From patchwork Tue Nov 11 06:55:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rajeshkumar Ramasamy X-Patchwork-Id: 74138 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 454EECCF9E3 for ; Tue, 11 Nov 2025 06:56:16 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12173.1762844167588707095 for ; Mon, 10 Nov 2025 22:56:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=XUwoPz8i; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=3410ad4b76=rajeshkumar.ramasamy@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5AB5b2vn038181 for ; Tue, 11 Nov 2025 06:56:06 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=PPS06212021; bh=gVQ7qucULfNPsBf//KL0 k8/K5GCe3BCZ+kj1migN0OY=; b=XUwoPz8iTMjMvaqlfGIRt+93hbBcILP9wTT8 6bTPzhugVYvoRPp93dwKH+GJ75uxdBB96x/re60bZSlZFwXFQOM/nKweIcy/OLXz 39edDPIkEnfcZCHIInkU5EeqwOf63Muievl6wfORly/AmWnfbnaBpKd4jU0ymRZE 5prvs56j/rU4GkFqvsWf/WiqoB9Rz6PxLicq4Zutl8Juw1gyDvh0w9US3tdvW3fZ x5HfkAAhpPUdejxrrn+4o7zdEPZkacGuMAlGFdeoHt0FXw3uVzLn6SMQ/h006S4C fUQPoElM+uihr4g/TISRrrIGJ/w8feDrI4EnImz3flSmdMNdnw== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4a9vu92wgw-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 11 Nov 2025 06:56:06 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Mon, 10 Nov 2025 22:56:03 -0800 From: Rajeshkumar Ramasamy To: Subject: [oe][meta-oe][kirkstone][PATCH 1/2] libssh: fix CVE-2025-4878 Date: Tue, 11 Nov 2025 12:25:46 +0530 Message-ID: <20251111065547.2723539-1-rajeshkumar.ramasamy@windriver.com> X-Mailer: git-send-email 2.48.1 MIME-Version: 1.0 X-Originating-IP: [10.11.232.110] X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (10.11.224.121) To ala-exchng01.corp.ad.wrs.com (10.11.224.121) X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTExMDA1MSBTYWx0ZWRfX2XCRz3qsUspJ Dt7V8aIwbkIMlKxBjS/2Omz8lTwuSAlRiiiB5VX/158ptBpwgsT99bSysmF+gESclm/f2y8bCIw bk63hjhu5JVUpZedELN9isAeOB+/lRyFVQVFsDy+oquHDS7BR10z+2VZNYnznYVDDaSTULissP2 a/2xB8pyKiy0NbUnA4CGBmDdKz1skKSe23iytHmN43ZaW7tCEkGL+369rw3/OH+M4/5Z/bTd4fk cO8CDn4euGPVADJHkpsuJDoQDanE7U9UbRwR5V8QhK5Im13apEeW1Po9Hl9PnuNuLKZYzfWXVaO SdhDhv7CYvwqwDZQI6ROSTdluMXzpjmkJE3/ZZjlHXzOv6NTbU+2j7nC57h+9B0yR9p5L4I4Dc1 2gcP8OLbr+PjnAr5caNnEQDqd8FBSw== X-Proofpoint-GUID: uVoHXGEzMBvVYytGUF4Uq2rLN1QJXcJL X-Proofpoint-ORIG-GUID: uVoHXGEzMBvVYytGUF4Uq2rLN1QJXcJL X-Authority-Analysis: v=2.4 cv=CMknnBrD c=1 sm=1 tr=0 ts=6912de06 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=gmxlzscTznEA:10 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=PYnjg3YJAAAA:8 a=nar8ntqeAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=_9gtbkrcAAAA:8 a=1XWaLZrsAAAA:8 a=l9wgHKbdPv7wUBevqzsA:9 a=RptMqvEBejqe73AKBt4K:22 a=FdTzh2GWekK77mhwV6Dw:22 a=mzAfeOUevkGYtpgvwSZb:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-11_01,2025-11-11_02,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 lowpriorityscore=0 bulkscore=0 spamscore=0 clxscore=1015 malwarescore=0 priorityscore=1501 phishscore=0 impostorscore=0 suspectscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511110051 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 06:56:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121479 A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-4878 Upstream-patch: https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1 https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb Signed-off-by: Rajeshkumar Ramasamy --- .../libssh/libssh/CVE-2025-4878-1.patch | 2196 +++++++++++++++++ .../libssh/libssh/CVE-2025-4878-2.patch | 33 + .../recipes-support/libssh/libssh_0.8.9.bb | 2 + 3 files changed, 2231 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-1.patch create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-2.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-1.patch new file mode 100644 index 0000000000..0131be0e01 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-1.patch @@ -0,0 +1,2196 @@ +From 697650caa97eaf7623924c75f9fcfec6dd423cd1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 23 Apr 2025 17:57:11 +0200 +Subject: [PATCH] CVE-2025-4878 Initialize pointers where possible + +This is mostly mechanical change initializing all the pointers I was able to +find with some grep and manual review of sources and examples. + +Used the following greps (which yield some false positives though): + + git grep " \w* *\* *\w*;$" + git grep " ssh_session \w*;" + git grep " ssh_channel \w*;" + git grep " struct ssh_iterator \*\w*;" + git grep " ssh_bind \w*;" + git grep " ssh_key \w*;" + git grep " ssh_string \w*;" + git grep " ssh_buffer \w*;" + git grep " HMACCTX \w*;" + git grep " SHACTX \w*;" + grep -rinP '^(?!.*=)\s*(?:\w+\s+)*\w+\s*\*\s*\w+\s*;' + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2025-4878 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1] + +Signed-off-by: Rajeshkumar Ramasamy +--- + doc/authentication.dox | 10 +++---- + doc/command.dox | 2 +- + doc/forwarding.dox | 4 +-- + doc/guided_tour.dox | 14 +++++----- + doc/shell.dox | 2 +- + examples/authentication.c | 12 ++++---- + examples/connect_ssh.c | 2 +- + examples/exec.c | 4 +-- + examples/knownhosts.c | 2 +- + examples/libssh_scp.c | 11 ++++---- + examples/proxy.c | 18 ++++++------ + examples/samplesshd-cb.c | 10 +++---- + examples/samplesshd-kbdint.c | 16 +++++------ + examples/scp_download.c | 4 +-- + examples/senddata.c | 4 +-- + examples/ssh_client.c | 8 +++--- + examples/sshnetcat.c | 6 ++-- + src/agent.c | 13 +++++---- + src/auth.c | 7 +++-- + src/bind.c | 9 +++--- + src/buffer.c | 9 +++--- + src/callbacks.c | 2 +- + src/chachapoly.c | 2 +- + src/channels.c | 53 ++++++++++++++++++------------------ + src/client.c | 2 +- + src/config.c | 4 +-- + src/connect.c | 4 +-- + src/connector.c | 5 ++-- + src/ecdh_crypto.c | 2 +- + src/ecdh_gcrypt.c | 10 +++---- + src/gcrypt_missing.c | 2 +- + src/getpass.c | 4 +-- + src/gssapi.c | 28 ++++++++++--------- + src/kex.c | 2 +- + src/known_hosts.c | 38 +++++++++++++------------- + src/knownhosts.c | 14 +++++----- + src/legacy.c | 43 +++++++++++++++-------------- + src/log.c | 2 +- + src/messages.c | 18 ++++++------ + src/misc.c | 22 +++++++-------- + src/options.c | 12 ++++---- + src/packet.c | 4 +-- + src/packet_crypt.c | 2 +- + src/pki.c | 48 ++++++++++++++++---------------- + src/pki_container_openssh.c | 14 +++++----- + src/pki_ed25519.c | 6 ++-- + src/pki_gcrypt.c | 2 +- + src/pki_mbedcrypto.c | 12 ++++---- + src/poll.c | 8 +++--- + src/server.c | 18 ++++++------ + src/session.c | 4 +-- + src/sftpserver.c | 12 ++++---- + src/string.c | 6 ++-- + src/threads/winlocks.c | 2 +- + src/wrapper.c | 2 +- + 55 files changed, 295 insertions(+), 281 deletions(-) + +diff --git a/doc/authentication.dox b/doc/authentication.dox +index ec6f1936..a8fbd400 100644 +--- a/doc/authentication.dox ++++ b/doc/authentication.dox +@@ -102,7 +102,7 @@ Here is a small example of password authentication: + @code + int authenticate_password(ssh_session session) + { +- char *password; ++ char *password = NULL; + int rc; + + password = getpass("Enter your password: "); +@@ -215,7 +215,7 @@ int authenticate_kbdint(ssh_session session) + rc = ssh_userauth_kbdint(session, NULL, NULL); + while (rc == SSH_AUTH_INFO) + { +- const char *name, *instruction; ++ const char *name = NULL, *instruction = NULL; + int nprompts, iprompt; + + name = ssh_userauth_kbdint_getname(session); +@@ -228,7 +228,7 @@ int authenticate_kbdint(ssh_session session) + printf("%s\n", instruction); + for (iprompt = 0; iprompt < nprompts; iprompt++) + { +- const char *prompt; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, iprompt, &echo); +@@ -248,7 +248,7 @@ int authenticate_kbdint(ssh_session session) + } + else + { +- char *ptr; ++ char *ptr = NULL; + + ptr = getpass(prompt); + if (ssh_userauth_kbdint_setanswer(session, iprompt, ptr) < 0) +@@ -351,7 +351,7 @@ The following example shows how to retrieve and dispose the issue banner: + int display_banner(ssh_session session) + { + int rc; +- char *banner; ++ char *banner = NULL; + + /* + *** Does not work without calling ssh_userauth_none() first *** +diff --git a/doc/command.dox b/doc/command.dox +index 588151c6..e82748ce 100644 +--- a/doc/command.dox ++++ b/doc/command.dox +@@ -22,7 +22,7 @@ a SSH session that uses this channel: + @code + int show_remote_files(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/doc/forwarding.dox b/doc/forwarding.dox +index bb93c7b1..1949660c 100644 +--- a/doc/forwarding.dox ++++ b/doc/forwarding.dox +@@ -100,7 +100,7 @@ used to retrieve google's home page from the remote SSH server. + @code + int direct_forwarding(ssh_session session) + { +- ssh_channel forwarding_channel; ++ ssh_channel forwarding_channel = NULL; + int rc; + char *http_get = "GET / HTTP/1.1\nHost: www.google.com\n\n"; + int nbytes, nwritten; +@@ -161,7 +161,7 @@ local libssh application, which handles them: + int web_server(ssh_session session) + { + int rc; +- ssh_channel channel; ++ ssh_channel channel = NULL; + char buffer[256]; + int nbytes, nwritten; + int port = 0; +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox +index 2f1a9b8e..008ccb4e 100644 +--- a/doc/guided_tour.dox ++++ b/doc/guided_tour.dox +@@ -79,7 +79,7 @@ Here is a small example of how to use it: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int verbosity = SSH_LOG_PROTOCOL; + int port = 