From patchwork Thu Sep 11 10:37:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: dchellam X-Patchwork-Id: 70017 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 77F28CA1016 for ; Thu, 11 Sep 2025 10:37:49 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.43367.1757587067401827486 for ; Thu, 11 Sep 2025 03:37:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=DSCZY7WA; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=13490b2759=divya.chellam@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 58BAJI1n3186447 for ; Thu, 11 Sep 2025 10:37:46 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=PPS06212021; bh=l1IFeIDdkxc51uD3qLAD jxYwZg+xrghTgBezAMvju5w=; b=DSCZY7WAvimJx+e4Bq+fYyUpVyyyQX6ej4lC y7haWfZSS5FjOHvSs9I9PsaD+SBKGBQyCeBHMrVbG8VQhjaEeX1x651Pyb2Dj4DC eegW/yoCDD4mAWFhhZ2CSYGW5sM3IsH1WqkP9HAoxb5ge2XRDk89tWfI9Aw+4K/8 WBs/KS2SA9tAfT6YgncB5nOTH/jRdqSoanBoRQ4zu8JMZkDGwIKcbVivQkXOP7Cr oY20IBBFfw0x6ERxqZ6xB0oNEcpj2DBh6WF07UXJRRSMagtbPQ01nq3/s3sAHFFd GHQUlkBtbOiCDkJaeltzxJxMyQsouDS7WMN2pseb3ZcwM/MCgg== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 490a5w5s3x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 11 Sep 2025 10:37:45 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.58; Thu, 11 Sep 2025 03:37:40 -0700 From: dchellam To: Subject: [oe][meta-oe][scarthgap][PATCH 1/2] libssh: fix CVE-2025-4878 Date: Thu, 11 Sep 2025 16:07:04 +0530 Message-ID: <20250911103705.252836-1-divya.chellam@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Originating-IP: [10.11.232.110] X-ClientProxiedBy: ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) To ala-exchng01.corp.ad.wrs.com (10.11.224.121) X-Proofpoint-GUID: zikdzOEkzX0xap2i7B4G-ZYi3wTOaiEF X-Proofpoint-ORIG-GUID: zikdzOEkzX0xap2i7B4G-ZYi3wTOaiEF X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwOTExMDA5NiBTYWx0ZWRfX4DHfHfF6yf/Q AiIXzEV80BJtghxIlqpj7NHpyGybMCKt2AVft5T5I19lHbtq22Rl7T1rPSY0tN1vkwvCX90TUPU MpeeWlzcHTJRAysZtymzdYRRpA4LR3nRlzrt+Dfb25IufUFoiE+4E2MDTpDXAbonb8+CB2AjxO1 V/DfrcZukuau7yg8oQPuPjZur0mWkZNHcQpB9rPLqc1UP5HVZaLHuipkyk0THv7SQW+bYpDjDgC PBHaBa0qoEq2G0Sc43MDTpmzJE7ltu1nOr8tldZ8FsOLpN8pyGiQfkfvX7sc1if6mzq+dAI9gXc pYnDQSTBUbamwp5i83vEVlTQ+FeQwmJk+dmwS3QaWNhLnqDnaLIBDt5JzYFq7g= X-Authority-Analysis: v=2.4 cv=AMtZH25w c=1 sm=1 tr=0 ts=68c2a67a cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=gmxlzscTznEA:10 a=yJojWOMRYYMA:10 a=xNf9USuDAAAA:8 a=nar8ntqeAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=_9gtbkrcAAAA:8 a=1XWaLZrsAAAA:8 a=F1kP7urYChkrk79T3QwA:9 a=RptMqvEBejqe73AKBt4K:22 a=FdTzh2GWekK77mhwV6Dw:22 a=mzAfeOUevkGYtpgvwSZb:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1117,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-09-10_04,2025-09-11_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 suspectscore=0 priorityscore=1501 clxscore=1015 phishscore=0 malwarescore=0 spamscore=0 adultscore=0 bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2507300000 definitions=firstrun List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 11 Sep 2025 10:37:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119359 From: Divya Chellam A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption. Reference: https://security-tracker.debian.org/tracker/CVE-2025-4878 Upstream-patches: https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1 https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb Signed-off-by: Divya Chellam --- .../libssh/libssh/CVE-2025-4878-0001.patch | 2552 +++++++++++++++++ .../libssh/libssh/CVE-2025-4878-0002.patch | 34 + .../recipes-support/libssh/libssh_0.10.6.bb | 2 + 3 files changed, 2588 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch new file mode 100644 index 0000000000..22f8733a69 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch @@ -0,0 +1,2552 @@ +From 697650caa97eaf7623924c75f9fcfec6dd423cd1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 23 Apr 2025 17:57:11 +0200 +Subject: [PATCH] CVE-2025-4878 Initialize pointers where possible + +This is mostly mechanical change initializing all the pointers I was able to +find with some grep and manual review of sources and examples. + +Used the following greps (which yield some false positives though): + + git grep " \w* *\* *\w*;$" + git grep " ssh_session \w*;" + git grep " ssh_channel \w*;" + git grep " struct ssh_iterator \*\w*;" + git grep " ssh_bind \w*;" + git grep " ssh_key \w*;" + git grep " ssh_string \w*;" + git grep " ssh_buffer \w*;" + git grep " HMACCTX \w*;" + git grep " SHACTX \w*;" + grep -rinP '^(?!.*=)\s*(?:\w+\s+)*\w+\s*\*\s*\w+\s*;' + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2025-4878 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1] + +Signed-off-by: Divya Chellam +--- + doc/authentication.dox | 10 +++---- + doc/command.dox | 2 +- + doc/forwarding.dox | 4 +-- + doc/guided_tour.dox | 14 ++++----- + doc/shell.dox | 2 +- + examples/authentication.c | 12 ++++---- + examples/connect_ssh.c | 2 +- + examples/exec.c | 4 +-- + examples/knownhosts.c | 2 +- + examples/libssh_scp.c | 11 ++++---- + examples/proxy.c | 18 ++++++------ + examples/samplesshd-cb.c | 10 +++---- + examples/samplesshd-kbdint.c | 16 +++++------ + examples/scp_download.c | 4 +-- + examples/senddata.c | 4 +-- + examples/ssh_client.c | 8 +++--- + examples/sshd_direct-tcpip.c | 14 ++++----- + examples/sshnetcat.c | 6 ++-- + src/agent.c | 13 +++++---- + src/auth.c | 7 +++-- + src/bind.c | 11 ++++---- + src/bind_config.c | 4 +-- + src/buffer.c | 9 +++--- + src/callbacks.c | 2 +- + src/chachapoly.c | 2 +- + src/channels.c | 55 ++++++++++++++++++------------------ + src/client.c | 2 +- + src/config.c | 4 +-- + src/config_parser.c | 12 ++++---- + src/connect.c | 4 +-- + src/connector.c | 5 ++-- + src/dh_crypto.c | 2 +- + src/ecdh_gcrypt.c | 4 +-- + src/gcrypt_missing.c | 2 +- + src/getpass.c | 4 +-- + src/gssapi.c | 28 +++++++++--------- + src/kex.c | 4 +-- + src/known_hosts.c | 41 ++++++++++++++------------- + src/knownhosts.c | 18 ++++++------ + src/legacy.c | 43 +++++++++++++++------------- + src/libmbedcrypto.c | 2 +- + src/log.c | 2 +- + src/messages.c | 18 ++++++------ + src/misc.c | 24 ++++++++-------- + src/options.c | 18 ++++++------ + src/packet.c | 6 ++-- + src/packet_crypt.c | 2 +- + src/pki.c | 50 ++++++++++++++++---------------- + src/pki_container_openssh.c | 14 ++++----- + src/pki_crypto.c | 8 +++--- + src/pki_ed25519.c | 6 ++-- + src/pki_ed25519_common.c | 2 +- + src/pki_gcrypt.c | 12 ++++---- + src/pki_mbedcrypto.c | 12 ++++---- + src/poll.c | 10 +++---- + src/server.c | 23 ++++++++------- + src/session.c | 14 ++++----- + src/sftpserver.c | 12 ++++---- + src/string.c | 6 ++-- + src/threads/winlocks.c | 2 +- + src/wrapper.c | 2 +- + 61 files changed, 340 insertions(+), 324 deletions(-) + +diff --git a/doc/authentication.dox b/doc/authentication.dox +index 7d0ab81d..a0b2df84 100644 +--- a/doc/authentication.dox ++++ b/doc/authentication.dox +@@ -105,7 +105,7 @@ Here is a small example of password authentication: + @code + int authenticate_password(ssh_session session) + { +- char *password; ++ char *password = NULL; + int rc; + + password = getpass("Enter your password: "); +@@ -218,7 +218,7 @@ int authenticate_kbdint(ssh_session session) + rc = ssh_userauth_kbdint(session, NULL, NULL); + while (rc == SSH_AUTH_INFO) + { +- const char *name, *instruction; ++ const char *name = NULL, *instruction = NULL; + int nprompts, iprompt; + + name = ssh_userauth_kbdint_getname(session); +@@ -231,7 +231,7 @@ int authenticate_kbdint(ssh_session session) + printf("%s\n", instruction); + for (iprompt = 0; iprompt < nprompts; iprompt++) + { +- const char *prompt; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, iprompt, &echo); +@@ -251,7 +251,7 @@ int authenticate_kbdint(ssh_session session) + } + else + { +- char *ptr; ++ char *ptr = NULL; + + ptr = getpass(prompt); + if (ssh_userauth_kbdint_setanswer(session, iprompt, ptr) < 0) +@@ -354,7 +354,7 @@ The following example shows how to retrieve and dispose the issue banner: + int display_banner(ssh_session session) + { + int rc; +- char *banner; ++ char *banner = NULL; + + /* + *** Does not work without calling ssh_userauth_none() first *** +diff --git a/doc/command.dox b/doc/command.dox +index 588151c6..e82748ce 100644 +--- a/doc/command.dox ++++ b/doc/command.dox +@@ -22,7 +22,7 @@ a SSH session that uses this channel: + @code + int show_remote_files(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/doc/forwarding.dox b/doc/forwarding.dox +index 2b202b4d..3ca3aa8a 100644 +--- a/doc/forwarding.dox ++++ b/doc/forwarding.dox +@@ -100,7 +100,7 @@ used to retrieve google's home page from the remote SSH server. + @code + int direct_forwarding(ssh_session session) + { +- ssh_channel forwarding_channel; ++ ssh_channel forwarding_channel = NULL; + int rc = SSH_ERROR; + char *http_get = "GET / HTTP/1.1\nHost: www.google.com\n\n"; + int nbytes, nwritten; +@@ -161,7 +161,7 @@ local libssh application, which handles them: + int web_server(ssh_session session) + { + int rc; +- ssh_channel channel; ++ ssh_channel channel = NULL; + char buffer[256]; + int nbytes, nwritten; + int port = 0; +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox +index 69576f18..60f4087e 100644 +--- a/doc/guided_tour.dox ++++ b/doc/guided_tour.dox +@@ -79,7 +79,7 @@ Here is a small example of how to use it: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int verbosity = SSH_LOG_PROTOCOL; + int port = 22; + +@@ -126,7 +126,7 @@ Here's an example: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; + + my_ssh_session = ssh_new(); +@@ -190,8 +190,8 @@ int verify_knownhost(ssh_session session) + ssh_key srv_pubkey = NULL; + size_t hlen; + char