diff mbox series

[meta-oe,scarthgap] libssh: fix CVE-2025-4877

Message ID 20250901053610.64593-1-hprajapati@mvista.com
State New
Headers show
Series [meta-oe,scarthgap] libssh: fix CVE-2025-4877 | expand

Commit Message

Hitendra Prajapati Sept. 1, 2025, 5:36 a.m. UTC 
Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../libssh/libssh/CVE-2025-4877.patch         | 57 +++++++++++++++++++
 .../recipes-support/libssh/libssh_0.10.6.bb   |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
new file mode 100644
index 0000000000..afea52c5b5
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
@@ -0,0 +1,57 @@ 
+From 6fd9cc8ce3958092a1aae11f1f2e911b2747732d Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 15 Apr 2025 11:41:24 +0200
+Subject: CVE-2025-4877 base64: Prevent integer overflow and potential OOB
+
+Set maximum input to 256MB to have safe margin to the 1GB trigger point
+for 32b arch.
+
+The OOB should not be reachable by any internal code paths as most of
+the buffers and strings we use as input for this operation already have
+similar limit and none really allows this much of data.
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 00f09acbec55962839fc7837ef14c56fb8fbaf72)
+
+CVE: CVE-2025-4877
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/base64.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/base64.c b/src/base64.c
+index 4148f49c..f42e0e80 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -29,6 +29,9 @@
+ #include "libssh/priv.h"
+ #include "libssh/buffer.h"
+ 
++/* Do not allow encoding more than 256MB of data */
++#define BASE64_MAX_INPUT_LEN 256 * 1024 * 1024
++
+ static
+ const uint8_t alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                          "abcdefghijklmnopqrstuvwxyz"
+@@ -274,7 +277,15 @@ uint8_t *bin_to_base64(const uint8_t *source, size_t len)
+ {
+     uint8_t *base64 = NULL;
+     uint8_t *ptr = NULL;
+-    size_t flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
++    size_t flen = 0;
++
++    /* Set the artificial upper limit for the input. Otherwise on 32b arch, the
++     * following line could overflow for sizes larger than SIZE_MAX / 4 */
++    if (len > BASE64_MAX_INPUT_LEN) {
++        return NULL;
++    }
++
++    flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
+     flen = (4 * flen) / 3 + 1;
+ 
+     base64 = malloc(flen);
+-- 
+2.50.1
+
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
index 64835c5e08..48cb47d4c0 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -13,6 +13,7 @@  SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
            file://CVE-2025-5318.patch \
            file://CVE-2025-5351.patch \
            file://CVE-2025-5372.patch \
+           file://CVE-2025-4877.patch \
           "
 SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"