22; + +@@ -126,7 +126,7 @@ Here's an example: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; + + my_ssh_session = ssh_new(); +@@ -190,8 +190,8 @@ int verify_knownhost(ssh_session session) + ssh_key srv_pubkey = NULL; + size_t hlen; + char buf[10]; +- char *hexa; +- char *p; ++ char *hexa = NULL; ++ char *p = NULL; + int cmp; + int rc; + +@@ -317,9 +317,9 @@ The example below shows an authentication with password: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; +- char *password; ++ char *password = NULL; + + // Open session and set options + my_ssh_session = ssh_new(); +@@ -380,7 +380,7 @@ The example below shows how to execute a remote command: + @code + int show_remote_processes(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + char buffer[256]; + int nbytes; +diff --git a/doc/shell.dox b/doc/shell.dox +index 0693bbcc..03b5a575 100644 +--- a/doc/shell.dox ++++ b/doc/shell.dox +@@ -26,7 +26,7 @@ The code sample below achieves these tasks: + @code + int shell_session(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/examples/authentication.c b/examples/authentication.c +index 9e5b94c9..758666fc 100644 +--- a/examples/authentication.c ++++ b/examples/authentication.c +@@ -30,8 +30,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + + err = ssh_userauth_kbdint(session, NULL, NULL); + while (err == SSH_AUTH_INFO) { +- const char *instruction; +- const char *name; ++ const char *instruction = NULL; ++ const char *name = NULL; + char buffer[128]; + int i, n; + +@@ -48,8 +48,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + for (i = 0; i < n; i++) { +- const char *answer; +- const char *prompt; ++ const char *answer = NULL; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, i, &echo); +@@ -58,7 +58,7 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + if (echo) { +- char *p; ++ char *p = NULL; + + printf("%s", prompt); + +@@ -110,7 +110,7 @@ int authenticate_console(ssh_session session) + int rc; + int method; + char password[128] = {0}; +- char *banner; ++ char *banner = NULL; + + // Try to authenticate + rc = ssh_userauth_none(session, NULL); +diff --git a/examples/connect_ssh.c b/examples/connect_ssh.c +index c9e4ef6e..06094272 100644 +--- a/examples/connect_ssh.c ++++ b/examples/connect_ssh.c +@@ -22,7 +22,7 @@ clients must be made or how a client should react. + #include + + ssh_session connect_ssh(const char *host, const char *user,int verbosity){ +- ssh_session session; ++ ssh_session session = NULL; + int auth=0; + + session=ssh_new(); +diff --git a/examples/exec.c b/examples/exec.c +index 4d5e0c1a..0db84688 100644 +--- a/examples/exec.c ++++ b/examples/exec.c +@@ -5,8 +5,8 @@ + #include "examples_common.h" + + int main(void) { +- ssh_session session; +- ssh_channel channel; ++ ssh_session session = NULL; ++ ssh_channel channel = NULL; + char buffer[256]; + int nbytes; + int rc; +diff --git a/examples/knownhosts.c b/examples/knownhosts.c +index 2c538dac..44fbbd01 100644 +--- a/examples/knownhosts.c ++++ b/examples/knownhosts.c +@@ -37,7 +37,7 @@ int verify_knownhost(ssh_session session){ + char buf[10]; + unsigned char *hash = NULL; + size_t hlen; +- ssh_key srv_pubkey; ++ ssh_key srv_pubkey = NULL; + int rc; + + rc = ssh_get_server_publickey(session, &srv_pubkey); +diff --git a/examples/libssh_scp.c b/examples/libssh_scp.c +index ff38b830..b0638525 100644 +--- a/examples/libssh_scp.c ++++ b/examples/libssh_scp.c +@@ -22,9 +22,9 @@ program. + #include + #include "examples_common.h" + +-static char **sources; ++static char **sources = NULL; + static int nsources; +-static char *destination; ++static char *destination = NULL; + static int verbosity = 0; + + struct location { +@@ -114,9 +114,10 @@ static void location_free(struct location *loc) + } + } + +-static struct location *parse_location(char *loc) { +- struct location *location; +- char *ptr; ++static struct location *parse_location(char *loc) ++{ ++ struct location *location = NULL; ++ char *ptr = NULL; + + location = malloc(sizeof(struct location)); + if (location == NULL) { +diff --git a/examples/proxy.c b/examples/proxy.c +index dcf4d0d7..baebc12f 100644 +--- a/examples/proxy.c ++++ b/examples/proxy.c +@@ -31,8 +31,8 @@ clients must be made or how a client should react. + static int authenticated=0; + static int tries = 0; + static int error = 0; +-static ssh_channel chan=NULL; +-static char *username; ++static ssh_channel chan = NULL; ++static char *username = NULL; + static ssh_gssapi_creds client_creds = NULL; + + static int auth_password(ssh_session session, const char *user, +@@ -212,11 +212,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; +- ssh_session client_session; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; ++ ssh_session client_session = NULL; + + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, +@@ -227,7 +228,7 @@ int main(int argc, char **argv){ + + char buf[2048]; + char host[128]=""; +- char *ptr; ++ char *ptr = NULL; + int i,r, rc; + + sshbind=ssh_bind_new(); +@@ -344,4 +345,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-cb.c b/examples/samplesshd-cb.c +index f93ab4b4..39efaf9a 100644 +--- a/examples/samplesshd-cb.c ++++ b/examples/samplesshd-cb.c +@@ -215,10 +215,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_password_function = auth_password, +@@ -303,4 +304,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-kbdint.c b/examples/samplesshd-kbdint.c +index 522aebd6..88f0458a 100644 +--- a/examples/samplesshd-kbdint.c ++++ b/examples/samplesshd-kbdint.c +@@ -183,8 +183,8 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-static const char *name; +-static const char *instruction; ++static const char *name = NULL; ++static const char *instruction = NULL; + static const char *prompts[2]; + static char echo[] = { 1, 0 }; + +@@ -288,11 +288,12 @@ static int authenticate(ssh_session session) { + return 0; + } + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_message message; +- ssh_channel chan=0; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_message message = NULL; ++ ssh_channel chan = NULL; + char buf[2048]; + int auth=0; + int shell=0; +@@ -422,4 +423,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/scp_download.c b/examples/scp_download.c +index 85ccf92b..eda67764 100644 +--- a/examples/scp_download.c ++++ b/examples/scp_download.c +@@ -104,7 +104,7 @@ static int fetch_files(ssh_session session){ + int size; + char buffer[16384]; + int mode; +- char *filename; ++ char *filename = NULL; + int r; + ssh_scp scp=ssh_scp_new(session, SSH_SCP_READ | SSH_SCP_RECURSIVE, "/tmp/libssh_tests/*"); + if(ssh_scp_init(scp) != SSH_OK){ +@@ -163,7 +163,7 @@ static int fetch_files(ssh_session session){ + } + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + if(opts(argc,argv)<0) + return EXIT_FAILURE; + session=connect_ssh(host,NULL,verbosity); +diff --git a/examples/senddata.c b/examples/senddata.c +index 042b462b..1104acdc 100644 +--- a/examples/senddata.c ++++ b/examples/senddata.c +@@ -6,7 +6,7 @@ + #define LIMIT 0x100000000UL + + int main(void) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_channel channel; + char buffer[1024*1024]; + int rc; +@@ -47,7 +47,7 @@ int main(void) { + if(total > LIMIT) + break; + } +- ++ + if (rc < 0) { + printf("error : %s\n",ssh_get_error(session)); + ssh_channel_close(channel); +diff --git a/examples/ssh_client.c b/examples/ssh_client.c +index b0c5a7ff..db226d53 100644 +--- a/examples/ssh_client.c ++++ b/examples/ssh_client.c +@@ -50,7 +50,7 @@ static struct termios terminal; + + static char *pcap_file = NULL; + +-static char *proxycommand; ++static char *proxycommand = NULL; + + static int auth_callback(const char *prompt, + char *buf, +@@ -238,7 +238,7 @@ static void select_loop(ssh_session session,ssh_channel channel) + + static void shell(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + struct termios terminal_local; + int interactive=isatty(0); + channel = ssh_channel_new(session); +@@ -300,7 +300,7 @@ static void batch_shell(ssh_session session) + static int client(ssh_session session) + { + int auth = 0; +- char *banner; ++ char *banner = NULL; + int state; + + if (user) { +@@ -378,7 +378,7 @@ static void cleanup_pcap(void) + + int main(int argc, char **argv) + { +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/examples/sshnetcat.c b/examples/sshnetcat.c +index 28fb2765..0665d004 100644 +--- a/examples/sshnetcat.c ++++ b/examples/sshnetcat.c +@@ -34,7 +34,7 @@ clients must be made or how a client should react. + #include + + #include "examples_common.h" +-char *host; ++char *host = NULL; + const char *desthost="localhost"; + const char *port="22"; + +@@ -187,7 +187,7 @@ static void forwarding(ssh_session session){ + + static int client(ssh_session session){ + int auth=0; +- char *banner; ++ char *banner = NULL; + int state; + + if (ssh_options_set(session, SSH_OPTIONS_HOST ,host) < 0) +@@ -239,7 +239,7 @@ void cleanup_pcap(){ + #endif + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/src/agent.c b/src/agent.c +index 7704e8f1..cabe9b6b 100644 +--- a/src/agent.c ++++ b/src/agent.c +@@ -418,8 +418,9 @@ ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session, + + /* caller has to free commment */ + ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session, +- char **comment) { +- struct