buf[10]; +- char *hexa; +- char *p; ++ char *hexa = NULL; ++ char *p = NULL; + int cmp; + int rc; + +@@ -317,9 +317,9 @@ The example below shows an authentication with password: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; +- char *password; ++ char *password = NULL; + + // Open session and set options + my_ssh_session = ssh_new(); +@@ -380,7 +380,7 @@ The example below shows how to execute a remote command: + @code + int show_remote_processes(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + char buffer[256]; + int nbytes; +diff --git a/doc/shell.dox b/doc/shell.dox +index d770f27a..54d97888 100644 +--- a/doc/shell.dox ++++ b/doc/shell.dox +@@ -26,7 +26,7 @@ The code sample below achieves these tasks: + @code + int shell_session(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/examples/authentication.c b/examples/authentication.c +index 7c47c8bd..31de7cfc 100644 +--- a/examples/authentication.c ++++ b/examples/authentication.c +@@ -30,8 +30,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + + err = ssh_userauth_kbdint(session, NULL, NULL); + while (err == SSH_AUTH_INFO) { +- const char *instruction; +- const char *name; ++ const char *instruction = NULL; ++ const char *name = NULL; + char buffer[128]; + int i, n; + +@@ -48,8 +48,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + for (i = 0; i < n; i++) { +- const char *answer; +- const char *prompt; ++ const char *answer = NULL; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, i, &echo); +@@ -58,7 +58,7 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + if (echo) { +- char *p; ++ char *p = NULL; + + printf("%s", prompt); + +@@ -143,7 +143,7 @@ int authenticate_console(ssh_session session) + int rc; + int method; + char password[128] = {0}; +- char *banner; ++ char *banner = NULL; + + // Try to authenticate + rc = ssh_userauth_none(session, NULL); +diff --git a/examples/connect_ssh.c b/examples/connect_ssh.c +index c9e4ef6e..06094272 100644 +--- a/examples/connect_ssh.c ++++ b/examples/connect_ssh.c +@@ -22,7 +22,7 @@ clients must be made or how a client should react. + #include + + ssh_session connect_ssh(const char *host, const char *user,int verbosity){ +- ssh_session session; ++ ssh_session session = NULL; + int auth=0; + + session=ssh_new(); +diff --git a/examples/exec.c b/examples/exec.c +index 77d3be47..f90df364 100644 +--- a/examples/exec.c ++++ b/examples/exec.c +@@ -5,8 +5,8 @@ + #include "examples_common.h" + + int main(void) { +- ssh_session session; +- ssh_channel channel; ++ ssh_session session = NULL; ++ ssh_channel channel = NULL; + char buffer[256]; + int rbytes, wbytes, total = 0; + int rc; +diff --git a/examples/knownhosts.c b/examples/knownhosts.c +index 0726bfa8..2857a085 100644 +--- a/examples/knownhosts.c ++++ b/examples/knownhosts.c +@@ -38,7 +38,7 @@ int verify_knownhost(ssh_session session) + char buf[10]; + unsigned char *hash = NULL; + size_t hlen; +- ssh_key srv_pubkey; ++ ssh_key srv_pubkey = NULL; + int rc; + + rc = ssh_get_server_publickey(session, &srv_pubkey); +diff --git a/examples/libssh_scp.c b/examples/libssh_scp.c +index 6fdf8a4f..a332e0d2 100644 +--- a/examples/libssh_scp.c ++++ b/examples/libssh_scp.c +@@ -26,9 +26,9 @@ program. + #define BUF_SIZE 16384 + #endif + +-static char **sources; ++static char **sources = NULL; + static int nsources; +-static char *destination; ++static char *destination = NULL; + static int verbosity = 0; + + struct location { +@@ -114,9 +114,10 @@ static void location_free(struct location *loc) + } + } + +-static struct location *parse_location(char *loc) { +- struct location *location; +- char *ptr; ++static struct location *parse_location(char *loc) ++{ ++ struct location *location = NULL; ++ char *ptr = NULL; + + location = malloc(sizeof(struct location)); + if (location == NULL) { +diff --git a/examples/proxy.c b/examples/proxy.c +index 159a37e5..25451789 100644 +--- a/examples/proxy.c ++++ b/examples/proxy.c +@@ -35,8 +35,8 @@ clients must be made or how a client should react. + static int authenticated=0; + static int tries = 0; + static int error = 0; +-static ssh_channel chan=NULL; +-static char *username; ++static ssh_channel chan = NULL; ++static char *username = NULL; + static ssh_gssapi_creds client_creds = NULL; + + static int auth_password(ssh_session session, const char *user, +@@ -216,11 +216,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; +- ssh_session client_session; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; ++ ssh_session client_session = NULL; + + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, +@@ -231,7 +232,7 @@ int main(int argc, char **argv){ + + char buf[BUF_SIZE]; + char host[128]=""; +- char *ptr; ++ char *ptr = NULL; + int i,r, rc; + + sshbind=ssh_bind_new(); +@@ -348,4 +349,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-cb.c b/examples/samplesshd-cb.c +index e5b48994..693b040d 100644 +--- a/examples/samplesshd-cb.c ++++ b/examples/samplesshd-cb.c +@@ -257,10 +257,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_none_function = auth_none, +@@ -353,4 +354,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-kbdint.c b/examples/samplesshd-kbdint.c +index 6608306c..141088c2 100644 +--- a/examples/samplesshd-kbdint.c ++++ b/examples/samplesshd-kbdint.c +@@ -187,8 +187,8 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-static const char *name; +-static const char *instruction; ++static const char *name = NULL; ++static const char *instruction = NULL; + static const char *prompts[2]; + static char echo[] = { 1, 0 }; + +@@ -292,11 +292,12 @@ static int authenticate(ssh_session session) { + return 0; + } + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_message message; +- ssh_channel chan=0; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_message message = NULL; ++ ssh_channel chan = NULL; + char buf[BUF_SIZE]; + int auth=0; + int shell=0; +@@ -426,4 +427,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/scp_download.c b/examples/scp_download.c +index e6c1e796..dcaa2cb7 100644 +--- a/examples/scp_download.c ++++ b/examples/scp_download.c +@@ -108,7 +108,7 @@ static int fetch_files(ssh_session session){ + int size; + char buffer[BUF_SIZE]; + int mode; +- char *filename; ++ char *filename = NULL; + int r; + ssh_scp scp=ssh_scp_new(session, SSH_SCP_READ | SSH_SCP_RECURSIVE, "/tmp/libssh_tests/*"); + if(ssh_scp_init(scp) != SSH_OK){ +@@ -167,7 +167,7 @@ static int fetch_files(ssh_session session){ + } + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + if(opts(argc,argv)<0) + return EXIT_FAILURE; + session=connect_ssh(host,NULL,verbosity); +diff --git a/examples/senddata.c b/examples/senddata.c +index 21181fb9..78383a2b 100644 +--- a/examples/senddata.c ++++ b/examples/senddata.c +@@ -6,7 +6,7 @@ + #define LIMIT 0x100000000UL + + int main(void) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_channel channel; + char buffer[1024*1024]; + int rc; +@@ -47,7 +47,7 @@ int main(void) { + if(total > LIMIT) + break; + } +- ++ + if (rc < 0) { + printf("error : %s\n",ssh_get_error(session)); + ssh_channel_close(channel); +diff --git a/examples/ssh_client.c b/examples/ssh_client.c +index aaf0cb5b..896890c3 100644 +--- a/examples/ssh_client.c ++++ b/examples/ssh_client.c +@@ -53,7 +53,7 @@ static struct termios terminal; + + static char *pcap_file = NULL; + +-static char *proxycommand; ++static char *proxycommand = NULL; + + static int auth_callback(const char *prompt, + char *buf, +@@ -252,7 +252,7 @@ static void select_loop(ssh_session session,ssh_channel channel) + + static void shell(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + struct termios terminal_local; + int interactive=isatty(0); + +@@ -324,7 +324,7 @@ static void batch_shell(ssh_session session) + static int client(ssh_session session) + { + int auth = 0; +- char *banner; ++ char *banner = NULL; + int state; + + if (user) { +@@ -408,7 +408,7 @@ static void cleanup_pcap(void) + + int main(int argc, char **argv) + { +- ssh_session session; ++ ssh_session session = NULL; + + ssh_init(); + session = ssh_new(); +diff --git a/examples/sshd_direct-tcpip.c b/examples/sshd_direct-tcpip.c +index b0e29796..152377e9 100644 +--- a/examples/sshd_direct-tcpip.c ++++ b/examples/sshd_direct-tcpip.c +@@ -358,7 +358,7 @@ my_fd_data_function(UNUSED_PARAM(socket_t fd), + { + struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata; + ssh_channel channel = event_fd_data->channel; +- ssh_session session; ++ ssh_session session = NULL; + int len, i, wr; + char buf[BUF_SIZE]; + int blocking; +@@ -452,8 +452,8 @@ open_tcp_socket(ssh_message msg) + { + struct sockaddr_in sin; + int forwardsock = -1; +- struct hostent *host; +- const char *dest_hostname; ++ struct hostent *host = NULL; ++ const char *dest_hostname = NULL; + int dest_port; + + forwardsock = socket(AF_INET, SOCK_STREAM, 0); +@@ -496,8 +496,8 @@ message_callback(UNUSED_PARAM(ssh_session session), + UNUSED_PARAM(void *userdata)) + { + ssh_channel channel; +- int socket_fd, *pFd; +- struct ssh_channel_callbacks_struct *cb_chan; ++ int socket_fd, *pFd = NULL; ++ struct ssh_channel_callbacks_struct *cb_chan = NULL; + struct event_fd_data_struct *event_fd_data; + + _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message type: %d", +@@ -665,8 +665,8 @@ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + int + main(int argc, char **argv) + { +- ssh_session session; +- ssh_bind sshbind; ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_password_function = auth_password, +diff --git a/examples/sshnetcat.c b/examples/sshnetcat.c +index 59b0a289..8a1153a6 100644 +--- a/examples/sshnetcat.c ++++ b/examples/sshnetcat.c +@@ -39,7 +39,7 @@ clients must be made or how a client should react. + #define BUF_SIZE 4096 + #endif + +-char *host; ++char *host = NULL; + const char *desthost="localhost"; + const char *port="22"; + +@@ -193,7 +193,7 @@ static void forwarding(ssh_session session){ + + static int client(ssh_session session){ + int auth=0; +- char *banner; ++ char *banner = NULL; + int state; + + if (ssh_options_set(session, SSH_OPTIONS_HOST ,host) < 0) +@@ -246,7 +246,7 @@ void cleanup_pcap(void) + #endif + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/src/agent.c b/src/agent.c +index 6e3d7d79..c81b0805 100644 +--- a/src/agent.c ++++ b/src/agent.c +@@ -424,8 +424,9 @@ ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session, + + /* caller has to free comment */ + ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session, +- char **comment) { +- struct ssh_key_struct *key; ++ char **comment) ++{ ++ struct ssh_key_struct *key = NULL; + struct ssh_string_struct *blob = NULL; + struct ssh_string_struct *tmp = NULL; + int rc; +@@ -494,10 +495,10 @@ ssh_string ssh_agent_sign_data(ssh_session session, + const ssh_key pubkey, + struct ssh_buffer_struct *data) + { +- ssh_buffer request; +- ssh_buffer reply; +- ssh_string key_blob; +- ssh_string sig_blob; ++ ssh_buffer request = NULL; ++ ssh_buffer reply = NULL; ++ ssh_string key_blob = NULL; ++ ssh_string sig_blob = NULL; + unsigned int type = 0; + unsigned int flags = 0; + uint32_t dlen; +diff --git a/src/auth.c b/src/auth.c +index 4feb6558..98022311 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -195,8 +195,9 @@ static int ssh_userauth_get_response(ssh_session session) + * + * This banner should be shown to user prior to authentication + */ +-SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) { +- ssh_string banner; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) ++{ ++ ssh_string banner = NULL; + (void)type; + (void)user; + +@@ -1398,7 +1399,7 @@ int ssh_userauth_agent_pubkey(ssh_session session, + const char *username, + ssh_public_key publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + key = ssh_key_new(); +diff --git a/src/bind.c b/src/bind.c +index a91e6747..c331006a 100644 +--- a/src/bind.c ++++ b/src/bind.c +@@ -74,7 +74,7 @@ + static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + int port) { + char port_c[6]; +- struct addrinfo *ai; ++ struct addrinfo *ai = NULL; + struct addrinfo hints; + int opt = 1; + socket_t s; +@@ -132,8 +132,9 @@ static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + return s; + } + +-ssh_bind ssh_bind_new(void) { +- ssh_bind ptr; ++ssh_bind ssh_bind_new(void) ++{ ++ ssh_bind ptr = NULL; + + ptr = calloc(1, sizeof(struct ssh_bind_struct)); + if (ptr == NULL) { +@@ -251,7 +252,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) { + } + + int ssh_bind_listen(ssh_bind sshbind) { +- const char *host; ++ const char *host = NULL; + socket_t fd; + int rc; + +@@ -475,7 +476,7 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd) + return SSH_ERROR; + } + } else { +- char *p; ++ char *p = NULL; + /* If something was set to the session prior to calling this + * function, keep only what is allowed by the options set in + * sshbind */ +diff --git a/src/bind_config.c b/src/bind_config.c +index 27c42c95..ed42cbe3 100644 +--- a/src/bind_config.c ++++ b/src/bind_config.c +@@ -200,7 +200,7 @@ local_parse_file(ssh_bind bind, + uint8_t *seen, + unsigned int depth) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -626,7 +626,7 @@ int ssh_bind_config_parse_file(ssh_bind bind, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + uint32_t parser_flags; + int rv; + +diff --git a/src/buffer.c b/src/buffer.c +index 8991e006..62fda334 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -371,7 +371,8 @@ int ssh_buffer_allocate_size(struct ssh_buffer_struct *buffer, + */ + void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len) + { +- void *ptr; ++ void *ptr = NULL; ++ + buffer_verify(buffer); + + if (buffer->used + len < len) { +@@ -925,7 +926,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p; ++ const char *p = NULL; + union { + uint8_t byte; + uint16_t word; +@@ -934,7 +935,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + ssh_string string; + void *data; + } o; +- char *cstring; ++ char *cstring = NULL; + bignum b; + size_t len; + size_t count; +@@ -1093,7 +1094,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p = format, *last; ++ const char *p = format, *last = NULL; + union { + uint8_t *byte; + uint16_t *word; +diff --git a/src/callbacks.c b/src/callbacks.c +index 3ed2f11c..6bfed62a 100644 +--- a/src/callbacks.c ++++ b/src/callbacks.c +@@ -113,7 +113,7 @@ int ssh_add_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + + int ssh_remove_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (channel == NULL || channel->callbacks == NULL){ + return SSH_ERROR; +diff --git a/src/chachapoly.c b/src/chachapoly.c +index 2cd23854..354a0d26 100644 +--- a/src/chachapoly.c ++++ b/src/chachapoly.c +@@ -42,7 +42,7 @@ static int chacha20_set_encrypt_key(struct ssh_cipher_struct *cipher, + void *key, + void *IV) + { +- struct chacha20_poly1305_keysched *sched; ++ struct chacha20_poly1305_keysched *sched = NULL; + uint8_t *u8key = key; + (void)IV; + +diff --git a/src/channels.c b/src/channels.c +index ab6915a2..8290dbd1 100644 +--- a/src/channels.c ++++ b/src/channels.c +@@ -165,7 +165,7 @@ uint32_t ssh_channel_new_id(ssh_session session) + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){ + uint32_t channelid=0; +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + (void)type; + (void)user; +@@ -226,7 +226,7 @@ error: + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){ + +- ssh_channel channel; ++ ssh_channel channel = NULL; + char *error = NULL; + uint32_t code; + int rc; +@@ -386,7 +386,7 @@ end: + /* return channel with corresponding local id, or NULL if not found */ + ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id) { + struct ssh_iterator *it; +- ssh_channel channel; ++ ssh_channel channel = NULL; + + for (it = ssh_list_get_iterator(session->channels); it != NULL ; it=it->next) { + channel = ssh_iterator_value(ssh_channel, it); +@@ -471,7 +471,7 @@ error: + */ + static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t chan; + int rc; + +@@ -493,7 +493,7 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) + } + + SSH_PACKET_CALLBACK(channel_rcv_change_window) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t bytes; + int rc; + (void)user; +@@ -632,7 +632,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){ + } + + SSH_PACKET_CALLBACK(channel_rcv_eof) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -676,8 +676,9 @@ static bool ssh_channel_has_unread_data(ssh_channel channel) + return false; + } + +-SSH_PACKET_CALLBACK(channel_rcv_close) { +- ssh_channel channel; ++SSH_PACKET_CALLBACK(channel_rcv_close) ++{ ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -902,7 +903,7 @@ int channel_default_bufferize(ssh_channel channel, + void *data, uint32_t len, + bool is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + + if(channel == NULL) { + return -1; +@@ -1041,7 +1042,7 @@ int ssh_channel_open_auth_agent(ssh_channel channel) + int ssh_channel_open_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + ssh_string str = NULL; + int rc = SSH_ERROR; +@@ -1179,7 +1180,7 @@ error: + */ + void ssh_channel_free(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + + if (channel == NULL) { + return; +@@ -1280,7 +1281,7 @@ void ssh_channel_do_free(ssh_channel channel) + */ + int ssh_channel_send_eof(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = SSH_ERROR; + int err; + +@@ -1341,7 +1342,7 @@ error: + */ + int ssh_channel_close(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = 0; + + if(channel == NULL) { +@@ -1437,7 +1438,7 @@ static int channel_write_common(ssh_channel channel, + const void *data, + uint32_t len, int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t origlen = len; + size_t effectivelen; + size_t maxpacketlen; +@@ -1694,7 +1695,7 @@ void ssh_channel_set_blocking(ssh_channel channel, int blocking) + * @brief handle a SSH_CHANNEL_SUCCESS packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_success){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1724,7 +1725,7 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_success){ + * @brief Handle a SSH_CHANNEL_FAILURE packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_failure){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1863,7 +1864,7 @@ error: + int ssh_channel_request_pty_size(ssh_channel channel, const char *terminal, + int col, int row) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer buffer = NULL; + int rc = SSH_ERROR; + +@@ -2174,7 +2175,7 @@ static ssh_channel ssh_channel_accept(ssh_session session, int channeltype, + #endif + ssh_message msg = NULL; + ssh_channel channel = NULL; +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + int t; + + /* +@@ -2838,7 +2839,7 @@ error: + int channel_read_buffer(ssh_channel channel, ssh_buffer buffer, uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + char *buffer_tmp = NULL; + int r; + uint32_t total=0; +@@ -2979,7 +2980,7 @@ int ssh_channel_read_timeout(ssh_channel channel, + int is_stderr, + int timeout_ms) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer stdbuf; + uint32_t len; + struct ssh_channel_read_termination_struct ctx; +@@ -3103,7 +3104,7 @@ int ssh_channel_read_nonblocking(ssh_channel channel, + uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t to_read; + int rc; + int blocking; +@@ -3213,8 +3214,8 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr) + */ + int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr) + { +- ssh_session session; +- ssh_buffer stdbuf; ++ ssh_session session = NULL; ++ ssh_buffer stdbuf = NULL; + struct ssh_channel_read_termination_struct ctx; + size_t len; + int rc; +@@ -3341,7 +3342,7 @@ channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans, + ssh_channel *echans, ssh_channel *rout, + ssh_channel *wout, ssh_channel *eout) + { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int i; + int j = 0; + +@@ -3422,7 +3423,7 @@ static size_t count_ptrs(ssh_channel *ptrs) + int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans, + ssh_channel *exceptchans, struct timeval * timeout) + { +- ssh_channel *rchans, *wchans, *echans; ++ ssh_channel *rchans = NULL, *wchans = NULL, *echans = NULL; + ssh_channel dummy = NULL; + ssh_event event = NULL; + int rc; +@@ -3615,7 +3616,7 @@ int ssh_channel_write_stderr(ssh_channel channel, const void *data, uint32_t len + int ssh_channel_open_reverse_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +@@ -3679,7 +3680,7 @@ error: + int ssh_channel_open_x11(ssh_channel channel, + const char *orig_addr, int orig_port) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +diff --git a/src/client.c b/src/client.c +index e912090e..0cfca1c4 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -748,7 +748,7 @@ ssh_session_set_disconnect_message(ssh_session session, const char *message) + void + ssh_disconnect(ssh_session session) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + int rc; + + if (session == NULL) { +diff --git a/src/config.c b/src/config.c +index c5c40125..d4d8d419 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -203,7 +203,7 @@ local_parse_file(ssh_session session, + unsigned int depth, + bool global) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -1201,7 +1201,7 @@ int ssh_config_parse_file(ssh_session session, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + int parsing, rv; + bool global = 0; + +diff --git a/src/config_parser.c b/src/config_parser.c +index b8b94611..e55c76d0 100644 +--- a/src/config_parser.c ++++ b/src/config_parser.c +@@ -39,8 +39,8 @@ + */ + char *ssh_config_get_cmd(char **str) + { +- register char *c; +- char *r; ++ register char *c = NULL; ++ char *r = NULL; + + /* Ignore leading spaces */ + for (c = *str; *c; c++) { +@@ -67,7 +67,7 @@ out: + */ + char *ssh_config_get_token(char **str) + { +- register char *c; ++ register char *c = NULL; + bool had_equal = false; + char *r = NULL; + +@@ -116,7 +116,7 @@ out: + + long ssh_config_get_long(char **str, long notfound) + { +- char *p, *endp; ++ char *p = NULL, *endp = NULL; + long i; + + p = ssh_config_get_token(str); +@@ -133,7 +133,7 @@ long ssh_config_get_long(char **str, long notfound) + + const char *ssh_config_get_str_tok(char **str, const char *def) + { +- char *p; ++ char *p = NULL; + + p = ssh_config_get_token(str); + if (p && *p) { +@@ -145,7 +145,7 @@ const char *ssh_config_get_str_tok(char **str, const char *def) + + int ssh_config_get_yesno(char **str, int notfound) + { +- const char *p; ++ const char *p = NULL; + + p = ssh_config_get_str_tok(str, NULL); + if (p == NULL) { +diff --git a/src/connect.c b/src/connect.c +index 15cae644..2d09af5e 100644 +--- a/src/connect.c ++++ b/src/connect.c +@@ -194,8 +194,8 @@ socket_t ssh_connect_host_nonblocking(ssh_session session, const char *host, + } + + if (bind_addr) { +- struct addrinfo *bind_ai; +- struct addrinfo *bind_itr; ++ struct addrinfo *bind_ai = NULL; ++ struct addrinfo *bind_itr = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Resolving %s", bind_addr); + +diff --git a/src/connector.c b/src/connector.c +index 56716749..6632cca1 100644 +--- a/src/connector.c ++++ b/src/connector.c +@@ -637,8 +637,9 @@ error: + return rc; + } + +-int ssh_connector_remove_event(ssh_connector connector) { +- ssh_session session; ++int ssh_connector_remove_event(ssh_connector connector) ++{ ++ ssh_session session = NULL; + + if (connector->in_poll != NULL) { + ssh_event_remove_poll(connector->event, connector->in_poll); +diff --git a/src/dh_crypto.c b/src/dh_crypto.c +index 9ff7ad3c..4dd9b507 100644 +--- a/src/dh_crypto.c ++++ b/src/dh_crypto.c +@@ -404,7 +404,7 @@ done: + */ + int ssh_dh_init_common(struct ssh_crypto_struct *crypto) + { +- struct dh_ctx *ctx; ++ struct dh_ctx *ctx = NULL; + int rc; + + ctx = calloc(1, sizeof(*ctx)); +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index 3d9d426f..73fcd50f 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -132,9 +132,9 @@ int ecdh_build_k(ssh_session session) + #else + size_t k_len = 0; + enum ssh_key_exchange_e kex_type = session->next_crypto->kex_type; +- ssh_string s; ++ ssh_string s = NULL; + #endif +- ssh_string pubkey_raw; ++ ssh_string pubkey_raw = NULL; + gcry_sexp_t pubkey = NULL; + ssh_string privkey = NULL; + int rc = SSH_ERROR; +diff --git a/src/gcrypt_missing.c b/src/gcrypt_missing.c +index e931ec5b..56dcfb6d 100644 +--- a/src/gcrypt_missing.c ++++ b/src/gcrypt_missing.c +@@ -47,7 +47,7 @@ int ssh_gcry_dec2bn(bignum *bn, const char *data) { + + char *ssh_gcry_bn2dec(bignum bn) { + bignum bndup, num, ten; +- char *ret; ++ char *ret = NULL; + int count, count2; + int size, rsize; + char decnum; +diff --git a/src/getpass.c b/src/getpass.c +index 6be33c77..c19c4bc0 100644 +--- a/src/getpass.c ++++ b/src/getpass.c +@@ -46,7 +46,7 @@ + */ + static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) + { +- char *tmp; ++ char *tmp = NULL; + char *ptr = NULL; + int ok = 0; + +@@ -78,7 +78,7 @@ static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) + } + + if (verify) { +- char *key_string; ++ char *key_string = NULL; + + key_string = calloc(1, len); + if (key_string == NULL) { +diff --git a/src/gssapi.c b/src/gssapi.c +index 5325ac72..fd7b25af 100644 +--- a/src/gssapi.c ++++ b/src/gssapi.c +@@ -196,7 +196,7 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user, + gss_name_t server_name; /* local server fqdn */ + OM_uint32 maj_stat, min_stat; + size_t i; +- char *ptr; ++ char *ptr = NULL; + gss_OID_set supported; /* oids supported by server */ + gss_OID_set both_supported; /* oids supported by both client and server */ + gss_OID_set selected; /* oid selected for authentication */ +@@ -341,7 +341,7 @@ static char *ssh_gssapi_name_to_char(gss_name_t name) + { + gss_buffer_desc buffer; + OM_uint32 maj_stat, min_stat; +- char *ptr; ++ char *ptr = NULL; + maj_stat = gss_display_name(&min_stat, name, &buffer, NULL); + ssh_gssapi_log_error(SSH_LOG_WARNING, + "converting name", +@@ -359,9 +359,10 @@ static char *ssh_gssapi_name_to_char(gss_name_t name) + + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ +- ssh_string token; +- char *hexa; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server) ++{ ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + gss_name_t client_name = GSS_C_NO_NAME; +@@ -385,7 +386,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ + } + + if (ssh_callbacks_exists(session->server_callbacks, gssapi_accept_sec_ctx_function)){ +- ssh_string out_token=NULL; ++ ssh_string out_token = NULL; + rc = session->server_callbacks->gssapi_accept_sec_ctx_function(session, + token, &out_token, session->server_callbacks->userdata); + if (rc == SSH_ERROR){ +@@ -507,7 +508,7 @@ static ssh_buffer ssh_gssapi_build_mic(ssh_session session) + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_mic) + { +- ssh_string mic_token; ++ ssh_string mic_token = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER; + gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER; +@@ -670,7 +671,7 @@ static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids) + gss_name_t client_id = GSS_C_NO_NAME; + gss_OID oid; + unsigned int i; +- char *ptr; ++ char *ptr = NULL; + int ret; + + if (session->gssapi->client.client_deleg_creds == NULL) { +@@ -866,11 +867,11 @@ static gss_OID ssh_gssapi_oid_from_string(ssh_string oid_s) + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ + int rc; +- ssh_string oid_s; ++ ssh_string oid_s = NULL; + gss_uint32 maj_stat, min_stat; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; +- char *hexa; ++ char *hexa = NULL; + (void)type; + (void)user; + +@@ -987,10 +988,11 @@ static int ssh_gssapi_send_mic(ssh_session session) + return ssh_packet_send(session); + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){ ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client) ++{ + int rc; +- ssh_string token; +- char *hexa; ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + (void)user; +diff --git a/src/kex.c b/src/kex.c +index fbc70cf4..ecfc0120 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -330,7 +330,7 @@ static int cmp_first_kex_algo(const char *client_str, + size_t client_kex_len; + size_t server_kex_len; + +- char *colon; ++ char *colon = NULL; + + int is_wrong = 1; + +@@ -762,7 +762,7 @@ char *ssh_client_select_hostkeys(ssh_session session) + int ssh_set_client_kex(ssh_session session) + { + struct ssh_kex_struct *client = &session->next_crypto->client_kex; +- const char *wanted; ++ const char *wanted = NULL; + int ok; + int i; + +diff --git a/src/known_hosts.c b/src/known_hosts.c +index 84e15572..f660a6f3 100644 +--- a/src/known_hosts.c ++++ b/src/known_hosts.c +@@ -79,8 +79,8 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + const char **found_type) + { + char buffer[MAX_LINE_SIZE] = {0}; +- char *ptr; +- struct ssh_tokens_st *tokens; ++ char *ptr = NULL; ++ struct ssh_tokens_st *tokens = NULL; + + if (*file == NULL) { + *file = fopen(filename,"r"); +@@ -149,7 +149,7 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + static int check_public_key(ssh_session session, char **tokens) { + ssh_string pubkey_blob = NULL; + ssh_buffer pubkey_buffer; +- char *pubkey_64; ++ char *pubkey_64 = NULL; + int rc; + + /* ssh-dss or ssh-rsa */ +@@ -205,11 +205,11 @@ static int match_hashed_host(const char *host, const char *sourcehash) + * hash := HMAC_SHA1(key=salt,data=host) + */ + unsigned char buffer[256] = {0}; +- ssh_buffer salt; +- ssh_buffer hash; +- HMACCTX mac; +- char *source; +- char *b64hash; ++ ssh_buffer salt = NULL; ++ ssh_buffer hash = NULL; ++ HMACCTX mac = NULL; ++ char *source = NULL; ++ char *b64hash = NULL; + int match, rc; + size_t size; + +@@ -304,14 +304,14 @@ static int match_hashed_host(const char *host, const char *sourcehash) + int ssh_is_server_known(ssh_session session) + { + FILE *file = NULL; +- char *host; +- char *hostport; +- const char *type; ++ char *host = NULL; ++ char *hostport = NULL; ++ const char *type = NULL; + int match; + int i = 0; +- char *files[3]; ++ char *files[3] = {0}; + +- struct ssh_tokens_st *tokens; ++ struct ssh_tokens_st *tokens = NULL; + + int ret = SSH_SERVER_NOT_KNOWN; + +@@ -443,12 +443,13 @@ int ssh_is_server_known(ssh_session session) + * @deprecated Please use ssh_session_export_known_hosts_entry() + * @brief This function is deprecated. + */ +-char * ssh_dump_knownhost(ssh_session session) { ++char *ssh_dump_knownhost(ssh_session session) ++{ + ssh_key server_pubkey = NULL; +- char *host; +- char *hostport; +- char *buffer; +- char *b64_key; ++ char *host = NULL; ++ char *hostport = NULL; ++ char *buffer = NULL; ++ char *b64_key = NULL; + int rc; + + if (session->opts.host == NULL) { +@@ -513,9 +514,9 @@ char * ssh_dump_knownhost(ssh_session session) { + */ + int ssh_write_knownhost(ssh_session session) + { +- FILE *file; ++ FILE *file = NULL; + char *buffer = NULL; +- char *dir; ++ char *dir = NULL; + int rc; + + if (session->opts.knownhosts == NULL) { +diff --git a/src/knownhosts.c b/src/knownhosts.c +index 9f978096..109b4f06 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -61,7 +61,7 @@ static int hash_hostname(const char *name, + size_t *hash_size) + { + int rc; +- HMACCTX mac_ctx; ++ HMACCTX mac_ctx = NULL; + + mac_ctx = hmac_init(salt, salt_size, SSH_HMAC_SHA1); + if (mac_ctx == NULL) { +@@ -81,8 +81,8 @@ static int hash_hostname(const char *name, + + static int match_hashed_hostname(const char *host, const char *hashed_host) + { +- char *hashed; +- char *b64_hash; ++ char *hashed = NULL; ++ char *b64_hash = NULL; + ssh_buffer salt = NULL; + ssh_buffer hash = NULL; + unsigned char hashed_buf[256] = {0}; +@@ -229,7 +229,7 @@ static int ssh_known_hosts_read_entries(const char *match, + char line[MAX_LINE_SIZE]; + size_t lineno = 0; + size_t len = 0; +- FILE *fp; ++ FILE *fp = NULL; + int rc; + + fp = fopen(filename, "r"); +@@ -288,7 +288,7 @@ static int ssh_known_hosts_read_entries(const char *match, + for (it = ssh_list_get_iterator(*entries); + it != NULL; + it = it->next) { +- struct ssh_knownhosts_entry *entry2; ++ struct ssh_knownhosts_entry *entry2 = NULL; + int cmp; + entry2 = ssh_iterator_value(struct ssh_knownhosts_entry *, it); + cmp = ssh_known_hosts_entries_compare(entry, entry2); +@@ -312,8 +312,8 @@ error: + + static char *ssh_session_get_host_port(ssh_session session) + { +- char *host_port; +- char *host; ++ char *host_port = NULL; ++ char *host = NULL; + + if (session->opts.host == NULL) { + ssh_set_error(session, +@@ -537,7 +537,7 @@ char *ssh_known_hosts_get_algorithms_names(ssh_session session) + char *host_port = NULL; + size_t count; + bool needcomma = false; +- char *names; ++ char *names = NULL; + + int rc; + +@@ -645,7 +645,7 @@ int ssh_known_hosts_parse_line(const char *hostname, + { + struct ssh_knownhosts_entry *e = NULL; + char *known_host = NULL; +- char *p; ++ char *p = NULL; + char *save_tok = NULL; + enum ssh_keytypes_e key_type; + int match = 0; +diff --git a/src/legacy.c b/src/legacy.c +index 7b165dbe..7359040c 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -48,7 +48,7 @@ int ssh_auth_list(ssh_session session) { + int ssh_userauth_offer_pubkey(ssh_session session, const char *username, + int type, ssh_string publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -70,7 +70,7 @@ int ssh_userauth_pubkey(ssh_session session, + ssh_string publickey, + ssh_private_key privatekey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) publickey; /* unused */ +@@ -389,10 +389,11 @@ void publickey_free(ssh_public_key key) { + SAFE_FREE(key); + } + +-ssh_public_key publickey_from_privatekey(ssh_private_key prv) { +- struct ssh_public_key_struct *p; +- ssh_key privkey; +- ssh_key pubkey; ++ssh_public_key publickey_from_privatekey(ssh_private_key prv) ++{ ++ struct ssh_public_key_struct *p = NULL; ++ ssh_key privkey = NULL; ++ ssh_key pubkey = NULL; + int rc; + + privkey = ssh_key_new(); +@@ -434,8 +435,8 @@ ssh_private_key privatekey_from_file(ssh_session session, + const char *passphrase) { + ssh_auth_callback auth_fn = NULL; + void *auth_data = NULL; +- ssh_private_key privkey; +- ssh_key key; ++ ssh_private_key privkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -510,7 +511,7 @@ void privatekey_free(ssh_private_key prv) { + + ssh_string publickey_from_file(ssh_session session, const char *filename, + int *type) { +- ssh_key key; ++ ssh_key key = NULL; + ssh_string key_str = NULL; + int rc; + +@@ -543,9 +544,10 @@ int ssh_type_from_name(const char *name) { + return ssh_key_type_from_name(name); + } + +-ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { +- struct ssh_public_key_struct *pubkey; +- ssh_key key; ++ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) ++{ ++ struct ssh_public_key_struct *pubkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) session; /* unused */ +@@ -579,9 +581,10 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { + return pubkey; + } + +-ssh_string publickey_to_string(ssh_public_key pubkey) { +- ssh_key key; +- ssh_string key_blob; ++ssh_string publickey_to_string(ssh_public_key pubkey) ++{ ++ ssh_key key = NULL; ++ ssh_string key_blob = NULL; + int rc; + + if (pubkey == NULL) { +@@ -624,11 +627,11 @@ int ssh_publickey_to_file(ssh_session session, + ssh_string pubkey, + int type) + { +- FILE *fp; +- char *user; ++ FILE *fp = NULL; ++ char *user = NULL; + char buffer[1024]; + char host[256]; +- unsigned char *pubkey_64; ++ unsigned char *pubkey_64 = NULL; + size_t len; + int rc; + if(session==NULL) +@@ -695,9 +698,9 @@ int ssh_try_publickey_from_file(ssh_session session, + const char *keyfile, + ssh_string *publickey, + int *type) { +- char *pubkey_file; ++ char *pubkey_file = NULL; + size_t len; +- ssh_string pubkey_string; ++ ssh_string pubkey_string = NULL; + int pubkey_type; + + if (session == NULL || keyfile == NULL || publickey == NULL || type == NULL) { +diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c +index caa3b6e9..422d5ae2 100644 +--- a/src/libmbedcrypto.c ++++ b/src/libmbedcrypto.c +@@ -133,7 +133,7 @@ cipher_init(struct ssh_cipher_struct *cipher, + void *IV) + { + const mbedtls_cipher_info_t *cipher_info = NULL; +- mbedtls_cipher_context_t *ctx; ++ mbedtls_cipher_context_t *ctx = NULL; + size_t key_bitlen = 0; + size_t iv_size = 0; + int rc; +diff --git a/src/log.c b/src/log.c +index 5bae18b8..fabbe945 100644 +--- a/src/log.c ++++ b/src/log.c +@@ -44,7 +44,7 @@ + + static LIBSSH_THREAD int ssh_log_level; + static LIBSSH_THREAD ssh_logging_callback ssh_log_cb; +-static LIBSSH_THREAD void *ssh_log_userdata; ++static LIBSSH_THREAD void *ssh_log_userdata = NULL; + + /** + * @defgroup libssh_log The SSH logging functions +diff --git a/src/messages.c b/src/messages.c +index 3f969536..6dadabf0 100644 +--- a/src/messages.c ++++ b/src/messages.c +@@ -479,7 +479,7 @@ static void ssh_message_queue(ssh_session session, ssh_message message) + */ + ssh_message ssh_message_pop_head(ssh_session session){ + ssh_message msg=NULL; +- struct ssh_iterator *i; ++ struct ssh_iterator *i = NULL; + if(session->ssh_message_list == NULL) + return NULL; + i=ssh_list_get_iterator(session->ssh_message_list); +@@ -493,7 +493,7 @@ ssh_message ssh_message_pop_head(ssh_session session){ + /* Returns 1 if there is a message available */ + static int ssh_message_termination(void *s){ + ssh_session session = s; +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + if(session->session_state == SSH_SESSION_STATE_ERROR) + return 1; + it = ssh_list_get_iterator(session->ssh_message_list); +@@ -694,7 +694,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, + ssh_string algo) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_buffer buffer; ++ ssh_buffer buffer = NULL; + ssh_string str=NULL; + int rc; + +@@ -933,9 +933,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ + #ifdef WITH_GSSAPI + if (strcmp(method, "gssapi-with-mic") == 0) { + uint32_t n_oid; +- ssh_string *oids; +- ssh_string oid; +- char *hexa; ++ ssh_string *oids = NULL; ++ ssh_string oid = NULL; ++ char *hexa = NULL; + int i; + ssh_buffer_get_u32(packet, &n_oid); + n_oid=ntohl(n_oid); +@@ -1019,7 +1019,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + uint32_t nanswers; + uint32_t i; +- ssh_string tmp; ++ ssh_string tmp = NULL; + int rc; + + ssh_message msg = NULL; +@@ -1251,7 +1251,7 @@ end: + * @returns SSH_OK on success, SSH_ERROR if an error occurred. + */ + int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan) { +- ssh_session session; ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1302,7 +1302,7 @@ int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_c + * @returns NULL in case of error + */ + ssh_channel ssh_message_channel_request_open_reply_accept(ssh_message msg) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int rc; + + if (msg == NULL) { +diff --git