
+
+situations. At worst, this can cause all MaxStartups slots to fill and sshd
+to refuse new connections.
+
+Diagnosis by xnor; ok dtucker@
+
+OpenBSD-Commit-ID: 10273033055552557196730f898ed6308b36a78d
+---
+ sshd.c | 28 ++++++++++++++++------------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/sshd.c b/sshd.c
+index 4a93e29e4c0..d721a5de36a 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -289,8 +289,10 @@ child_finish(struct early_child *child)
+ {
+ 	if (children_active == 0)
+ 		fatal_f("internal error: children_active underflow");
+-	if (child->pipefd != -1)
++	if (child->pipefd != -1) {
++		srclimit_done(child->pipefd);
+ 		close(child->pipefd);
++	}
+ 	sshbuf_free(child->config);
+ 	sshbuf_free(child->keys);
+ 	free(child->id);
+@@ -311,6 +313,7 @@ child_close(struct early_child *child, int force_final, int quiet)
+ 	if (!quiet)
+ 		debug_f("enter%s", force_final ? " (forcing)" : "");
+ 	if (child->pipefd != -1) {
++		srclimit_done(child->pipefd);
+ 		close(child->pipefd);
+ 		child->pipefd = -1;
+ 	}
+@@ -1039,7 +1042,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
+ 			if (ret <= 0) {
+ 				if (children[i].early)
+ 					listening--;
+-				srclimit_done(children[i].pipefd);
+ 				child_close(&(children[i]), 0, 0);
+ 				continue;
+ 			}
+@@ -1078,23 +1080,19 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
+ 				}
+ 				/* FALLTHROUGH */
+ 			case 0:
+-				/* child exited preauth */
++				/* child closed pipe */
+ 				if (children[i].early)
+ 					listening--;
+-				srclimit_done(children[i].pipefd);
++				debug3_f("child %lu for %s closed pipe",
++				    (long)children[i].pid, children[i].id);
+ 				child_close(&(children[i]), 0, 0);
+ 				break;
+ 			case 1:
+ 				if (children[i].config) {
+ 					error_f("startup pipe %d (fd=%d)"
+-					    " early read", i, children[i].pipefd);
+-					if (children[i].early)
+-						listening--;
+-					if (children[i].pid > 0)
+-						kill(children[i].pid, SIGTERM);
+-					srclimit_done(children[i].pipefd);
+-					child_close(&(children[i]), 0, 0);
+-					break;
++					    " early read",
++					    i, children[i].pipefd);
++					goto problem_child;
+ 				}
+ 				if (children[i].early && c == '\0') {
+ 					/* child has finished preliminaries */
+@@ -1114,6 +1112,12 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
+ 					    "child %ld for %s in state %d",
+ 					    (int)c, (long)children[i].pid,
+ 					    children[i].id, children[i].early);
++ problem_child:
++					if (children[i].early)
++						listening--;
++					if (children[i].pid > 0)
++						kill(children[i].pid, SIGTERM);
++					child_close(&(children[i]), 0, 0);
+ 				}
+ 				break;
+ 			}
+

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch

@@ -0,0 +1,76 @@
+From 979cbc2c1e0c9cd2f60d45d8d1da69519ec425cf Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 7 Oct 2025 08:02:32 +0000
+Subject: [PATCH 1/6] upstream: don't reuse c->isatty for signalling that the
+ remote channel
+
+has a tty attached as this causes side effects, e.g. in channel_handle_rfd().
+bz3872
+
+ok markus@
+
+OpenBSD-Commit-ID: 4cd8a9f641498ca6089442e59bad0fd3dcbe85f8
+---
+ channels.c | 9 +++++----
+ channels.h | 3 ++-
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/channels.c b/channels.c
+index f1d7bcf34..80014ff34 100644
+--- a/channels.c
++++ b/channels.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: channels.c,v 1.451 2025/09/25 06:33:19 djm Exp $ */
++/* $OpenBSD: channels.c,v 1.452 2025/10/07 08:02:32 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -362,7 +362,7 @@ channel_classify(struct ssh *ssh, Channel *c)
+ {
+ 	struct ssh_channels *sc = ssh->chanctxt;
+ 	const char *type = c->xctype == NULL ? c->ctype : c->xctype;
+-	const char *classifier = c->isatty ?
++	const char *classifier = (c->isatty || c->remote_has_tty) ?
+ 	    sc->bulk_classifier_tty : sc->bulk_classifier_notty;
+
+ 	c->bulk = type != NULL && match_pattern_list(type, classifier, 0) == 1;
+@@ -566,7 +566,7 @@ channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
+ void
+ channel_set_tty(struct ssh *ssh, Channel *c)
+ {
+-	c->isatty = 1;
++	c->remote_has_tty = 1;
+ 	channel_classify(ssh, c);
+ }
+
+@@ -1078,7 +1078,8 @@ channel_format_status(const Channel *c)
+ 	    c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan,
+ 	    c->have_ctl_child_id ? "c" : "nc", c->ctl_child_id,
+ 	    c->io_want, c->io_ready,
+-	    c->isatty ? "T" : "", c->bulk ? "B" : "I");
++	    c->isatty ? "T" : (c->remote_has_tty ? "RT" : ""),
++	    c->bulk ? "B" : "I");
+ 	return ret;
+ }
+
+diff --git a/channels.h b/channels.h
+index df7c7f364..7456541f8 100644
+--- a/channels.h
++++ b/channels.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: channels.h,v 1.161 2025/09/25 06:33:19 djm Exp $ */
++/* $OpenBSD: channels.h,v 1.162 2025/10/07 08:02:32 djm Exp $ */
+
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+@@ -145,6 +145,7 @@ struct Channel {
+ 	int     ctl_chan;	/* control channel (multiplexed connections) */
+ 	uint32_t ctl_child_id;	/* child session for mux controllers */
+ 	int	have_ctl_child_id;/* non-zero if ctl_child_id is valid */
++	int     remote_has_tty;	/* remote side has a tty */
+ 	int     isatty;		/* rfd is a tty */
+ #ifdef _AIX
+ 	int     wfd_isatty;	/* wfd is a tty */
+-- 
+2.51.0
+