ssh_key_struct *key; ++ char **comment) ++{ ++ struct ssh_key_struct *key = NULL; + struct ssh_string_struct *blob = NULL; + struct ssh_string_struct *tmp = NULL; + int rc; +@@ -488,10 +489,10 @@ ssh_string ssh_agent_sign_data(ssh_session session, + const ssh_key pubkey, + struct ssh_buffer_struct *data) + { +- ssh_buffer request; +- ssh_buffer reply; +- ssh_string key_blob; +- ssh_string sig_blob; ++ ssh_buffer request = NULL; ++ ssh_buffer reply = NULL; ++ ssh_string key_blob = NULL; ++ ssh_string sig_blob = NULL; + unsigned int type = 0; + unsigned int flags = 0; + uint32_t dlen; +diff --git a/src/auth.c b/src/auth.c +index 993e6dfe..531ab8bd 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -191,8 +191,9 @@ static int ssh_userauth_get_response(ssh_session session) { + * + * This banner should be shown to user prior to authentication + */ +-SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) { +- ssh_string banner; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) ++{ ++ ssh_string banner = NULL; + (void)type; + (void)user; + +@@ -1299,7 +1300,7 @@ int ssh_userauth_agent_pubkey(ssh_session session, + const char *username, + ssh_public_key publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + key = ssh_key_new(); +diff --git a/src/bind.c b/src/bind.c +index 63ef3a94..0cf8bea9 100644 +--- a/src/bind.c ++++ b/src/bind.c +@@ -73,7 +73,7 @@ + static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + int port) { + char port_c[6]; +- struct addrinfo *ai; ++ struct addrinfo *ai = NULL; + struct addrinfo hints; + int opt = 1; + socket_t s; +@@ -129,8 +129,9 @@ static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + return s; + } + +-ssh_bind ssh_bind_new(void) { +- ssh_bind ptr; ++ssh_bind ssh_bind_new(void) ++{ ++ ssh_bind ptr = NULL; + + ptr = malloc(sizeof(struct ssh_bind_struct)); + if (ptr == NULL) { +@@ -249,7 +250,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) { + } + + int ssh_bind_listen(ssh_bind sshbind) { +- const char *host; ++ const char *host = NULL; + socket_t fd; + int rc; + +diff --git a/src/buffer.c b/src/buffer.c +index da6e587f..50469e62 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -365,7 +365,8 @@ int ssh_buffer_allocate_size(struct ssh_buffer_struct *buffer, + */ + void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len) + { +- void *ptr; ++ void *ptr = NULL; ++ + buffer_verify(buffer); + + if (buffer->used + len < len) { +@@ -922,7 +923,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p; ++ const char *p = NULL; + union { + uint8_t byte; + uint16_t word; +@@ -931,7 +932,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + ssh_string string; + void *data; + } o; +- char *cstring; ++ char *cstring = NULL; + bignum b; + size_t len; + int count; +@@ -1086,7 +1087,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p, *last; ++ const char *p = NULL, *last = NULL; + union { + uint8_t *byte; + uint16_t *word; +diff --git a/src/callbacks.c b/src/callbacks.c +index 3ed2f11c..6bfed62a 100644 +--- a/src/callbacks.c ++++ b/src/callbacks.c +@@ -113,7 +113,7 @@ int ssh_add_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + + int ssh_remove_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (channel == NULL || channel->callbacks == NULL){ + return SSH_ERROR; +diff --git a/src/chachapoly.c b/src/chachapoly.c +index 904303ef..6a3aba18 100644 +--- a/src/chachapoly.c ++++ b/src/chachapoly.c +@@ -50,7 +50,7 @@ static int chacha20_set_encrypt_key(struct ssh_cipher_struct *cipher, + void *key, + void *IV) + { +- struct chacha20_poly1305_keysched *sched; ++ struct chacha20_poly1305_keysched *sched = NULL; + uint8_t *u8key = key; + (void)IV; + +diff --git a/src/channels.c b/src/channels.c +index b94016f1..ae2f55a5 100644 +--- a/src/channels.c ++++ b/src/channels.c +@@ -141,7 +141,7 @@ uint32_t ssh_channel_new_id(ssh_session session) { + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){ + uint32_t channelid=0; +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + (void)type; + (void)user; +@@ -202,7 +202,7 @@ error: + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){ + +- ssh_channel channel; ++ ssh_channel channel = NULL; + char *error = NULL; + uint32_t code; + int rc; +@@ -343,7 +343,7 @@ end: + /* return channel with corresponding local id, or NULL if not found */ + ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id) { + struct ssh_iterator *it; +- ssh_channel channel; ++ ssh_channel channel = NULL; + + for (it = ssh_list_get_iterator(session->channels); it != NULL ; it=it->next) { + channel = ssh_iterator_value(ssh_channel, it); +@@ -423,7 +423,7 @@ error: + * unknown or the packet is invalid. + */ + static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t chan; + int rc; + +@@ -445,7 +445,7 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) { + } + + SSH_PACKET_CALLBACK(channel_rcv_change_window) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t bytes; + int rc; + (void)user; +@@ -584,7 +584,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){ + } + + SSH_PACKET_CALLBACK(channel_rcv_eof) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -611,8 +611,9 @@ SSH_PACKET_CALLBACK(channel_rcv_eof) { + return SSH_PACKET_USED; + } + +-SSH_PACKET_CALLBACK(channel_rcv_close) { +- ssh_channel channel; ++SSH_PACKET_CALLBACK(channel_rcv_close) ++{ ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -812,7 +813,7 @@ SSH_PACKET_CALLBACK(channel_rcv_request) { + */ + int channel_default_bufferize(ssh_channel channel, void *data, int len, + int is_stderr) { +- ssh_session session; ++ ssh_session session = NULL; + + if(channel == NULL) { + return -1; +@@ -946,7 +947,7 @@ int ssh_channel_open_auth_agent(ssh_channel channel){ + */ + int ssh_channel_open_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + ssh_string str = NULL; + int rc = SSH_ERROR; +@@ -1002,7 +1003,7 @@ error: + */ + void ssh_channel_free(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + + if (channel == NULL) { + return; +@@ -1100,7 +1101,7 @@ void ssh_channel_do_free(ssh_channel channel) + * @see ssh_channel_is_eof() + */ + int ssh_channel_send_eof(ssh_channel channel){ +- ssh_session session; ++ ssh_session session = NULL; + int rc = SSH_ERROR; + int err; + +@@ -1153,7 +1154,7 @@ error: + */ + int ssh_channel_close(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = 0; + + if(channel == NULL) { +@@ -1249,7 +1250,7 @@ static int channel_write_common(ssh_channel channel, + const void *data, + uint32_t len, int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t origlen = len; + size_t effectivelen; + size_t maxpacketlen; +@@ -1503,7 +1504,7 @@ void ssh_channel_set_blocking(ssh_channel channel, int blocking) { + * @brief handle a SSH_CHANNEL_SUCCESS packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_success){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1533,7 +1534,7 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_success){ + * @brief Handle a SSH_CHANNEL_FAILURE packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_failure){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1960,7 +1961,7 @@ static ssh_channel ssh_channel_accept(ssh_session session, int channeltype, + #endif + ssh_message msg = NULL; + ssh_channel channel = NULL; +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + int t; + + /* +@@ -2590,7 +2591,7 @@ error: + */ + int channel_read_buffer(ssh_channel channel, ssh_buffer buffer, uint32_t count, + int is_stderr) { +- ssh_session session; ++ ssh_session session = NULL; + char buffer_tmp[8192]; + int r; + uint32_t total=0; +@@ -2726,7 +2727,7 @@ int ssh_channel_read_timeout(ssh_channel channel, + int is_stderr, + int timeout_ms) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer stdbuf; + uint32_t len; + struct ssh_channel_read_termination_struct ctx; +@@ -2837,7 +2838,7 @@ int ssh_channel_read_timeout(ssh_channel channel, + */ + int ssh_channel_read_nonblocking(ssh_channel channel, void *dest, uint32_t count, + int is_stderr) { +- ssh_session session; ++ ssh_session session = NULL; + int to_read; + int rc; + int blocking; +@@ -2940,8 +2941,8 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr){ + * @see ssh_channel_is_eof() + */ + int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr){ +- ssh_session session; +- ssh_buffer stdbuf; ++ ssh_session session = NULL; ++ ssh_buffer stdbuf = NULL; + struct ssh_channel_read_termination_struct ctx; + int rc; + +@@ -3042,7 +3043,7 @@ int ssh_channel_get_exit_status(ssh_channel channel) { + */ + static int channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans, + ssh_channel *echans, ssh_channel *rout, ssh_channel *wout, ssh_channel *eout) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int i; + int j = 0; + +@@ -3121,7 +3122,7 @@ static int count_ptrs(ssh_channel *ptrs) { + */ + int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans, + ssh_channel *exceptchans, struct timeval * timeout) { +- ssh_channel *rchans, *wchans, *echans; ++ ssh_channel *rchans = NULL, *wchans = NULL, *echans = NULL; + ssh_channel dummy = NULL; + ssh_event event = NULL; + int rc; +@@ -3305,7 +3306,7 @@ int ssh_channel_write_stderr(ssh_channel channel, const void *data, uint32_t len + */ + int ssh_channel_open_reverse_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +@@ -3368,7 +3369,7 @@ error: + */ + int ssh_channel_open_x11(ssh_channel channel, + const char *orig_addr, int orig_port) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +diff --git a/src/client.c b/src/client.c +index 1132c0a0..5ece34b8 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -656,7 +656,7 @@ int ssh_get_openssh_version(ssh_session session) { + * @param[in] session The SSH session to use. + */ + void ssh_disconnect(ssh_session session) { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + int rc; + + if (session == NULL) { +diff --git a/src/config.c b/src/config.c +index 7dd3ae8c..8bf2c1a8 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -229,7 +229,7 @@ static enum ssh_config_opcode_e ssh_config_get_opcode(char *keyword) { + } + + static void local_parse_file(ssh_session session, const char *filename, int *parsing, int seen[]) { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + +@@ -730,7 +730,7 @@ static int ssh_config_parse_line(ssh_session session, const char *line, + int ssh_config_parse_file(ssh_session session, const char *filename) { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + int parsing; + int seen[SOC_END - SOC_UNSUPPORTED] = {0}; + +diff --git a/src/connect.c b/src/connect.c +index d45be04b..a58bd4b0 100644 +--- a/src/connect.c ++++ b/src/connect.c +@@ -355,8 +355,8 @@ socket_t ssh_connect_host_nonblocking(ssh_session session, const char *host, + } + + if (bind_addr) { +- struct addrinfo *bind_ai; +- struct addrinfo *bind_itr; ++ struct addrinfo *bind_ai = NULL; ++ struct addrinfo *bind_itr = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Resolving %s", bind_addr); + +diff --git a/src/connector.c b/src/connector.c +index 0062785c..868ba1ec 100644 +--- a/src/connector.c ++++ b/src/connector.c +@@ -622,8 +622,9 @@ error: + return rc; + } + +-int ssh_connector_remove_event(ssh_connector connector) { +- ssh_session session; ++int ssh_connector_remove_event(ssh_connector connector) ++{ ++ ssh_session session = NULL; + + if (connector->in_poll != NULL) { + ssh_event_remove_poll(connector->event, connector->in_poll); +diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c +index 7e5f0cc7..43d7fec2 100644 +--- a/src/ecdh_crypto.c ++++ b/src/ecdh_crypto.c +@@ -204,7 +204,7 @@ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){ + const EC_POINT *ecdh_pubkey; + bignum_CTX ctx; + /* SSH host keys (rsa,dsa,ecdsa) */ +- ssh_key privkey; ++ ssh_key privkey = NULL; + ssh_string sig_blob = NULL; + ssh_string pubkey_blob = NULL; + int curve; +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index c1db7f5d..789b06b9 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -128,9 +128,9 @@ int ecdh_build_k(ssh_session session) + #else + size_t k_len = 0; + enum ssh_key_exchange_e kex_type = session->next_crypto->kex_type; +- ssh_string s; ++ ssh_string s = NULL; + #endif +- ssh_string pubkey_raw; ++ ssh_string pubkey_raw = NULL; + gcry_sexp_t pubkey = NULL; + ssh_string privkey = NULL; + int rc = SSH_ERROR; +@@ -261,12 +261,12 @@ int ecdh_build_k(ssh_session session) + int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet) { + gpg_error_t err; + /* ECDH keys */ +- ssh_string q_c_string; +- ssh_string q_s_string; ++ ssh_string q_c_string = NULL; ++ ssh_string q_s_string = NULL; + gcry_sexp_t param = NULL; + gcry_sexp_t key = NULL; + /* SSH host keys (rsa,dsa,ecdsa) */ +- ssh_key privkey; ++ ssh_key privkey = NULL; + ssh_string sig_blob = NULL; + ssh_string pubkey_blob = NULL; + int rc = SSH_ERROR; +diff --git a/src/gcrypt_missing.c b/src/gcrypt_missing.c +index 80562317..60d6181c 100644 +--- a/src/gcrypt_missing.c ++++ b/src/gcrypt_missing.c +@@ -47,7 +47,7 @@ int ssh_gcry_dec2bn(bignum *bn, const char *data) { + + char *ssh_gcry_bn2dec(bignum bn) { + bignum bndup, num, ten; +- char *ret; ++ char *ret = NULL; + int count, count2; + int size, rsize; + char decnum; +diff --git a/src/getpass.c b/src/getpass.c +index 99627665..dceaf4dd 100644 +--- a/src/getpass.c ++++ b/src/getpass.c +@@ -45,7 +45,7 @@ + * @return 1 on success, 0 on error. + */ + static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) { +- char *tmp; ++ char *tmp = NULL; + char *ptr = NULL; + int ok = 0; + +@@ -77,7 +77,7 @@ static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) { + } + + if (verify) { +- char *key_string; ++ char *key_string = NULL; + + key_string = calloc(1, len); + if (key_string == NULL) { +diff --git a/src/gssapi.c b/src/gssapi.c +index e1b37c76..8bbfc0c8 100644 +--- a/src/gssapi.c ++++ b/src/gssapi.c +@@ -190,7 +190,7 @@ int ssh_gssapi_handle_userauth(ssh_session session, const char *user, uint32_t n + gss_name_t server_name; /* local server fqdn */ + OM_uint32 maj_stat, min_stat; + size_t i; +- char *ptr; ++ char *ptr = NULL; + gss_OID_set supported; /* oids supported by server */ + gss_OID_set both_supported; /* oids supported by both client and server */ + gss_OID_set selected; /* oid selected for authentication */ +@@ -313,7 +313,7 @@ int ssh_gssapi_handle_userauth(ssh_session session, const char *user, uint32_t n + static char *ssh_gssapi_name_to_char(gss_name_t name){ + gss_buffer_desc buffer; + OM_uint32 maj_stat, min_stat; +- char *ptr; ++ char *ptr = NULL; + maj_stat = gss_display_name(&min_stat, name, &buffer, NULL); + ssh_gssapi_log_error(SSH_LOG_WARNING, + "converting name", +@@ -327,9 +327,10 @@ static char *ssh_gssapi_name_to_char(gss_name_t name){ + + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ +- ssh_string token; +- char *hexa; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server) ++{ ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + gss_name_t client_name = GSS_C_NO_NAME; +@@ -353,7 +354,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ + } + + if (ssh_callbacks_exists(session->server_callbacks, gssapi_accept_sec_ctx_function)){ +- ssh_string out_token=NULL; ++ ssh_string out_token = NULL; + rc = session->server_callbacks->gssapi_accept_sec_ctx_function(session, + token, &out_token, session->server_callbacks->userdata); + if (rc == SSH_ERROR){ +@@ -457,7 +458,7 @@ static ssh_buffer ssh_gssapi_build_mic(ssh_session session){ + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_mic) + { +- ssh_string mic_token; ++ ssh_string mic_token = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER; + gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER; +@@ -616,7 +617,7 @@ static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids) + gss_name_t client_id = GSS_C_NO_NAME; + gss_OID oid; + unsigned int i; +- char *ptr; ++ char *ptr = NULL; + int ret; + + if (session->gssapi->client.client_deleg_creds == NULL) { +@@ -789,11 +790,11 @@ static gss_OID ssh_gssapi_oid_from_string(ssh_string oid_s){ + } + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ +- ssh_string oid_s; ++ ssh_string oid_s = NULL; + gss_uint32 maj_stat, min_stat; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; +- char *hexa; ++ char *hexa = NULL; + (void)type; + (void)user; + +@@ -899,9 +900,10 @@ static int ssh_gssapi_send_mic(ssh_session session){ + return ssh_packet_send(session); + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){ +- ssh_string token; +- char *hexa; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client) ++{ ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + (void)user; +diff --git a/src/kex.c b/src/kex.c +index c100d908..35272b14 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -765,7 +765,7 @@ char *ssh_client_select_hostkeys(ssh_session session) + int ssh_set_client_kex(ssh_session session) + { + struct ssh_kex_struct *client= &session->next_crypto->client_kex; +- const char *wanted; ++ const char *wanted = NULL; + int ok; + int i; + +diff --git a/src/known_hosts.c b/src/known_hosts.c +index 407e1de5..dddfd8a5 100644 +--- a/src/known_hosts.c ++++ b/src/known_hosts.c +@@ -98,8 +98,8 @@ static void tokens_free(char **tokens) { + static char **ssh_get_knownhost_line(FILE **file, const char *filename, + const char **found_type) { + char buffer[4096] = {0}; +- char *ptr; +- char **tokens; ++ char *ptr = NULL; ++ char **tokens = NULL; + + if(*file == NULL){ + *file = fopen(filename,"r"); +@@ -165,7 +165,7 @@ static char **ssh_get_knownhost_line(FILE **file, const char *filename, + static int check_public_key(ssh_session session, char **tokens) { + ssh_string pubkey_blob = NULL; + ssh_buffer pubkey_buffer; +- char *pubkey_64; ++ char *pubkey_64 = NULL; + int rc; + + /* ssh-dss or ssh-rsa */ +@@ -221,11 +221,11 @@ static int match_hashed_host(const char *host, const char *sourcehash) + * hash := HMAC_SHA1(key=salt,data=host) + */ + unsigned char buffer[256] = {0}; +- ssh_buffer salt; +- ssh_buffer hash; +- HMACCTX mac; +- char *source; +- char *b64hash; ++ ssh_buffer salt = NULL; ++ ssh_buffer hash = NULL; ++ HMACCTX mac = NULL; ++ char *source = NULL; ++ char *b64hash = NULL; + int match; + unsigned int size; + +@@ -308,12 +308,12 @@ static int match_hashed_host(const char *host, const char *sourcehash) + int ssh_is_server_known(ssh_session session) { + FILE *file = NULL; + char **tokens; +- char *host; +- char *hostport; +- const char *type; ++ char *host = NULL; ++ char *hostport = NULL; ++ const char *type = NULL; + int match; + int i=0; +- char * files[3]; ++ char * files[3] = {0}; + int ret = SSH_SERVER_NOT_KNOWN; + + if (session->opts.knownhosts == NULL) { +@@ -445,11 +445,11 @@ int ssh_is_server_known(ssh_session session) { + */ + char * ssh_dump_knownhost(ssh_session session) { + ssh_key server_pubkey = NULL; +- char *host; +- char *hostport; ++ char *host = NULL; ++ char *hostport = NULL; + size_t len = 4096; +- char *buffer; +- char *b64_key; ++ char *buffer = NULL; ++ char *b64_key = NULL; + int rc; + + if (session->opts.host == NULL) { +@@ -513,9 +513,9 @@ char * ssh_dump_knownhost(ssh_session session) { + * @brief This function is deprecated + */ + int ssh_write_knownhost(ssh_session session) { +- FILE *file; +- char *buffer; +- char *dir; ++ FILE *file = NULL; ++ char *buffer = NULL; ++ char *dir = NULL; + + if (session->opts.knownhosts == NULL) { + if (ssh_options_apply(session) < 0) { +diff --git a/src/knownhosts.c b/src/knownhosts.c +index 3ea22970..2abdb4b6 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -55,7 +55,7 @@ static int hash_hostname(const char *name, + unsigned char **hash, + unsigned int *hash_size) + { +- HMACCTX mac_ctx; ++ HMACCTX mac_ctx = NULL; + + mac_ctx = hmac_init(salt, salt_size, SSH_HMAC_SHA1); + if (mac_ctx == NULL) { +@@ -70,8 +70,8 @@ static int hash_hostname(const char *name, + + static int match_hashed_hostname(const char *host, const char *hashed_host) + { +- char *hashed; +- char *b64_hash; ++ char *hashed = NULL; ++ char *b64_hash = NULL; + ssh_buffer salt = NULL; + ssh_buffer hash = NULL; + unsigned char hashed_buf[256] = {0}; +@@ -195,7 +195,7 @@ static int ssh_known_hosts_read_entries(const char *match, + char line[8192]; + size_t lineno = 0; + size_t len = 0; +- FILE *fp; ++ FILE *fp = NULL; + int rc; + + fp = fopen(filename, "r"); +@@ -253,8 +253,8 @@ error: + + static char *ssh_session_get_host_port(ssh_session session) + { +- char *host_port; +- char *host; ++ char *host_port = NULL; ++ char *host = NULL; + + if (session->opts.host == NULL) { + ssh_set_error(session, +@@ -410,7 +410,7 @@ int ssh_known_hosts_parse_line(const char *hostname, + { + struct ssh_knownhosts_entry *e = NULL; + char *known_host = NULL; +- char *p; ++ char *p = NULL; + enum ssh_keytypes_e key_type; + int match = 0; + int rc = SSH_OK; +diff --git a/src/legacy.c b/src/legacy.c +index c35ec337..b1c8e150 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -48,7 +48,7 @@ int ssh_auth_list(ssh_session session) { + int ssh_userauth_offer_pubkey(ssh_session session, const char *username, + int type, ssh_string publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -70,7 +70,7 @@ int ssh_userauth_pubkey(ssh_session session, + ssh_string publickey, + ssh_private_key privatekey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) publickey; /* unused */ +@@ -373,10 +373,11 @@ void publickey_free(ssh_public_key key) { + SAFE_FREE(key); + } + +-ssh_public_key publickey_from_privatekey(ssh_private_key prv) { +- struct ssh_public_key_struct *p; +- ssh_key privkey; +- ssh_key pubkey; ++ssh_public_key publickey_from_privatekey(ssh_private_key prv) ++{ ++ struct ssh_public_key_struct *p = NULL; ++ ssh_key privkey = NULL; ++ ssh_key pubkey = NULL; + int rc; + + privkey = ssh_key_new(); +@@ -410,8 +411,8 @@ ssh_private_key privatekey_from_file(ssh_session session, + const char *passphrase) { + ssh_auth_callback auth_fn = NULL; + void *auth_data = NULL; +- ssh_private_key privkey; +- ssh_key key; ++ ssh_private_key privkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -476,7 +477,7 @@ void privatekey_free(ssh_private_key prv) { + + ssh_string publickey_from_file(ssh_session session, const char *filename, + int *type) { +- ssh_key key; ++ ssh_key key = NULL; + ssh_string key_str = NULL; + int rc; + +@@ -509,9 +510,10 @@ int ssh_type_from_name(const char *name) { + return ssh_key_type_from_name(name); + } + +-ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { +- struct ssh_public_key_struct *pubkey; +- ssh_key key; ++ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) ++{ ++ struct ssh_public_key_struct *pubkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) session; /* unused */ +@@ -540,9 +542,10 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { + return pubkey; + } + +-ssh_string publickey_to_string(ssh_public_key pubkey) { +- ssh_key key; +- ssh_string key_blob; ++ssh_string publickey_to_string(ssh_public_key pubkey) ++{ ++ ssh_key key = NULL; ++ ssh_string key_blob = NULL; + int rc; + + key = ssh_key_new(); +@@ -573,11 +576,11 @@ int ssh_publickey_to_file(ssh_session session, + ssh_string pubkey, + int type) + { +- FILE *fp; +- char *user; ++ FILE *fp = NULL; ++ char *user = NULL; + char buffer[1024]; + char host[256]; +- unsigned char *pubkey_64; ++ unsigned char *pubkey_64 = NULL; + size_t len; + int rc; + if(session==NULL) +@@ -640,9 +643,9 @@ int ssh_try_publickey_from_file(ssh_session session, + const char *keyfile, + ssh_string *publickey, + int *type) { +- char *pubkey_file; ++ char *pubkey_file = NULL; + size_t len; +- ssh_string pubkey_string; ++ ssh_string pubkey_string = NULL; + int pubkey_type; + + if (session == NULL || keyfile == NULL || publickey == NULL || type == NULL) { +diff --git a/src/log.c b/src/log.c +index a8664b16..b26ed8be 100644 +--- a/src/log.c ++++ b/src/log.c +@@ -40,7 +40,7 @@ + + static LIBSSH_THREAD int ssh_log_level; + static LIBSSH_THREAD ssh_logging_callback ssh_log_cb; +-static LIBSSH_THREAD void *ssh_log_userdata; ++static LIBSSH_THREAD void *ssh_log_userdata = NULL; + + /** + * @defgroup libssh_log The SSH logging functions. +diff --git a/src/messages.c b/src/messages.c +index 400b8e9b..a0e185bb 100644 +--- a/src/messages.c ++++ b/src/messages.c +@@ -452,7 +452,7 @@ void ssh_message_queue(ssh_session session, ssh_message message){ + */ + ssh_message ssh_message_pop_head(ssh_session session){ + ssh_message msg=NULL; +- struct ssh_iterator *i; ++ struct ssh_iterator *i = NULL; + if(session->ssh_message_list == NULL) + return NULL; + i=ssh_list_get_iterator(session->ssh_message_list); +@@ -466,7 +466,7 @@ ssh_message ssh_message_pop_head(ssh_session session){ + /* Returns 1 if there is a message available */ + static int ssh_message_termination(void *s){ + ssh_session session = s; +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + if(session->session_state == SSH_SESSION_STATE_ERROR) + return 1; + it = ssh_list_get_iterator(session->ssh_message_list); +@@ -658,7 +658,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, + struct ssh_crypto_struct *crypto = + session->current_crypto ? session->current_crypto : + session->next_crypto; +- ssh_buffer buffer; ++ ssh_buffer buffer = NULL; + ssh_string str=NULL; + int rc; + +@@ -867,9 +867,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ + #ifdef WITH_GSSAPI + if (strcmp(method, "gssapi-with-mic") == 0) { + uint32_t n_oid; +- ssh_string *oids; +- ssh_string oid; +- char *hexa; ++ ssh_string *oids = NULL; ++ ssh_string oid = NULL; ++ char *hexa = NULL; + int i; + ssh_buffer_get_u32(packet, &n_oid); + n_oid=ntohl(n_oid); +@@ -953,7 +953,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + uint32_t nanswers; + uint32_t i; +- ssh_string tmp; ++ ssh_string tmp = NULL; + int rc; + + ssh_message msg = NULL; +@@ -1175,7 +1175,7 @@ end: + } + + int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan) { +- ssh_session session; ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1216,7 +1216,7 @@ int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_c + + + ssh_channel ssh_message_channel_request_open_reply_accept(ssh_message msg) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int rc; + + if (msg == NULL) { +diff --git a/src/misc.c b/src/misc.c +index 9842b7f4..3601ffb5 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -334,7 +334,7 @@ int ssh_is_ipaddr(const char *str) { + #endif /* _WIN32 */ + + char *ssh_lowercase(const char* str) { +- char *new, *p; ++ char *new = NULL, *p = NULL; + + if (str == NULL) { + return NULL; +@@ -407,7 +407,7 @@ struct ssh_list *ssh_list_new(void) { + } + + void ssh_list_free(struct ssh_list *list){ +- struct ssh_iterator *ptr,*next; ++ struct ssh_iterator *ptr = NULL, *next = NULL; + if(!list) + return; + ptr=list->root; +@@ -426,7 +426,7 @@ struct ssh_iterator *ssh_list_get_iterator(const struct ssh_list *list){ + } + + struct ssh_iterator *ssh_list_find(const struct ssh_list *list, void *value){ +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + for(it = ssh_list_get_iterator(list); it != NULL ;it=it->next) + if(it->data==value) + return it; +@@ -496,7 +496,7 @@ int ssh_list_prepend(struct ssh_list *list, const void *data){ + } + + void ssh_list_remove(struct ssh_list *list, struct ssh_iterator *iterator){ +- struct ssh_iterator *ptr,*prev; ++ struct ssh_iterator *ptr = NULL, *prev = NULL; + prev=NULL; + ptr=list->root; + while(ptr && ptr != iterator){ +@@ -616,7 +616,7 @@ char *ssh_dirname (const char *path) { + */ + char *ssh_basename (const char *path) { + char *new = NULL; +- const char *s; ++ const char *s = NULL; + size_t len; + + if (path == NULL || *path == '\0') { +@@ -685,8 +685,8 @@ int ssh_mkdir(const char *pathname, mode_t mode) { + * @return The expanded directory, NULL on error. + */ + char *ssh_path_expand_tilde(const char *d) { +- char *h = NULL, *r; +- const char *p; ++ char *h = NULL, *r = NULL; ++ const char *p = NULL; + size_t