From c53b0ef3ecd38cf89525c38d04d51ff0439e50bf Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Fri, 21 Nov 2025 08:14:38 +0100
Subject: [PATCH] CVE-2025-14821 cmake: Fix global config location on Windows
Signed-off-by: Andreas Schneider
Reviewed-by: Jakub Jelen
(cherry picked from commit 6a7f19ec3486698bde3169161edf01ca11cca55f)
---
 DefineOptions.cmake | 14 ++++++++++++--
 config.h.cmake | 4 ++++
 src/options.c | 4 ++--
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/DefineOptions.cmake b/DefineOptions.cmake
index 8007552a..3f0b0eb9 100644
--- a/DefineOptions.cmake
+++ b/DefineOptions.cmake
@@ -69,12 +69,22 @@ if (WITH_ABI_BREAK)
 set(WITH_SYMBOL_VERSIONING ON)
 endif (WITH_ABI_BREAK)
+set(GLOBAL_CONF_DIR "/etc/ssh")
+if (WIN32)
+ # Use PROGRAMDATA on Windows
+ if (DEFINED ENV{PROGRAMDATA})
+ set(GLOBAL_CONF_DIR "$ENV{PROGRAMDATA}/ssh")
+ else ()
+ set(GLOBAL_CONF_DIR "C:/ProgramData/ssh")
+ endif ()
+endif ()
+
 if (NOT GLOBAL_BIND_CONFIG)
- set(GLOBAL_BIND_CONFIG "/etc/ssh/libssh_server_config")
+ set(GLOBAL_BIND_CONFIG "${GLOBAL_CONF_DIR}/libssh_server_config")
 endif (NOT GLOBAL_BIND_CONFIG)
 if (NOT GLOBAL_CLIENT_CONFIG)
- set(GLOBAL_CLIENT_CONFIG "/etc/ssh/ssh_config")
+ set(GLOBAL_CLIENT_CONFIG "${GLOBAL_CONF_DIR}/ssh_config")
 endif (NOT GLOBAL_CLIENT_CONFIG)
 if (FUZZ_TESTING)
diff --git a/config.h.cmake b/config.h.cmake
index 8dce5273..da8a2ace 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -8,6 +8,10 @@
 #cmakedefine BINARYDIR "${BINARYDIR}"
 #cmakedefine SOURCEDIR "${SOURCEDIR}"
+/* Global configuration directory */
+#cmakedefine USR_GLOBAL_CONF_DIR "${USR_GLOBAL_CONF_DIR}"
+#cmakedefine GLOBAL_CONF_DIR "${GLOBAL_CONF_DIR}"
+
 /* Global bind configuration file path */
 #cmakedefine GLOBAL_BIND_CONFIG "${GLOBAL_BIND_CONFIG}"
diff --git a/src/options.c b/src/options.c
index 785296dd..920c32ef 100644
--- a/src/options.c
+++ b/src/options.c
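Review bot: In DefineOptions.cmake, `set(GLOBAL_CONF_DIR "$ENV{PROGRAMDATA}/ssh")` copies the environment value verbatim, and on Windows that value normally contains backslashes (`C:\ProgramData`). config.h.cmake then pastes it into a quoted C string, where `\P` is not a valid escape sequence, so the compiled-in path may not be the directory intended; normalising first with `file(TO_CMAKE_PATH "$ENV{PROGRAMDATA}/ssh" GLOBAL_CONF_DIR)` would avoid that. The value is also taken from the build host's environment at configure time, so a comment should say that the path is fixed at build time and is not looked up on the machine where the library runs. Because `set(GLOBAL_CONF_DIR "/etc/ssh")` is unconditional, a `-DGLOBAL_CONF_DIR=...` supplied by a packager appears to be shadowed, unlike the `if (NOT GLOBAL_BIND_CONFIG)` pattern just below it.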
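Review bot: In config.h.cmake, `USR_GLOBAL_CONF_DIR` is templated but no hunk in this patch sets it, so unless this branch defines it elsewhere the line always expands to a commented-out `#undef`. If the variable only exists on the branch this commit was cherry-picked from, dropping that line from the backport would keep readers from assuming a second configuration directory is searched. The comment above the two defines could also record the contract that src/options.c relies on, e.g. `/* Global configuration directory; GLOBAL_CONF_DIR must always expand to a string literal */`.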
@@ -861,7 +861,7 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
 SAFE_FREE(session->opts.global_knownhosts);
 if (v == NULL) {
 session->opts.global_knownhosts =
- strdup("/etc/ssh/ssh_known_hosts");
+ strdup(GLOBAL_CONF_DIR "/ssh_known_hosts");
 if (session->opts.global_knownhosts == NULL) {
 ssh_set_error_oom(session);
 return -1;
@@ -1900,7 +1900,7 @@ int ssh_options_apply(ssh_session session)
 if ((session->opts.exp_flags & SSH_OPT_EXP_FLAG_GLOBAL_KNOWNHOSTS) == 0) {
 if (session->opts.global_knownhosts == NULL) {
- tmp = strdup("/etc/ssh/ssh_known_hosts");
+ tmp = strdup(GLOBAL_CONF_DIR "/ssh_known_hosts");
 } else {
 tmp = ssh_path_expand_escape(session,
 session->opts.global_knownhosts);
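Review bot: Both changed `strdup()` calls (in the ssh_options_set hunk and in the ssh_options_apply hunk) treat whatever sits under `GLOBAL_CONF_DIR` as the system-wide known-hosts file, but nothing records that the directory has to be writable by administrators only. On Windows, ProgramData by default lets non-administrators create new subdirectories as far as I know, so if the `ssh` directory is not pre-created with a restrictive ACL the file's contents cannot be trusted; a comment at the first call such as `/* GLOBAL_CONF_DIR must be writable by administrators only */`, plus a line in the install documentation, would make that requirement explicit. The literal `GLOBAL_CONF_DIR "/ssh_known_hosts"` is also repeated, and a single macro, e.g. `#define GLOBAL_KNOWNHOSTS GLOBAL_CONF_DIR "/ssh_known_hosts"`, would keep the two defaults from drifting apart. Both enclosing functions start and end outside the hunks.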