a/src/misc.c b/src/misc.c +index 7081f12a..f371f332 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -393,7 +393,7 @@ int ssh_is_ipaddr(const char *str) + + char *ssh_lowercase(const char* str) + { +- char *new, *p; ++ char *new = NULL, *p = NULL; + + if (str == NULL) { + return NULL; +@@ -447,7 +447,7 @@ char *ssh_hostport(const char *host, int port) + char *ssh_get_hexa(const unsigned char *what, size_t len) + { + const char h[] = "0123456789abcdef"; +- char *hexa; ++ char *hexa = NULL; + size_t i; + size_t hlen = len * 3; + +@@ -716,7 +716,7 @@ struct ssh_list *ssh_list_new(void) + + void ssh_list_free(struct ssh_list *list) + { +- struct ssh_iterator *ptr, *next; ++ struct ssh_iterator *ptr = NULL, *next = NULL; + if (!list) + return; + ptr = list->root; +@@ -737,7 +737,7 @@ struct ssh_iterator *ssh_list_get_iterator(const struct ssh_list *list) + + struct ssh_iterator *ssh_list_find(const struct ssh_list *list, void *value) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + for (it = ssh_list_get_iterator(list); it != NULL ; it = it->next) + if (it->data == value) +@@ -826,7 +826,7 @@ int ssh_list_prepend(struct ssh_list *list, const void *data) + + void ssh_list_remove(struct ssh_list *list, struct ssh_iterator *iterator) + { +- struct ssh_iterator *ptr, *prev; ++ struct ssh_iterator *ptr = NULL, *prev = NULL; + + if (list == NULL) { + return; +@@ -967,7 +967,7 @@ char *ssh_dirname (const char *path) + char *ssh_basename (const char *path) + { + char *new = NULL; +- const char *s; ++ const char *s = NULL; + size_t len; + + if (path == NULL || *path == '\0') { +@@ -1105,8 +1105,8 @@ int ssh_mkdirs(const char *pathname, mode_t mode) + */ + char *ssh_path_expand_tilde(const char *d) + { +- char *h = NULL, *r; +- const char *p; ++ char *h = NULL, *r = NULL; ++ const char *p = NULL; + size_t ld; + size_t lh = 0; + +@@ -1121,7 +1121,7 @@ char *ssh_path_expand_tilde(const char *d) + #ifdef _WIN32 + return strdup(d); + #else +- struct passwd *pw; ++ struct passwd *pw = NULL; + size_t s = p - d; + char u[128]; + +@@ -1182,7 +1182,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) + char *buf = NULL; + char *r = NULL; + char *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -1335,8 +1335,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) + */ + int ssh_analyze_banner(ssh_session session, int server) + { +- const char *banner; +- const char *openssh; ++ const char *banner = NULL; ++ const char *openssh = NULL; + + if (server) { + banner = session->clientbanner; +diff --git a/src/options.c b/src/options.c +index 38511455..b641b34f 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -67,7 +67,7 @@ + */ + int ssh_options_copy(ssh_session src, ssh_session *dest) + { +- ssh_session new; ++ ssh_session new = NULL; + struct ssh_iterator *it = NULL; + struct ssh_list *list = NULL; + char *id = NULL; +@@ -499,8 +499,8 @@ int ssh_options_set_algo(ssh_session session, + int ssh_options_set(ssh_session session, enum ssh_options_e type, + const void *value) + { +- const char *v; +- char *p, *q; ++ const char *v = NULL; ++ char *p = NULL, *q = NULL; + long int i; + unsigned int u; + int rc; +@@ -1170,7 +1170,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) { + */ + int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + { +- char* src = NULL; ++ char *src = NULL; + + if (session == NULL) { + return SSH_ERROR; +@@ -1192,7 +1192,7 @@ int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + break; + } + case SSH_OPTIONS_IDENTITY: { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + it = ssh_list_get_iterator(session->opts.identity); + if (it == NULL) { + it = ssh_list_get_iterator(session->opts.identity_non_exp); +@@ -1445,7 +1445,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv) + */ + int ssh_options_parse_config(ssh_session session, const char *filename) + { +- char *expanded_filename; ++ char *expanded_filename = NULL; + int r; + + if (session == NULL) { +@@ -1491,7 +1491,7 @@ out: + + int ssh_options_apply(ssh_session session) + { +- char *tmp; ++ char *tmp = NULL; + int rc; + + if (session->opts.sshdir == NULL) { +@@ -2204,7 +2204,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + char *buf = NULL; + char *r = NULL; + char *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -2310,7 +2310,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename) + { + int rc = 0; +- char *expanded_filename; ++ char *expanded_filename = NULL; + + if (sshbind == NULL) { + return -1; +diff --git a/src/packet.c b/src/packet.c +index ea73f9ad..4b4d0dc3 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -1430,8 +1430,8 @@ error: + static void ssh_packet_socket_controlflow_callback(int code, void *userdata) + { + ssh_session session = userdata; +- struct ssh_iterator *it; +- ssh_channel channel; ++ struct ssh_iterator *it = NULL; ++ ssh_channel channel = NULL; + + if (code == SSH_SOCKET_FLOW_WRITEWONTBLOCK) { + SSH_LOG(SSH_LOG_TRACE, "sending channel_write_wontblock callback"); +@@ -1894,7 +1894,7 @@ int ssh_packet_send(ssh_session session) + + /* We finished the key exchange so we can try to send our queue now */ + if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) { + /* reset packet sequence number when running in strict kex mode */ +diff --git a/src/packet_crypt.c b/src/packet_crypt.c +index fe3f489e..96e9586c 100644 +--- a/src/packet_crypt.c ++++ b/src/packet_crypt.c +@@ -262,7 +262,7 @@ int ssh_packet_hmac_verify(ssh_session session, + { + struct ssh_crypto_struct *crypto = NULL; + unsigned char hmacbuf[DIGEST_MAX_LEN] = {0}; +- HMACCTX ctx; ++ HMACCTX ctx = NULL; + size_t hmaclen = DIGEST_MAX_LEN; + uint32_t seq; + int cmp; +diff --git a/src/pki.c b/src/pki.c +index a7c84c5e..cf4176fb 100644 +--- a/src/pki.c ++++ b/src/pki.c +@@ -369,7 +369,7 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name) + */ + int ssh_key_algorithm_allowed(ssh_session session, const char *type) + { +- const char *allowed_list; ++ const char *allowed_list = NULL; + + if (session->client) { + allowed_list = session->opts.pubkey_accepted_types; +@@ -729,7 +729,7 @@ int ssh_key_cmp(const ssh_key k1, + + ssh_signature ssh_signature_new(void) + { +- struct ssh_signature_struct *sig; ++ struct ssh_signature_struct *sig = NULL; + + sig = malloc(sizeof(struct ssh_signature_struct)); + if (sig == NULL) { +@@ -821,7 +821,7 @@ int ssh_pki_import_privkey_base64(const char *b64_key, + void *auth_data, + ssh_key *pkey) + { +- ssh_key key; ++ ssh_key key = NULL; + char *openssh_header = NULL; + + if (b64_key == NULL || pkey == NULL) { +@@ -944,8 +944,8 @@ int ssh_pki_import_privkey_file(const char *filename, + void *auth_data, + ssh_key *pkey) { + struct stat sb; +- char *key_buf; +- FILE *file; ++ char *key_buf = NULL; ++ FILE *file = NULL; + off_t size; + int rc; + char err_msg[SSH_ERRNO_MSG_MAX] = {0}; +@@ -1046,7 +1046,7 @@ int ssh_pki_export_privkey_file(const ssh_key privkey, + void *auth_data, + const char *filename) + { +- ssh_string blob; ++ ssh_string blob = NULL; + FILE *fp; + int rc; + +@@ -1093,8 +1093,8 @@ int ssh_pki_export_privkey_file(const ssh_key privkey, + /* temporary function to migrate seamlessly to ssh_key */ + ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) + { +- ssh_public_key pub; +- ssh_key tmp; ++ ssh_public_key pub = NULL; ++ ssh_key tmp = NULL; + + if (key == NULL) { + return NULL; +@@ -1131,7 +1131,7 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) + + ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key) + { +- ssh_private_key privkey; ++ ssh_private_key privkey = NULL; + + privkey = calloc(1, sizeof(struct ssh_private_key_struct)); + if (privkey == NULL) { +@@ -1521,9 +1521,9 @@ static int pki_import_cert_buffer(ssh_buffer buffer, + enum ssh_keytypes_e type, + ssh_key *pkey) + { +- ssh_buffer cert; +- ssh_string tmp_s; +- const char *type_c; ++ ssh_buffer cert = NULL; ++ ssh_string tmp_s = NULL; ++ const char *type_c = NULL; + ssh_key key = NULL; + int rc; + +@@ -2067,7 +2067,7 @@ error: + int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + ssh_key *pkey) + { +- ssh_key pubkey; ++ ssh_key pubkey = NULL; + + if (privkey == NULL || !ssh_key_is_private(privkey)) { + return SSH_ERROR; +@@ -2105,7 +2105,7 @@ int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + int ssh_pki_export_pubkey_blob(const ssh_key key, + ssh_string *pblob) + { +- ssh_string blob; ++ ssh_string blob = NULL; + + if (key == NULL) { + return SSH_OK; +@@ -2135,8 +2135,8 @@ int ssh_pki_export_pubkey_blob(const ssh_key key, + int ssh_pki_export_pubkey_base64(const ssh_key key, + char **b64_key) + { +- ssh_string key_blob; +- unsigned char *b64; ++ ssh_string key_blob = NULL; ++ unsigned char *b64 = NULL; + + if (key == NULL || b64_key == NULL) { + return SSH_ERROR; +@@ -2175,9 +2175,9 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + { + char key_buf[MAX_LINE_SIZE]; + char host[256]; +- char *b64_key; +- char *user; +- FILE *fp; ++ char *b64_key = NULL; ++ char *user = NULL; ++ FILE *fp = NULL; + int rc; + + if (key == NULL || filename == NULL || *filename == '\0') { +@@ -2238,7 +2238,7 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + * @returns SSH_OK on success, SSH_ERROR otherwise. + **/ + int ssh_pki_copy_cert_to_privkey(const ssh_key certkey, ssh_key privkey) { +- ssh_buffer cert_buffer; ++ ssh_buffer cert_buffer = NULL; + int rc; + + if (certkey == NULL || privkey == NULL) { +@@ -2273,7 +2273,7 @@ int ssh_pki_export_signature_blob(const ssh_signature sig, + ssh_string *sig_blob) + { + ssh_buffer buf = NULL; +- ssh_string str; ++ ssh_string str = NULL; + int rc; + + if (sig == NULL || sig_blob == NULL) { +@@ -2337,7 +2337,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, + enum