ld; + size_t lh = 0; + +@@ -701,7 +701,7 @@ char *ssh_path_expand_tilde(const char *d) { + #ifdef _WIN32 + return strdup(d); + #else +- struct passwd *pw; ++ struct passwd *pw = NULL; + size_t s = p - d; + char u[128]; + +@@ -757,7 +757,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) { + char host[NI_MAXHOST]; + char buf[MAX_BUF_SIZE]; + char *r, *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -867,8 +867,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) { + */ + int ssh_analyze_banner(ssh_session session, int server) + { +- const char *banner; +- const char *openssh; ++ const char *banner = NULL; ++ const char *openssh = NULL; + + if (server) { + banner = session->clientbanner; +diff --git a/src/options.c b/src/options.c +index 5f9d3c26..6d0f111a 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -63,7 +63,7 @@ + * @see ssh_session_connect() + */ + int ssh_options_copy(ssh_session src, ssh_session *dest) { +- ssh_session new; ++ ssh_session new = NULL; + int i; + + if (src == NULL || dest == NULL) { +@@ -399,8 +399,8 @@ int ssh_options_set_algo(ssh_session session, + */ + int ssh_options_set(ssh_session session, enum ssh_options_e type, + const void *value) { +- const char *v; +- char *p, *q; ++ const char *v = NULL; ++ char *p = NULL, *q = NULL; + long int i; + unsigned int u; + int rc; +@@ -987,7 +987,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) { + */ + int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + { +- char* src = NULL; ++ char *src = NULL; + + if (session == NULL) { + return SSH_ERROR; +@@ -1248,7 +1248,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv) + * @see ssh_options_set_host() + */ + int ssh_options_parse_config(ssh_session session, const char *filename) { +- char *expanded_filename; ++ char *expanded_filename = NULL; + int r; + + if (session == NULL) { +@@ -1292,7 +1292,7 @@ out: + + int ssh_options_apply(ssh_session session) { + struct ssh_iterator *it; +- char *tmp; ++ char *tmp = NULL; + int rc; + + if (session->opts.sshdir == NULL) { +diff --git a/src/packet.c b/src/packet.c +index 8025a7ff..aa0535e9 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -1218,8 +1218,8 @@ error: + static void ssh_packet_socket_controlflow_callback(int code, void *userdata) + { + ssh_session session = userdata; +- struct ssh_iterator *it; +- ssh_channel channel; ++ struct ssh_iterator *it = NULL; ++ ssh_channel channel = NULL; + + if (code == SSH_SOCKET_FLOW_WRITEWONTBLOCK) { + SSH_LOG(SSH_LOG_TRACE, "sending channel_write_wontblock callback"); +diff --git a/src/packet_crypt.c b/src/packet_crypt.c +index ba1d4af9..63eb6443 100644 +--- a/src/packet_crypt.c ++++ b/src/packet_crypt.c +@@ -205,7 +205,7 @@ int ssh_packet_hmac_verify(ssh_session session, + enum ssh_hmac_e type) + { + unsigned char hmacbuf[DIGEST_MAX_LEN] = {0}; +- HMACCTX ctx; ++ HMACCTX ctx = NULL; + unsigned int len; + uint32_t seq; + +diff --git a/src/pki.c b/src/pki.c +index 620ac1dd..4c4380ee 100644 +--- a/src/pki.c ++++ b/src/pki.c +@@ -283,7 +283,7 @@ static enum ssh_digest_e ssh_key_hash_from_name(const char *name) + */ + int ssh_key_algorithm_allowed(ssh_session session, const char *type) + { +- const char *allowed_list; ++ const char *allowed_list = NULL; + + allowed_list = session->opts.pubkey_accepted_types; + if (allowed_list == NULL) { +@@ -480,7 +480,7 @@ int ssh_key_cmp(const ssh_key k1, + + ssh_signature ssh_signature_new(void) + { +- struct ssh_signature_struct *sig; ++ struct ssh_signature_struct *sig = NULL; + + sig = malloc(sizeof(struct ssh_signature_struct)); + if (sig == NULL) { +@@ -561,7 +561,7 @@ int ssh_pki_import_privkey_base64(const char *b64_key, + void *auth_data, + ssh_key *pkey) + { +- ssh_key key; ++ ssh_key key = NULL; + int cmp; + + if (b64_key == NULL || pkey == NULL) { +@@ -681,8 +681,8 @@ int ssh_pki_import_privkey_file(const char *filename, + void *auth_data, + ssh_key *pkey) { + struct stat sb; +- char *key_buf; +- FILE *file; ++ char *key_buf = NULL; ++ FILE *file = NULL; + off_t size; + int rc; + +@@ -820,8 +820,8 @@ int ssh_pki_export_privkey_file(const ssh_key privkey, + + /* temporary function to migrate seemlessly to ssh_key */ + ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) { +- ssh_public_key pub; +- ssh_key tmp; ++ ssh_public_key pub = NULL; ++ ssh_key tmp = NULL; + + if(key == NULL) { + return NULL; +@@ -853,7 +853,7 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) { + } + + ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key) { +- ssh_private_key privkey; ++ ssh_private_key privkey = NULL; + + privkey = malloc(sizeof(struct ssh_private_key_struct)); + if (privkey == NULL) { +@@ -1190,9 +1190,9 @@ fail: + static int pki_import_cert_buffer(ssh_buffer buffer, + enum ssh_keytypes_e type, + ssh_key *pkey) { +- ssh_buffer cert; +- ssh_string type_s; +- ssh_key key; ++ ssh_buffer cert = NULL; ++ ssh_string type_s = NULL; ++ ssh_key key = NULL; + int rc; + + key = ssh_key_new(); +@@ -1615,7 +1615,7 @@ error: + int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + ssh_key *pkey) + { +- ssh_key pubkey; ++ ssh_key pubkey = NULL; + + if (privkey == NULL || !ssh_key_is_private(privkey)) { + return SSH_ERROR; +@@ -1653,7 +1653,7 @@ int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + int ssh_pki_export_pubkey_blob(const ssh_key key, + ssh_string *pblob) + { +- ssh_string blob; ++ ssh_string blob = NULL; + + if (key == NULL) { + return SSH_OK; +@@ -1683,8 +1683,8 @@ int ssh_pki_export_pubkey_blob(const ssh_key key, + int ssh_pki_export_pubkey_base64(const ssh_key key, + char **b64_key) + { +- ssh_string key_blob; +- unsigned char *b64; ++ ssh_string key_blob = NULL; ++ unsigned char *b64 = NULL; + + if (key == NULL || b64_key == NULL) { + return SSH_ERROR; +@@ -1711,9 +1711,9 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + { + char key_buf[4096]; + char host[256]; +- char *b64_key; +- char *user; +- FILE *fp; ++ char *b64_key = NULL; ++ char *user = NULL; ++ FILE *fp = NULL; + int rc; + + if (key == NULL || filename == NULL || *filename == '\0') { +@@ -1774,7 +1774,7 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + * @returns SSH_OK on success, SSH_ERROR otherwise. + **/ + int ssh_pki_copy_cert_to_privkey(const ssh_key certkey, ssh_key privkey) { +- ssh_buffer cert_buffer; ++ ssh_buffer cert_buffer = NULL; + int rc; + + if (certkey == NULL || privkey == NULL) { +@@ -1809,7 +1809,7 @@ int ssh_pki_export_signature_blob(const ssh_signature sig, + ssh_string *sig_blob) + { + ssh_buffer buf = NULL; +- ssh_string str; ++ ssh_string str = NULL; + int rc; + + if (sig == NULL || sig_blob == NULL) { +@@ -1869,7 +1869,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, + enum ssh_keytypes_e type; + enum ssh_digest_e hash_type; + ssh_string algorithm = NULL, blob = NULL; +- ssh_buffer buf; ++ ssh_buffer buf = NULL; + const char *alg = NULL; + int rc; + +@@ -2143,9 +2143,9 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session, + struct ssh_buffer_struct *buf, + const ssh_key pubkey) { + struct ssh_crypto_struct *crypto; +- ssh_string session_id; +- ssh_string sig_blob; +- ssh_buffer sig_buf; ++ ssh_string session_id = NULL; ++ ssh_string sig_blob = NULL; ++ ssh_buffer sig_buf = NULL; + int rc; + + if (session->current_crypto) { +diff --git a/src/pki_container_openssh.c b/src/pki_container_openssh.c +index 3ef54f83..6e473899 100644 +--- a/src/pki_container_openssh.c ++++ b/src/pki_container_openssh.c +@@ -234,12 +234,12 @@ ssh_pki_openssh_import(const char *text_key, + bool private) + { + const char *ptr=text_key; +- const char *end; +- char *base64; ++ const char *end = NULL; ++ char *base64 = NULL; + int cmp; + int rc; + int i; +- ssh_buffer buffer = NULL, privkey_buffer=NULL; ++ ssh_buffer buffer = NULL, privkey_buffer = NULL; + char *magic = NULL, *ciphername = NULL, *kdfname = NULL; + uint32_t nkeys = 0, checkint1 = 0, checkint2 = 0xFFFF; + ssh_string kdfoptions = NULL; +@@ -535,14 +535,14 @@ ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey, + { + ssh_buffer buffer; + ssh_string str = NULL; +- ssh_string pubkey_s=NULL; ++ ssh_string pubkey_s = NULL; + ssh_buffer privkey_buffer = NULL; + uint32_t rnd; + uint32_t rounds = 16; +- ssh_string salt=NULL; +- ssh_string kdf_options=NULL; ++ ssh_string salt = NULL; ++ ssh_string kdf_options = NULL; + int to_encrypt=0; +- unsigned char *b64; ++ unsigned char *b64 = NULL; + uint32_t str_len, len; + uint8_t padding = 1; + int ok; +diff --git a/src/pki_ed25519.c b/src/pki_ed25519.c +index 981a74b6..c9f07386 100644 +--- a/src/pki_ed25519.c ++++ b/src/pki_ed25519.c +@@ -84,7 +84,7 @@ int pki_ed25519_sign(const ssh_key privkey, + size_t hlen) + { + int rc; +- uint8_t *buffer; ++ uint8_t *buffer = NULL; + unsigned long long dlen = 0; + + buffer = malloc(hlen + ED25519_SIG_LEN); +@@ -126,8 +126,8 @@ int pki_ed25519_verify(const ssh_key pubkey, + size_t hlen) + { + unsigned long long mlen = 0; +- uint8_t *buffer; +- uint8_t *buffer2; ++ uint8_t *buffer = NULL; ++ uint8_t *buffer2 = NULL; + int rc; + + if (pubkey == NULL || sig == NULL || +diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c +index cf9ac781..6c1cb537 100644 +--- a/src/pki_gcrypt.c ++++ b/src/pki_gcrypt.c +@@ -152,7 +152,7 @@ static ssh_string asn1_get_int(ssh_buffer buffer) { + + static ssh_string