diff mbox series

[meta-oe,kirkstone,1/1] libssh : fix CVE-2025-8114

Message ID 20251118112048.2681490-1-divya.chellam@windriver.com
State New
Headers show
Series [meta-oe,kirkstone,1/1] libssh : fix CVE-2025-8114 | expand

Commit Message

dchellam Nov. 18, 2025, 11:20 a.m. UTC 
From: Divya Chellam <divya.chellam@windriver.com>

A flaw was found in libssh, a library that implements the SSH protocol.
When calculating the session ID during the key exchange (KEX) process,
an allocation failure in cryptographic functions may lead to a NULL
pointer dereference. This issue can cause the client or server to crash.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-8114

Upstream-patch:
https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
 .../libssh/libssh/CVE-2025-8114.patch         | 50 +++++++++++++++++++
 .../recipes-support/libssh/libssh_0.8.9.bb    |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch
new file mode 100644
index 0000000000..44964e17ff
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch
@@ -0,0 +1,50 @@ 
+From 53ac23ded4cb2c5463f6c4cd1525331bd578812d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 6 Aug 2025 15:17:59 +0200
+Subject: [PATCH] CVE-2025-8114: Fix NULL pointer dereference after allocation
+ failure
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+
+CVE: CVE-2025-8114
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/dh.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/dh.c b/src/dh.c
+index 33883f2d..7116d1dc 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -873,6 +873,8 @@ int ssh_make_sessionid(ssh_session session) {
+     ssh_print_hexa("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf));
+ #endif
+ 
++    /* Set rc for the following switch statement in case we goto error. */
++    rc = SSH_ERROR;
+     switch (session->next_crypto->kex_type) {
+     case SSH_KEX_DH_GROUP1_SHA1:
+     case SSH_KEX_DH_GROUP14_SHA1:
+@@ -925,6 +927,7 @@ int ssh_make_sessionid(ssh_session session) {
+                session->next_crypto->secret_hash);
+         break;
+     }
++
+     /* During the first kex, secret hash and session ID are equal. However, after
+      * a key re-exchange, a new secret hash is calculated. This hash will not replace
+      * but complement existing session id.
+@@ -933,6 +936,7 @@ int ssh_make_sessionid(ssh_session session) {
+         session->next_crypto->session_id = malloc(session->next_crypto->digest_len);
+         if (session->next_crypto->session_id == NULL) {
+             ssh_set_error_oom(session);
++	    rc = SSH_ERROR;
+             goto error;
+         }
+         memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash,
+-- 
+2.40.0
+
diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
index 891b2c38ac..3781b501cd 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
@@ -27,6 +27,7 @@  SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
            file://CVE-2025-8277-1.patch \
            file://CVE-2025-8277-2.patch \
            file://CVE-2025-8277-3.patch \
+           file://CVE-2025-8114.patch \
           "
 SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"