ssh_keytypes_e type; + enum ssh_digest_e hash_type; + ssh_string algorithm = NULL, blob = NULL; +- ssh_buffer buf; ++ ssh_buffer buf = NULL; + const char *alg = NULL; + uint8_t flags = 0; + uint32_t counter = 0; +@@ -2697,9 +2697,9 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session, + const ssh_key pubkey) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_string session_id; +- ssh_string sig_blob; +- ssh_buffer sig_buf; ++ ssh_string session_id = NULL; ++ ssh_string sig_blob = NULL; ++ ssh_buffer sig_buf = NULL; + int rc; + + crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_BOTH); +diff --git a/src/pki_container_openssh.c b/src/pki_container_openssh.c +index 4314c5b7..f2776c2c 100644 +--- a/src/pki_container_openssh.c ++++ b/src/pki_container_openssh.c +@@ -234,12 +234,12 @@ ssh_pki_openssh_import(const char *text_key, + bool private) + { + const char *ptr = text_key; +- const char *end; +- char *base64; ++ const char *end = NULL; ++ char *base64 = NULL; + int cmp; + int rc; + int i; +- ssh_buffer buffer = NULL, privkey_buffer=NULL; ++ ssh_buffer buffer = NULL, privkey_buffer = NULL; + char *magic = NULL, *ciphername = NULL, *kdfname = NULL; + uint32_t nkeys = 0, checkint1 = 0, checkint2 = 0xFFFF; + ssh_string kdfoptions = NULL; +@@ -538,14 +538,14 @@ ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey, + { + ssh_buffer buffer; + ssh_string str = NULL; +- ssh_string pubkey_s=NULL; ++ ssh_string pubkey_s = NULL; + ssh_buffer privkey_buffer = NULL; + uint32_t rnd; + uint32_t rounds = 16; +- ssh_string salt=NULL; +- ssh_string kdf_options=NULL; ++ ssh_string salt = NULL; ++ ssh_string kdf_options = NULL; + int to_encrypt=0; +- unsigned char *b64; ++ unsigned char *b64 = NULL; + uint32_t str_len, len; + uint8_t padding = 1; + int ok; +diff --git a/src/pki_crypto.c b/src/pki_crypto.c +index aec49544..0fc69121 100644 +--- a/src/pki_crypto.c ++++ b/src/pki_crypto.c +@@ -382,7 +382,7 @@ int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e) + #else + int rc; + const char *group_name = OSSL_EC_curve_nid2name(nid); +- OSSL_PARAM_BLD *param_bld; ++ OSSL_PARAM_BLD *param_bld = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + + key->ecdsa_nid = nid; +@@ -2299,7 +2299,7 @@ static ssh_string pki_ecdsa_signature_to_blob(const ssh_signature sig) + const unsigned char *raw_sig_data = NULL; + size_t raw_sig_len; + +- ECDSA_SIG *ecdsa_sig; ++ ECDSA_SIG *ecdsa_sig = NULL; + + int rc; + +@@ -2616,8 +2616,8 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey), + ECDSA_SIG *ecdsa_sig = NULL; + BIGNUM *pr = NULL, *ps = NULL; + +- ssh_string r; +- ssh_string s; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + + ssh_buffer buf = NULL; + uint32_t rlen; +diff --git a/src/pki_ed25519.c b/src/pki_ed25519.c +index 6a5a4a8a..0674fb63 100644 +--- a/src/pki_ed25519.c ++++ b/src/pki_ed25519.c +@@ -62,7 +62,7 @@ int pki_ed25519_sign(const ssh_key privkey, + size_t hlen) + { + int rc; +- uint8_t *buffer; ++ uint8_t *buffer = NULL; + uint64_t dlen = 0; + + buffer = malloc(hlen + ED25519_SIG_LEN); +@@ -104,8 +104,8 @@ int pki_ed25519_verify(const ssh_key pubkey, + size_t hlen) + { + uint64_t mlen = 0; +- uint8_t *buffer; +- uint8_t *buffer2; ++ uint8_t *buffer = NULL; ++ uint8_t *buffer2 = NULL; + int rc; + + if (pubkey == NULL || sig == NULL || +diff --git a/src/pki_ed25519_common.c b/src/pki_ed25519_common.c +index bdc6f6bb..59a3b03c 100644 +--- a/src/pki_ed25519_common.c ++++ b/src/pki_ed25519_common.c +@@ -213,7 +213,7 @@ int pki_ed25519_public_key_to_blob(ssh_buffer buffer, ssh_key key) + */ + ssh_string pki_ed25519_signature_to_blob(ssh_signature sig) + { +- ssh_string sig_blob; ++ ssh_string sig_blob = NULL; + int rc; + + #ifdef HAVE_OPENSSL_ED25519 +diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c +index 418a46b3..cb4de325 100644 +--- a/src/pki_gcrypt.c ++++ b/src/pki_gcrypt.c +@@ -152,7 +152,7 @@ static ssh_string asn1_get_int(ssh_buffer buffer) { + + static ssh_string asn1_get_bit_string(ssh_buffer buffer) + { +- ssh_string str; ++ ssh_string str = NULL; + unsigned char type; + uint32_t size; + unsigned char unused, last, *p; +@@ -1882,9 +1882,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P521: + #ifdef HAVE_GCRYPT_ECC + { +- ssh_string R; +- ssh_string S; +- ssh_buffer b; ++ ssh_string R = NULL; ++ ssh_string S = NULL; ++ ssh_buffer b = NULL; + + b = ssh_buffer_new(); + if (b == NULL) { +@@ -2054,8 +2054,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_SK_ECDSA: + #ifdef HAVE_GCRYPT_ECC + { /* build ecdsa siganature */ +- ssh_buffer b; +- ssh_string r, s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL, s = NULL; + uint32_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c +index cb9d3228..01813702 100644 +--- a/src/pki_mbedcrypto.c ++++ b/src/pki_mbedcrypto.c +@@ -1078,9 +1078,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { +- ssh_string r; +- ssh_string s; +- ssh_buffer b; ++ ssh_string r = NULL; ++ ssh_string s = NULL; ++ ssh_buffer b = NULL; + int rc; + + b = ssh_buffer_new(); +@@ -1234,9 +1234,9 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: + case SSH_KEYTYPE_SK_ECDSA: { +- ssh_buffer b; +- ssh_string r; +- ssh_string s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + size_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/poll.c b/src/poll.c +index 8f81c11c..d0f9726d 100644 +--- a/src/poll.c ++++ b/src/poll.c +@@ -560,8 +560,8 @@ void ssh_poll_ctx_free(ssh_poll_ctx ctx) + + static int ssh_poll_ctx_resize(ssh_poll_ctx ctx, size_t new_size) + { +- ssh_poll_handle *pollptrs; +- ssh_pollfd_t *pollfds; ++ ssh_poll_handle *pollptrs = NULL; ++ ssh_pollfd_t *pollfds = NULL; + + pollptrs = realloc(ctx->pollptrs, sizeof(ssh_poll_handle) * new_size); + if (pollptrs == NULL) { +@@ -862,7 +862,7 @@ ssh_event_add_fd(ssh_event event, socket_t fd, short events, + ssh_event_callback cb, void *userdata) + { + ssh_poll_handle p; +- struct ssh_event_fd_wrapper *pw; ++ struct ssh_event_fd_wrapper *pw = NULL; + + if(event == NULL || event->ctx == NULL || cb == NULL + || fd == SSH_INVALID_SOCKET) { +@@ -932,7 +932,7 @@ int ssh_event_add_session(ssh_event event, ssh_session session) + { + ssh_poll_handle p; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if(event == NULL || event->ctx == NULL || session == NULL) { +@@ -1079,7 +1079,7 @@ int ssh_event_remove_session(ssh_event event, ssh_session session) + register size_t i, used; + int rc = SSH_ERROR; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if (event == NULL || event->ctx == NULL || session == NULL) { +diff --git a/src/server.c b/src/server.c +index 70b90899..89f8d8b0 100644 +--- a/src/server.c ++++ b/src/server.c +@@ -85,8 +85,8 @@ int server_set_kex(ssh_session session) + { + struct ssh_kex_struct *server = &session->next_crypto->server_kex; + int i, j, rc; +- const char *wanted, *allowed; +- char *kept; ++ const char *wanted = NULL, *allowed = NULL; ++ char *kept = NULL; + char hostkeys[128] = {0}; + enum ssh_keytypes_e keytype; + size_t len; +@@ -219,9 +219,10 @@ int ssh_server_init_kex(ssh_session session) { + return server_set_kex(session); + } + +-static int ssh_server_send_extensions(ssh_session session) { ++static int ssh_server_send_extensions(ssh_session session) ++{ + int rc; +- const char *hostkey_algorithms; ++ const char *hostkey_algorithms = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Sending SSH_MSG_EXT_INFO"); + +@@ -286,8 +287,8 @@ ssh_get_key_params(ssh_session session, + ssh_key *privkey, + enum ssh_digest_e *digest) + { +- ssh_key pubkey; +- ssh_string pubkey_blob; ++ ssh_key pubkey = NULL; ++ ssh_string pubkey_blob = NULL; + int rc; + + switch(session->srv.hostkey) { +@@ -723,8 +724,9 @@ static int ssh_message_service_request_reply_default(ssh_message msg) { + * + * @returns SSH_OK when success otherwise SSH_ERROR + */ +-int ssh_message_service_reply_success(ssh_message msg) { +- ssh_session session; ++int ssh_message_service_reply_success(ssh_message msg) ++{ ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1132,8 +1134,9 @@ int ssh_message_auth_reply_pk_ok(ssh_message msg, ssh_string algo, ssh_string pu + * + * @returns SSH_OK on success, otherwise SSH_ERROR + */ +-int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) { +- ssh_string algo; ++int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) ++{ ++ ssh_string algo = NULL; + ssh_string pubkey_blob = NULL; + int ret; + +diff --git a/src/session.c b/src/session.c +index 8c509699..0e0f622b 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -58,7 +58,7 @@ + */ + ssh_session ssh_new(void) + { +- ssh_session session; ++ ssh_session session = NULL; + char *id = NULL; + int rc; + +@@ -280,7 +280,7 @@ void ssh_free(ssh_session session) + + /* options */ + if (session->opts.identity) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity); + id != NULL; +@@ -291,7 +291,7 @@ void ssh_free(ssh_session session) + } + + if (session->opts.identity_non_exp) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity_non_exp); + id != NULL; +@@ -1157,7 +1157,7 @@ int ssh_get_publickey_hash(const ssh_key key, + unsigned char **hash, + size_t *hlen) + { +- ssh_string blob; ++ ssh_string blob = NULL; + unsigned char *h = NULL; + int rc; + +@@ -1169,7 +1169,7 @@ int ssh_get_publickey_hash(const ssh_key key, + switch (type) { + case SSH_PUBLICKEY_HASH_SHA1: + { +- SHACTX ctx; ++ SHACTX ctx = NULL; + + h = calloc(1, SHA_DIGEST_LEN); + if (h == NULL) { +@@ -1201,7 +1201,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_SHA256: + { +- SHA256CTX ctx; ++ SHA256CTX ctx = NULL; + + h = calloc(1, SHA256_DIGEST_LEN); + if (h == NULL) { +@@ -1233,7 +1233,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_MD5: + { +- MD5CTX ctx; ++ MD5CTX ctx = NULL; + + /* In FIPS mode, we cannot use MD5 */ + if (ssh_fips_mode()) { +diff --git a/src/sftpserver.c b/src/sftpserver.c +index b3349e16..528ef6f9 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -299,8 +299,8 @@ void sftp_client_message_free(sftp_client_message msg) { + + int sftp_reply_name(sftp_client_message msg, const char *name, + sftp_attributes attr) { +- ssh_buffer out; +- ssh_string file; ++ ssh_buffer out = NULL; ++ ssh_string file = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -369,7 +369,7 @@ int sftp_reply_attr(sftp_client_message msg, sftp_attributes attr) { + + int sftp_reply_names_add(sftp_client_message msg, const char *file, + const char *longname, sftp_attributes attr) { +- ssh_string name; ++ ssh_string name = NULL; + + name = ssh_string_from_char(file); + if (name == NULL) { +@@ -435,8 +435,8 @@ int sftp_reply_names(sftp_client_message msg) { + + int sftp_reply_status(sftp_client_message msg, uint32_t status, + const char *message) { +- ssh_buffer out; +- ssh_string s; ++ ssh_buffer out = NULL; ++ ssh_string s = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -492,7 +492,7 @@ int sftp_reply_data(sftp_client_message msg, const void *data, int len) { + * valid info (or worse). + */ + ssh_string sftp_handle_alloc(sftp_session sftp, void *info) { +- ssh_string ret; ++ ssh_string ret = NULL; + uint32_t val; + uint32_t i; + +diff --git a/src/string.c b/src/string.c +index 44403487..0ab9310c 100644 +--- a/src/string.c ++++ b/src/string.c +@@ -106,7 +106,7 @@ int ssh_string_fill(struct ssh_string_struct *s, const void *data, size_t len) { + * @note The null byte is not copied nor counted in the output string. + */ + struct ssh_string_struct *ssh_string_from_char(const char *what) { +- struct ssh_string_struct *ptr; ++ struct ssh_string_struct *ptr = NULL; + size_t len; + + if(what == NULL) { +@@ -180,7 +180,7 @@ const char *ssh_string_get_char(struct ssh_string_struct *s) + */ + char *ssh_string_to_char(struct ssh_string_struct *s) { + size_t len; +- char *new; ++ char *new = NULL; + + if (s == NULL) { + return NULL; +@@ -219,7 +219,7 @@ void ssh_string_free_char(char *s) { + * @return Newly allocated copy of the string, NULL on error. + */ + struct ssh_string_struct *ssh_string_copy(struct ssh_string_struct *s) { +- struct ssh_string_struct *new; ++ struct ssh_string_struct *new = NULL; + size_t len; + + if (s == NULL) { +diff --git a/src/threads/winlocks.c b/src/threads/winlocks.c +index da600418..e63635e7 100644 +--- a/src/threads/winlocks.c ++++ b/src/threads/winlocks.c +@@ -82,7 +82,7 @@ static struct ssh_threads_callbacks_struct ssh_threads_winlock = + + void ssh_mutex_lock(SSH_MUTEX *mutex) + { +- void *rc; ++ void *rc = NULL; + + CRITICAL_SECTION *mutex_tmp = NULL; + +diff --git a/src/wrapper.c b/src/wrapper.c +index d317dc4c..43bf2137 100644 +--- a/src/wrapper.c ++++ b/src/wrapper.c +@@ -152,7 +152,7 @@ static void cipher_free(struct ssh_cipher_struct *cipher) { + + struct ssh_crypto_struct *crypto_new(void) + { +- struct ssh_crypto_struct *crypto; ++ struct ssh_crypto_struct *crypto = NULL; + + crypto = malloc(sizeof(struct ssh_crypto_struct)); + if (crypto == NULL) { +-- +2.40.0 + diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch new file mode 100644 index 0000000000..2c280d258d --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch @@ -0,0 +1,34 @@ +From b35ee876adc92a208d47194772e99f9c71e0bedb Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 28 Apr 2025 11:04:55 +0200 +Subject: [PATCH] CVE-2025-4878 legacy: Properly check return value to avoid + NULL pointer dereference + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2025-4878 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb] + +Signed-off-by: Divya Chellam +--- + src/legacy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/legacy.c b/src/legacy.c +index 7359040c..f73ef6cc 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -452,7 +452,7 @@ ssh_private_key privatekey_from_file(ssh_session session, + auth_fn, + auth_data, + &key); +- if (rc == SSH_ERROR) { ++ if (rc != SSH_OK) { + return NULL; + } + +-- +2.40.0 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 64835c5e08..357b59ec98 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb @@ -13,6 +13,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-5318.patch \ file://CVE-2025-5351.patch \ file://CVE-2025-5372.patch \ + file://CVE-2025-4878-0001.patch \ + file://CVE-2025-4878-0002.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" From patchwork Thu Sep 11 10:37:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: dchellam X-Patchwork-Id: 70016 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 725C8CAC58D for ; Thu, 11 Sep 2025 10:37:49 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.43266.1757587067757298195 for ; Thu, 11 Sep 2025 03:37:48 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=ZNyGM5l2; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=13490b2759=divya.chellam@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 58BAJI1o3186447 for ; Thu, 11 Sep 2025 10:37:46 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=wctrVgaHdvAe8EIdNE6/aXbpvmr+zq0Nr3cSNPTn7c4=; b=ZNyGM5l2BiU+ zy6Cc+qXrteUGRNh6xPYwOjZHGW3IsItW/cNP4e5u+eW/spJ2CV2CclpNhHJzV7g qtsmX14FiPf0rUtWMPvSvWgwUmV41SBaPUMmZiCzs2NCW9RUJokBbbnaBFEqdDJh h0ZDXMjER3NUOdtYLfIt+EDauxe6xT96Ax8yOHInPVFM9FHXRHzfY/miZEHL82xZ 8BlT5+Gi8kuJD3HaU4NEhTpUSq32Ga2IaFAvDQg6oTjwIrdbhCIHfgjFvl8FFksq GdvOgVq6raFe1+1Iclpf7SRvoww1ebxLMpXaodSiv+Rjgtodlb44LYICKvM3lnNc mJLqYW1IyQ== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 490a5w5s3x-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Thu, 11 Sep 2025 10:37:46 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.58; Thu, 11 Sep 2025 03:37:42 -0700 From: dchellam To: Subject: [oe][meta-oe][scarthgap][PATCH 2/2] libssh: fix CVE-2025-5987 Date: Thu, 11 Sep 2025 16:07:05 +0530 Message-ID: <20250911103705.252836-2-divya.chellam@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250911103705.252836-1-divya.chellam@windriver.com> References: <20250911103705.252836-1-divya.chellam@windriver.com> MIME-Version: 1.0 X-Originating-IP: [10.11.232.110] X-ClientProxiedBy: ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) To ala-exchng01.corp.ad.wrs.com (10.11.224.121) X-Proofpoint-GUID: v-GXWUQUPO8wy2piYLXkugvkkqZybM3e X-Proofpoint-ORIG-GUID: v-GXWUQUPO8wy2piYLXkugvkkqZybM3e X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwOTExMDA5NiBTYWx0ZWRfX2l77UHh/gf4c fGCzuNMk/6ty30/avHJVtJJcJRJga4S5FkHgtB3khy7KaCxwMTGB0a5s0/fM/rrR/7ePewpWGf4 stfIRXcflSDfQvKPPmeTITSasieBYA0y+8XDTxy0gZMtutaEnZSNadvFcodYmujs6lwhMiCW09V I7gQ3G81YYRXjUDOwqSrYJVLgQVDV0J6CqJh07Lo6VYcQxFHBw6lD+Mmf0MG8AspCztlqWA0bxL ImopM72v239K6+8OG9cS9ODuNa6hhdAwKw++HsvBVM2E8sk4YScsMkb9Nat2pbHPbIbE+jb/yRJ 7UUglcZ5WnT03tz/jjfPbWjpjf98Ee+8eI16LmFAWZD8Bqg11qBmoTDj1n+2lw= X-Authority-Analysis: v=2.4 cv=AMtZH25w c=1 sm=1 tr=0 ts=68c2a67a cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=gmxlzscTznEA:10 a=yJojWOMRYYMA:10 a=xNf9USuDAAAA:8 a=nar8ntqeAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=_9gtbkrcAAAA:8 a=1E69uE0ZlsvtWQdOJBwA:9 a=RptMqvEBejqe73AKBt4K:22 a=FdTzh2GWekK77mhwV6Dw:22 a=mzAfeOUevkGYtpgvwSZb:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1117,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-09-10_04,2025-09-11_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 suspectscore=0 priorityscore=1501 clxscore=1015 phishscore=0 malwarescore=0 spamscore=0 adultscore=0 bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2507300000 definitions=firstrun List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 11 Sep 2025 10:37:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119360 From: Divya Chellam A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes. Reference: https://security-tracker.debian.org/tracker/CVE-2025-5987 Upstream-patch: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=90b4845e0c98574bbf7bea9e97796695f064bf57 Signed-off-by: Divya Chellam --- .../libssh/libssh/CVE-2025-5987.patch | 37 +++++++++++++++++++ .../recipes-support/libssh/libssh_0.10.6.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch new file mode 100644 index 0000000000..08395e0e7d --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch @@ -0,0 +1,37 @@ +From 90b4845e0c98574bbf7bea9e97796695f064bf57 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 6 May 2025 22:51:41 +0200 +Subject: [PATCH] CVE-2025-5987 libcrypto: Correctly detect failures of chacha + initialization + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2025-5987 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57] + +Signed-off-by: Divya Chellam +--- + src/libcrypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 76e067d3..69a850de 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -771,9 +771,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher, + SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed"); + goto out; + } +- ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, ++ rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, + u8key + CHACHA20_KEYLEN, NULL); +- if (ret != 1) { ++ if (rv != 1) { + SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed"); + goto out; + } +-- +2.40.0 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 357b59ec98..aa69d3a3e2 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb @@ -15,6 +15,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-5372.patch \ file://CVE-2025-4878-0001.patch \ file://CVE-2025-4878-0002.patch \ + file://CVE-2025-5987.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"