asn1_get_bit_string(ssh_buffer buffer) + { +- ssh_string str; ++ ssh_string str = NULL; + unsigned char type; + uint32_t size; + unsigned char unused, last, *p; +diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c +index 57a4ffae..abf36f4e 100644 +--- a/src/pki_mbedcrypto.c ++++ b/src/pki_mbedcrypto.c +@@ -774,9 +774,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + sig_blob = ssh_string_copy(sig->rsa_sig); + break; + case SSH_KEYTYPE_ECDSA: { +- ssh_string r; +- ssh_string s; +- ssh_buffer b; ++ ssh_string r = NULL; ++ ssh_string s = NULL; ++ ssh_buffer b = NULL; + int rc; + + b = ssh_buffer_new(); +@@ -923,9 +923,9 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + sig->type_c = ssh_key_signature_to_char(type, hash_type); + break; + case SSH_KEYTYPE_ECDSA: { +- ssh_buffer b; +- ssh_string r; +- ssh_string s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + size_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/poll.c b/src/poll.c +index 0ee8db20..cbeff3df 100644 +--- a/src/poll.c ++++ b/src/poll.c +@@ -468,8 +468,8 @@ void ssh_poll_ctx_free(ssh_poll_ctx ctx) { + } + + static int ssh_poll_ctx_resize(ssh_poll_ctx ctx, size_t new_size) { +- ssh_poll_handle *pollptrs; +- ssh_pollfd_t *pollfds; ++ ssh_poll_handle *pollptrs = NULL; ++ ssh_pollfd_t *pollfds = NULL; + + pollptrs = realloc(ctx->pollptrs, sizeof(ssh_poll_handle) * new_size); + if (pollptrs == NULL) { +@@ -741,7 +741,7 @@ static int ssh_event_fd_wrapper_callback(ssh_poll_handle p, socket_t fd, int rev + int ssh_event_add_fd(ssh_event event, socket_t fd, short events, + ssh_event_callback cb, void *userdata) { + ssh_poll_handle p; +- struct ssh_event_fd_wrapper *pw; ++ struct ssh_event_fd_wrapper *pw = NULL; + + if(event == NULL || event->ctx == NULL || cb == NULL + || fd == SSH_INVALID_SOCKET) { +@@ -810,7 +810,7 @@ void ssh_event_remove_poll(ssh_event event, ssh_poll_handle p) + int ssh_event_add_session(ssh_event event, ssh_session session) { + ssh_poll_handle p; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if(event == NULL || event->ctx == NULL || session == NULL) { +diff --git a/src/server.c b/src/server.c +index f3d24a7b..90677441 100644 +--- a/src/server.c ++++ b/src/server.c +@@ -85,7 +85,7 @@ static int dh_handshake_server(ssh_session session); + static int server_set_kex(ssh_session session) { + struct ssh_kex_struct *server = &session->next_crypto->server_kex; + int i, j, rc; +- const char *wanted; ++ const char *wanted = NULL; + char hostkeys[128] = {0}; + enum ssh_keytypes_e keytype; + size_t len; +@@ -204,9 +204,10 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){ + return SSH_OK; + } + +-static int ssh_server_send_extensions(ssh_session session) { ++static int ssh_server_send_extensions(ssh_session session) ++{ + int rc; +- const char *hostkey_algorithms; ++ const char *hostkey_algorithms = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Sending SSH_MSG_EXT_INFO"); + /* +@@ -289,8 +290,8 @@ error: + } + + int ssh_get_key_params(ssh_session session, ssh_key *privkey){ +- ssh_key pubkey; +- ssh_string pubkey_blob; ++ ssh_key pubkey = NULL; ++ ssh_string pubkey_blob = NULL; + int rc; + + switch(session->srv.hostkey) { +@@ -780,8 +781,9 @@ static int ssh_message_service_request_reply_default(ssh_message msg) { + return ssh_message_service_reply_success(msg); + } + +-int ssh_message_service_reply_success(ssh_message msg) { +- ssh_session session; ++int ssh_message_service_reply_success(ssh_message msg) ++{ ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1111,7 +1113,7 @@ int ssh_message_auth_reply_pk_ok(ssh_message msg, ssh_string algo, ssh_string pu + } + + int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) { +- ssh_string algo; ++ ssh_string algo = NULL; + ssh_string pubkey_blob = NULL; + int ret; + +diff --git a/src/session.c b/src/session.c +index 3953fe76..daa30fe2 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -56,7 +56,7 @@ + * @returns A new ssh_session pointer, NULL on error. + */ + ssh_session ssh_new(void) { +- ssh_session session; ++ ssh_session session = NULL; + char *id = NULL; + int rc; + +@@ -252,7 +252,7 @@ void ssh_free(ssh_session session) { + + /* options */ + if (session->opts.identity) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity); + id != NULL; +diff --git a/src/sftpserver.c b/src/sftpserver.c +index dee51534..4a15d032 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -291,8 +291,8 @@ void sftp_client_message_free(sftp_client_message msg) { + + int sftp_reply_name(sftp_client_message msg, const char *name, + sftp_attributes attr) { +- ssh_buffer out; +- ssh_string file; ++ ssh_buffer out = NULL; ++ ssh_string file = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -361,7 +361,7 @@ int sftp_reply_attr(sftp_client_message msg, sftp_attributes attr) { + + int sftp_reply_names_add(sftp_client_message msg, const char *file, + const char *longname, sftp_attributes attr) { +- ssh_string name; ++ ssh_string name = NULL; + + name = ssh_string_from_char(file); + if (name == NULL) { +@@ -427,8 +427,8 @@ int sftp_reply_names(sftp_client_message msg) { + + int sftp_reply_status(sftp_client_message msg, uint32_t status, + const char *message) { +- ssh_buffer out; +- ssh_string s; ++ ssh_buffer out = NULL; ++ ssh_string s = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -484,7 +484,7 @@ int sftp_reply_data(sftp_client_message msg, const void *data, int len) { + * valid info (or worse). + */ + ssh_string sftp_handle_alloc(sftp_session sftp, void *info) { +- ssh_string ret; ++ ssh_string ret = NULL; + uint32_t val; + int i; + +diff --git a/src/string.c b/src/string.c +index acd3cf48..3e044374 100644 +--- a/src/string.c ++++ b/src/string.c +@@ -106,7 +106,7 @@ int ssh_string_fill(struct ssh_string_struct *s, const void *data, size_t len) { + * @note The nul byte is not copied nor counted in the ouput string. + */ + struct ssh_string_struct *ssh_string_from_char(const char *what) { +- struct ssh_string_struct *ptr; ++ struct ssh_string_struct *ptr = NULL; + size_t len; + + if(what == NULL) { +@@ -180,7 +180,7 @@ const char *ssh_string_get_char(struct ssh_string_struct *s) + */ + char *ssh_string_to_char(struct ssh_string_struct *s) { + size_t len; +- char *new; ++ char *new = NULL; + + if (s == NULL) { + return NULL; +@@ -219,7 +219,7 @@ void ssh_string_free_char(char *s) { + * @return Newly allocated copy of the string, NULL on error. + */ + struct ssh_string_struct *ssh_string_copy(struct ssh_string_struct *s) { +- struct ssh_string_struct *new; ++ struct ssh_string_struct *new = NULL; + size_t len; + + if (s == NULL) { +diff --git a/src/threads/winlocks.c b/src/threads/winlocks.c +index a1799531..c1bf1011 100644 +--- a/src/threads/winlocks.c ++++ b/src/threads/winlocks.c +@@ -81,7 +81,7 @@ static struct ssh_threads_callbacks_struct ssh_threads_winlock = + + void ssh_mutex_lock(SSH_MUTEX *mutex) + { +- void *rc; ++ void *rc = NULL; + + CRITICAL_SECTION *mutex_tmp = NULL; + +diff --git a/src/wrapper.c b/src/wrapper.c +index e580e1cc..6e15d54e 100644 +--- a/src/wrapper.c ++++ b/src/wrapper.c +@@ -133,7 +133,7 @@ static void cipher_free(struct ssh_cipher_struct *cipher) { + } + + struct ssh_crypto_struct *crypto_new(void) { +- struct ssh_crypto_struct *crypto; ++ struct ssh_crypto_struct *crypto = NULL; + + crypto = malloc(sizeof(struct ssh_crypto_struct)); + if (crypto == NULL) { +-- +2.35.5 + diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-2.patch new file mode 100644 index 0000000000..d5c88dd1d6 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-2.patch @@ -0,0 +1,33 @@ +From b35ee876adc92a208d47194772e99f9c71e0bedb Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 28 Apr 2025 11:04:55 +0200 +Subject: [PATCH] CVE-2025-4878 legacy: Properly check return value to avoid + NULL pointer dereference + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2025-4878 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb] + +Signed-off-by: Rajeshkumar Ramasamy +--- + src/legacy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/legacy.c b/src/legacy.c +index b1c8e150..ecbaf039 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -428,7 +428,7 @@ ssh_private_key privatekey_from_file(ssh_session session, + auth_fn, + auth_data, + &key); +- if (rc == SSH_ERROR) { ++ if (rc != SSH_OK) { + return NULL; + } + +-- +2.48.1 diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb index fee711e191..28e3fe2588 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb @@ -22,6 +22,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://run-ptest \ file://CVE-2025-5318.patch \ file://CVE-2025-4877.patch \ + file://CVE-2025-4878-1.patch \ + file://CVE-2025-4878-2.patch \ " SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" From patchwork Tue Nov 11 06:55:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rajeshkumar Ramasamy X-Patchwork-Id: 74137 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3433CCCFA18 for ; Tue, 11 Nov 2025 06:56:16 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.11993.1762844167934830209 for ; Mon, 10 Nov 2025 22:56:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=BSNYp7wP; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=3410ad4b76=rajeshkumar.ramasamy@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5AB5b2vo038181 for ; Tue, 11 Nov 2025 06:56:07 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=yCIqgo4W0Krv1EbNzYgGIln82Z6rxQ8BB9AKBV5ZehY=; b=BSNYp7wPdtgZ eJBBlKdYCS59hsNYbcRP2qI7VL2puwpw33qOPyo7JVn2Zn+DF8kX4xoWyRms7aoV 7bjpxHEphbqpO7sye9Dz/WH/4Z+ug4wG7/0K7pVrXe+QQubGBCWsXeBrsvOJGb4n GO8foq/VrOQIMzz+K9BQv+n+IkBW6zZt0c3TOddA1GNhoyWW5Lm85xqeUcn9iX3g Juq2yoxjygrfo8zTmVlCfZ1rJ358eaDyCkkVpKJGYCZuWOsieZT6hkhqLyIQ0MWz jnsNZbO9FjnClbIJdTaKZZG3Xjreokrtx3Bj/DsxvbpXYYM49FheO3PFdSwBIdO5 nDSmqjgYvA== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4a9vu92wgw-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 11 Nov 2025 06:56:06 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Mon, 10 Nov 2025 22:56:05 -0800 From: Rajeshkumar Ramasamy To: Subject: [oe][meta-oe][kirkstone][PATCH 2/2] libssh: fix CVE-2025-8277 Date: Tue, 11 Nov 2025 12:25:47 +0530 Message-ID: <20251111065547.2723539-2-rajeshkumar.ramasamy@windriver.com> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20251111065547.2723539-1-rajeshkumar.ramasamy@windriver.com> References: <20251111065547.2723539-1-rajeshkumar.ramasamy@windriver.com> MIME-Version: 1.0 X-Originating-IP: [10.11.232.110] X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (10.11.224.121) To ala-exchng01.corp.ad.wrs.com (10.11.224.121) X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTExMDA1MSBTYWx0ZWRfX84d20PO6pjoc 2H7keibJMU5c8DqZKYWDb0hZ4apF10WQOnd+xN8TQu0WKDibPPo0UAyUJNb+F+N3tWC9Qjasa7i JohC+bIqRBAj5p6DbcUILlswdbBiAcsP9i0O+SRn/JSqEPJnohxRSJQve2JD95ZFhEsYotswKvQ 4wb/3agstcWDbJyG+O5N+6nl/VW2ROSYN1eLBH1MeFNuj/d1Cuk68BBvtSpmWuRf1pGR12VEOo9 kN3tXosuGvfnqGBRN+hytYtg31WR0ow4T1oYla51lNOY4lPbkpAVq/yJJMGCDiwsG3SDpfLeIrY vXMGW+8IeaXTsICMGCEwCM0klPha8r9y+sJ/w5GWlt+tvWBj8//PNLkmqROVhEc8RnX7v1dwNBf QWzHfMXXPd4rC5fKf/Fw8tmPMB6yDA== X-Proofpoint-GUID: IiHtRlT7xlDHeuZoHVoDiieXACm3aKWZ X-Proofpoint-ORIG-GUID: IiHtRlT7xlDHeuZoHVoDiieXACm3aKWZ X-Authority-Analysis: v=2.4 cv=CMknnBrD c=1 sm=1 tr=0 ts=6912de07 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=gmxlzscTznEA:10 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=PYnjg3YJAAAA:8 a=nar8ntqeAAAA:8 a=t7CeM3EgAAAA:8 a=pGLkceISAAAA:8 a=_9gtbkrcAAAA:8 a=20KFwNOVAAAA:8 a=ChA6VurdLZCkuldovTIA:9 a=RptMqvEBejqe73AKBt4K:22 a=FdTzh2GWekK77mhwV6Dw:22 a=mzAfeOUevkGYtpgvwSZb:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-11_01,2025-11-11_02,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 lowpriorityscore=0 bulkscore=0 spamscore=0 clxscore=1015 malwarescore=0 priorityscore=1501 phishscore=0 impostorscore=0 suspectscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511110051 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 06:56:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121478 A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-8277 Upstream-patch: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=266174a6d36687b65cf90174f06af90b8b27c65f https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=8e4d67aa9eda455bfad9ac610e54b7a548d0aa08 https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=1c763e29d138db87665e98983f468d2dd0f286c1 Signed-off-by: Rajeshkumar Ramasamy --- .../libssh/libssh/CVE-2025-8277-1.patch | 57 +++++++++++++++++++ .../libssh/libssh/CVE-2025-8277-2.patch | 50 ++++++++++++++++ .../libssh/libssh/CVE-2025-8277-3.patch | 50 ++++++++++++++++ .../recipes-support/libssh/libssh_0.8.9.bb | 3 + 4 files changed, 160 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-1.patch create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-2.patch create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-3.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-1.patch new file mode 100644 index 0000000000..30198df0f4 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-1.patch @@ -0,0 +1,57 @@ +From 266174a6d36687b65cf90174f06af90b8b27c65f Mon Sep 17 00:00:00 2001 +From: Francesco Rollo +Date: Thu, 24 Jul 2025 16:30:07 +0300 +Subject: [PATCH 1/3] CVE-2025-8277: Fix memory leak of unused ephemeral key + pair after client's wrong KEX guess + +Signed-off-by: Francesco Rollo +Reviewed-by: Andreas Schneider +(cherry picked from commit ccff22d3787c1355b3f0dcd09fe54d90acc55bf1) + +CVE: CVE-2025-8277 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=266174a6d36687b65cf90174f06af90b8b27c65f] + +Signed-off-by: Rajeshkumar Ramasamy +--- + src/ecdh_gcrypt.c | 6 ++++++ + src/ecdh_mbedcrypto.c | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index bc45adf7..b2e5390c 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -101,6 +101,12 @@ int ssh_client_ecdh_init(ssh_session session) + goto out; + } + ++ /* Free any previously allocated privkey */ ++ if (session->next_crypto->ecdh_privkey != NULL) { ++ gcry_sexp_release(session->next_crypto->ecdh_privkey); ++ session->next_crypto->ecdh_privkey = NULL; ++ } ++ + session->next_crypto->ecdh_privkey = key; + key = NULL; + session->next_crypto->ecdh_client_pubkey = client_pubkey; +diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c +index fa350028..f7b0301b 100644 +--- a/src/ecdh_mbedcrypto.c ++++ b/src/ecdh_mbedcrypto.c +@@ -65,6 +65,12 @@ int ssh_client_ecdh_init(ssh_session session) + return SSH_ERROR; + } + ++ /* Free any previously allocated privkey */ ++ if (session->next_crypto->ecdh_privkey != NULL) { ++ mbedtls_ecp_keypair_free(session->next_crypto->ecdh_privkey); ++ SAFE_FREE(session->next_crypto->ecdh_privkey); ++ } ++ + session->next_crypto->ecdh_privkey = malloc(sizeof(mbedtls_ecp_keypair)); + if (session->next_crypto->ecdh_privkey == NULL) { + return SSH_ERROR; +-- +2.48.1 + diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-2.patch new file mode 100644 index 0000000000..87a4b684a4 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-2.patch @@ -0,0 +1,50 @@ +From 8e4d67aa9eda455bfad9ac610e54b7a548d0aa08 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Aug 2025 11:10:38 +0200 +Subject: [PATCH 2/3] CVE-2025-8277: ecdh: Free previously allocated pubkeys + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit c9d95ab0c7a52b231bcec09afbea71944ed0d852) + +CVE: CVE-2025-8277 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=8e4d67aa9eda455bfad9ac610e54b7a548d0aa08] + +Signed-off-by: Rajeshkumar Ramasamy +--- + src/ecdh_crypto.c | 1 + + src/ecdh_gcrypt.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c +index a3c78469..bb4c3fc0 100644 +--- a/src/ecdh_crypto.c ++++ b/src/ecdh_crypto.c +@@ -106,6 +106,7 @@ int ssh_client_ecdh_init(ssh_session session){ + } + + session->next_crypto->ecdh_privkey = key; ++ ssh_string_free(session->next_crypto->ecdh_client_pubkey); + session->next_crypto->ecdh_client_pubkey = client_pubkey; + + rc = ssh_packet_send(session); +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index b2e5390c..e998a582 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -106,9 +106,10 @@ int ssh_client_ecdh_init(ssh_session session) + gcry_sexp_release(session->next_crypto->ecdh_privkey); + session->next_crypto->ecdh_privkey = NULL; + } +- + session->next_crypto->ecdh_privkey = key; + key = NULL; ++ ++ SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey); + session->next_crypto->ecdh_client_pubkey = client_pubkey; + client_pubkey = NULL; + +-- +2.48.1 + diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-3.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-3.patch new file mode 100644 index 0000000000..9e1519072f --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8277-3.patch @@ -0,0 +1,50 @@ +From 1c763e29d138db87665e98983f468d2dd0f286c1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Aug 2025 15:32:56 +0200 +Subject: [PATCH 3/3] CVE-2025-8277: mbedtls: Avoid leaking ecdh keys + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit ffed80f8c078122990a4eba2b275facd56dd43e0) + +CVE: CVE-2025-8277 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=1c763e29d138db87665e98983f468d2dd0f286c1] + +Signed-off-by: Rajeshkumar Ramasamy +--- + src/ecdh_mbedcrypto.c | 1 + + src/wrapper.c | 5 ++++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c +index f7b0301b..ab323a7e 100644 +--- a/src/ecdh_mbedcrypto.c ++++ b/src/ecdh_mbedcrypto.c +@@ -109,6 +109,7 @@ int ssh_client_ecdh_init(ssh_session session) + goto out; + } + ++ SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey); + session->next_crypto->ecdh_client_pubkey = client_pubkey; + client_pubkey = NULL; + +diff --git a/src/wrapper.c b/src/wrapper.c +index 6e15d54e..fc1110f4 100644 +--- a/src/wrapper.c ++++ b/src/wrapper.c +@@ -169,7 +169,10 @@ void crypto_free(struct ssh_crypto_struct *crypto) + EC_KEY_free(crypto->ecdh_privkey); + #elif defined HAVE_GCRYPT_ECC + gcry_sexp_release(crypto->ecdh_privkey); +-#endif ++#elif defined HAVE_LIBMBEDCRYPTO ++ mbedtls_ecp_keypair_free(crypto->ecdh_privkey); ++ SAFE_FREE(crypto->ecdh_privkey); ++#endif /* HAVE_LIBGCRYPT */ + crypto->ecdh_privkey = NULL; + } + #endif +-- +2.48.1 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb index 28e3fe2588..891b2c38ac 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb @@ -24,6 +24,9 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-4877.patch \ file://CVE-2025-4878-1.patch \ file://CVE-2025-4878-2.patch \ + file://CVE-2025-8277-1.patch \ + file://CVE-2025-8277-2.patch \ + file://CVE-2025-8277-3.patch \ " SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"