From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 9 Apr 2025 07:00:03 +0000
Subject: [PATCH] upstream: Fix logic error in DisableForwarding option.

This option was documented as disabling X11 and agent forwarding but it failed to do so.
Spotted by Tim Rice.

OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1

Upstream: https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367

Fixes the following CVE:
  - CVE-2025-32728: In sshd in OpenSSH before 10.0, the DisableForwarding
                    directive does not adhere to the documentation stating
                    that it disables X11 and agent forwarding.

[Titouan: 
 - Remove diff on OpenBSD comment at the top of the file that does not apply
   cleanly on openssh 9.9
]
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
 session.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/session.c b/session.c
index 52a4a3446e6..6444c77f31c 100644
--- a/session.c
+++ b/session.c
@@ -2171,7 +2171,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
 	if ((r = sshpkt_get_end(ssh)) != 0)
 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
 	if (!auth_opts->permit_agent_forwarding_flag ||
-	    !options.allow_agent_forwarding) {
+	    !options.allow_agent_forwarding ||
+	    options.disable_forwarding) {
 		debug_f("agent forwarding disabled");
 		return 0;
 	}
@@ -2566,7 +2567,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
 		return 0;
 	}
-	if (!options.x11_forwarding) {
+	if (!options.x11_forwarding || options.disable_forwarding) {
 		debug("X11 forwarding disabled in server configuration file.");
 		return 0;
 	}