new file mode 100644
@@ -0,0 +1,38 @@
+From 6ddb730a27338983851248af59b128b995aad256 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 6 May 2025 22:43:31 +0200
+Subject: CVE-2025-5351 pki_crypto: Avoid double-free on low-memory conditions
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6ddb730a27338983851248af59b128b995aad256]
+CVE: CVE-2025-5351
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/pki_crypto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pki_crypto.c b/src/pki_crypto.c
+index 5b0d7ded..aec49544 100644
+--- a/src/pki_crypto.c
++++ b/src/pki_crypto.c
+@@ -2023,6 +2023,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
+ bignum_safe_free(bn);
+ bignum_safe_free(be);
+ OSSL_PARAM_free(params);
++ params = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER */
+ break;
+ }
+@@ -2143,6 +2144,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
+ */
+ #if 0
+ OSSL_PARAM_free(params);
++ params = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER */
+
+ if (key->type == SSH_KEYTYPE_SK_ECDSA &&
+--
+2.49.0
+
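Review bot: The second `params = NULL;` in the embedded patch (hunk `@@ -2143,6 +2144,7 @@`) sits between `#if 0` and `#endif /* OPENSSL_VERSION_NUMBER */`, so it is compiled out and only the first hunk changes the built code. If that mirrors the upstream commit the backport is faithful, but the patch header does not mention it. A line such as `Note: the second hunk is inside #if 0 and does not affect the build` below the `CVE:` trailer would save the next reviewer the check. The later free that makes the reset necessary is outside both hunks, presumably on the shared cleanup path of pki_publickey_to_blob(), so it is worth confirming against the full source that no other early exit leaves `params` dangling after `OSSL_PARAM_free()`.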
new file mode 100644
@@ -0,0 +1,150 @@
+From a9d8a3d44829cf9182b252bc951f35fb0d573972 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 14 May 2025 14:07:58 +0200
+Subject: CVE-2025-5372 libgcrypto: Simplify error checking and handling of
+ return codes in ssh_kdf()
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972]
+CVE: CVE-2025-5372
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/libcrypto.c | 62 ++++++++++++++++++++++---------------------------
+ 1 file changed, 28 insertions(+), 34 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 4f945d90..76e067d3 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -163,7 +163,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
+ uint8_t key_type, unsigned char *output,
+ size_t requested_len)
+ {
+- int rc = -1;
++ int ret = SSH_ERROR, rv;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
+ #else
+@@ -185,81 +185,75 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
+ }
+
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
+ sshkdf_digest_to_md(crypto->digest_type));
+- if (rc != 1) {
++ if (rv != 1) {
+ goto out;
+ }
+- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
+- if (rc != 1) {
++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
++ if (rv != 1) {
+ goto out;
+ }
+- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
+ crypto->secret_hash, crypto->digest_len);
+- if (rc != 1) {
++ if (rv != 1) {
+ goto out;
+ }
+- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
+- if (rc != 1) {
++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
++ if (rv != 1) {
+ goto out;
+ }
+- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+ crypto->session_id, crypto->session_id_len);
+- if (rc != 1) {
++ if (rv != 1) {
+ goto out;
+ }
+- rc = EVP_KDF_derive(ctx, output, requested_len);
+- if (rc != 1) {
++ rv = EVP_KDF_derive(ctx, output, requested_len);
++ if (rv != 1) {
+ goto out;
+ }
+ #else
+- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
++ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
+ md, strlen(md));
+- if (rc != 1) {
+- rc = -1;
++ if (rv != 1) {
+ goto out;
+ }
+- rc = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
+ key, key_len);
+- if (rc != 1) {
+- rc = -1;
++ if (rv != 1) {
+ goto out;
+ }
+- rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
+ OSSL_KDF_PARAM_SSHKDF_XCGHASH,
+ crypto->secret_hash,
+ crypto->digest_len);
+- if (rc != 1) {
+- rc = -1;
++ if (rv != 1) {
+ goto out;
+ }
+- rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
+ OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
+ crypto->session_id,
+ crypto->session_id_len);
+- if (rc != 1) {
+- rc = -1;
++ if (rv != 1) {
+ goto out;
+ }
+- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
++ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
+ (const char*)&key_type, 1);
+- if (rc != 1) {
+- rc = -1;
++ if (rv != 1) {
+ goto out;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (params == NULL) {
+- rc = -1;
+ goto out;
+ }
+
+- rc = EVP_KDF_derive(ctx, output, requested_len, params);
+- if (rc != 1) {
+- rc = -1;
++ rv = EVP_KDF_derive(ctx, output, requested_len, params);
++ if (rv != 1) {
+ goto out;
+ }
+ #endif /* OPENSSL_VERSION_NUMBER */
++ ret = SSH_OK;
+
+ out:
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+@@ -267,8 +261,8 @@ out:
+ OSSL_PARAM_free(params);
+ #endif
+ EVP_KDF_CTX_free(ctx);
+- if (rc < 0) {
+- return rc;
++ if (ret < 0) {
++ return ret;
+ }
+ return 0;
+ }
+--
+2.49.0
+
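Review bot: The tail of ssh_kdf() in the embedded patch still reads `if (ret < 0) { return ret; }` followed by `return 0;`, so failure is reported only while SSH_ERROR is negative, and success is hard-coded as 0 rather than SSH_OK. Since `ret` can now only hold SSH_ERROR or SSH_OK, a plain `return ret;` would state the contract directly and remove that hidden dependency. The old lines show why this matters: any non-1 result that was not negative (for example a 0 from EVP_KDF_ctrl() or EVP_KDF_derive() in the pre-3.0 branch) jumped to `out:` and then reached `return 0`, reporting a failed key derivation as success. Callers should treat `output` as undefined whenever SSH_ERROR is returned. The start of ssh_kdf() and the lines between `out:` and `OSSL_PARAM_free(params);` are outside the hunks.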
@@ -11,6 +11,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
file://run-ptest \
file://CVE-2025-5318.patch \
+ file://CVE-2025-5351.patch \
+ file://CVE-2025-5372.patch \
"
SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
* CVE-2025-5351 - Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=6ddb730a27338983851248af59b128b995aad256 * CVE-2025-5372 - Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../libssh/libssh/CVE-2025-5351.patch | 38 +++++ .../libssh/libssh/CVE-2025-5372.patch | 150 ++++++++++++++++++ .../recipes-support/libssh/libssh_0.10.6.bb | 2 + 3 files changed, 190 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-5351.patch create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-5372.patch