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch

@@ -0,0 +1,69 @@
+From 28a2788d609efe363b403432b08511c801d13667 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Tue, 7 Oct 2025 20:04:40 +1100
+Subject: [PATCH 2/6] Add clock_gettime compat shim.
+
+This fixes the build on macOS prior to 10.12 Sierra, since it does not
+have it.  Found and tested by Sevan Janiyan.
+---
+ openbsd-compat/bsd-misc.c | 24 ++++++++++++++++++++++++
+ openbsd-compat/bsd-misc.h |  8 ++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
+index 983cd3fe6..2c196ec23 100644
+--- a/openbsd-compat/bsd-misc.c
++++ b/openbsd-compat/bsd-misc.c
+@@ -494,6 +494,30 @@ localtime_r(const time_t *timep, struct tm *result)
+ }
+ #endif
+
++#ifndef HAVE_CLOCK_GETTIME
++int
++clock_gettime(clockid_t clockid, struct timespec *ts)
++{
++	struct timeval tv;
++
++	if (clockid != CLOCK_REALTIME) {
++		errno = ENOSYS;
++		return -1;
++	}
++	if (ts == NULL) {
++		errno = EFAULT;
++		return -1;
++	}
++
++	if (gettimeofday(&tv, NULL) == -1)
++		return -1;
++
++	ts->tv_sec = tv.tv_sec;
++	ts->tv_nsec = (long)tv.tv_usec * 1000;
++	return 0;
++}
++#endif
++
+ #ifdef ASAN_OPTIONS
+ const char *__asan_default_options(void) {
+ 	return ASAN_OPTIONS;
+diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h
+index 2ad89cd83..8495f471c 100644
+--- a/openbsd-compat/bsd-misc.h
++++ b/openbsd-compat/bsd-misc.h
+@@ -202,6 +202,14 @@ int flock(int, int);
+ struct tm *localtime_r(const time_t *, struct tm *);
+ #endif
+
++#ifndef HAVE_CLOCK_GETTIME
++typedef int clockid_t;
++#ifndef CLOCK_REALTIME
++# define CLOCK_REALTIME	0
++#endif
++int clock_gettime(clockid_t, struct timespec *);
++#endif
++
+ #ifndef HAVE_REALPATH
+ #define realpath(x, y)	(sftp_realpath((x), (y)))
+ #endif
+-- 
+2.51.0
+

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch

@@ -0,0 +1,27 @@
+From aefeee5bedcf117aa9278014eda5f099b5898a10 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Tue, 7 Oct 2025 20:10:56 +1100
+Subject: [PATCH 3/6] Don't copy native host keys for hostbased test.
+
+Some github runners (notably macos-14) seem to have host keys where
+public and private do not match, so generate our own keys for testing
+purposes.
+---
+ .github/run_test.sh | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/.github/run_test.sh b/.github/run_test.sh
+index aac9ce579..33c90ac29 100755
+--- a/.github/run_test.sh
++++ b/.github/run_test.sh
+@@ -13,7 +13,6 @@ if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
+     hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
+     echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
+     $SUDO mkdir -p $sshconf
+-    $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
+     $SUDO make install
+     for key in $sshconf/ssh_host*key*.pub; do
+         echo `hostname` `cat $key` | \
+-- 
+2.51.0
+