mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
libssh: fix CVE-2025-5351 & CVE-2025-5372
* CVE-2025-5351 - Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=6ddb730a27338983851248af59b128b995aad256 * CVE-2025-5372 - Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
2c9126bd0d
commit
1b222113dc
@@ -0,0 +1,38 @@
|
|||||||
|
From 6ddb730a27338983851248af59b128b995aad256 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Date: Tue, 6 May 2025 22:43:31 +0200
|
||||||
|
Subject: CVE-2025-5351 pki_crypto: Avoid double-free on low-memory conditions
|
||||||
|
|
||||||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6ddb730a27338983851248af59b128b995aad256]
|
||||||
|
CVE: CVE-2025-5351
|
||||||
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||||
|
---
|
||||||
|
src/pki_crypto.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
|
||||||
|
index 5b0d7ded..aec49544 100644
|
||||||
|
--- a/src/pki_crypto.c
|
||||||
|
+++ b/src/pki_crypto.c
|
||||||
|
@@ -2023,6 +2023,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
|
||||||
|
bignum_safe_free(bn);
|
||||||
|
bignum_safe_free(be);
|
||||||
|
OSSL_PARAM_free(params);
|
||||||
|
+ params = NULL;
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
@@ -2143,6 +2144,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
|
||||||
|
*/
|
||||||
|
#if 0
|
||||||
|
OSSL_PARAM_free(params);
|
||||||
|
+ params = NULL;
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
|
||||||
|
if (key->type == SSH_KEYTYPE_SK_ECDSA &&
|
||||||
|
--
|
||||||
|
2.49.0
|
||||||
|
|
||||||
@@ -0,0 +1,150 @@
|
|||||||
|
From a9d8a3d44829cf9182b252bc951f35fb0d573972 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Date: Wed, 14 May 2025 14:07:58 +0200
|
||||||
|
Subject: CVE-2025-5372 libgcrypto: Simplify error checking and handling of
|
||||||
|
return codes in ssh_kdf()
|
||||||
|
|
||||||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972]
|
||||||
|
CVE: CVE-2025-5372
|
||||||
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||||
|
---
|
||||||
|
src/libcrypto.c | 62 ++++++++++++++++++++++---------------------------
|
||||||
|
1 file changed, 28 insertions(+), 34 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libcrypto.c b/src/libcrypto.c
|
||||||
|
index 4f945d90..76e067d3 100644
|
||||||
|
--- a/src/libcrypto.c
|
||||||
|
+++ b/src/libcrypto.c
|
||||||
|
@@ -163,7 +163,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
|
||||||
|
uint8_t key_type, unsigned char *output,
|
||||||
|
size_t requested_len)
|
||||||
|
{
|
||||||
|
- int rc = -1;
|
||||||
|
+ int ret = SSH_ERROR, rv;
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
|
||||||
|
#else
|
||||||
|
@@ -185,81 +185,75 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
|
||||||
|
}
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
|
||||||
|
+ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
|
||||||
|
sshkdf_digest_to_md(crypto->digest_type));
|
||||||
|
- if (rc != 1) {
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
|
||||||
|
- if (rc != 1) {
|
||||||
|
+ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
|
||||||
|
+ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
|
||||||
|
crypto->secret_hash, crypto->digest_len);
|
||||||
|
- if (rc != 1) {
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
|
||||||
|
- if (rc != 1) {
|
||||||
|
+ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
||||||
|
+ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
||||||
|
crypto->session_id, crypto->session_id_len);
|
||||||
|
- if (rc != 1) {
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- rc = EVP_KDF_derive(ctx, output, requested_len);
|
||||||
|
- if (rc != 1) {
|
||||||
|
+ rv = EVP_KDF_derive(ctx, output, requested_len);
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
|
||||||
|
+ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
|
||||||
|
md, strlen(md));
|
||||||
|
- if (rc != 1) {
|
||||||
|
- rc = -1;
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- rc = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
|
||||||
|
+ rv = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
|
||||||
|
key, key_len);
|
||||||
|
- if (rc != 1) {
|
||||||
|
- rc = -1;
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
|
||||||
|
+ rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
|
||||||
|
OSSL_KDF_PARAM_SSHKDF_XCGHASH,
|
||||||
|
crypto->secret_hash,
|
||||||
|
crypto->digest_len);
|
||||||
|
- if (rc != 1) {
|
||||||
|
- rc = -1;
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
|
||||||
|
+ rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
|
||||||
|
OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
|
||||||
|
crypto->session_id,
|
||||||
|
crypto->session_id_len);
|
||||||
|
- if (rc != 1) {
|
||||||
|
- rc = -1;
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
|
||||||
|
+ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
|
||||||
|
(const char*)&key_type, 1);
|
||||||
|
- if (rc != 1) {
|
||||||
|
- rc = -1;
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
params = OSSL_PARAM_BLD_to_param(param_bld);
|
||||||
|
if (params == NULL) {
|
||||||
|
- rc = -1;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = EVP_KDF_derive(ctx, output, requested_len, params);
|
||||||
|
- if (rc != 1) {
|
||||||
|
- rc = -1;
|
||||||
|
+ rv = EVP_KDF_derive(ctx, output, requested_len, params);
|
||||||
|
+ if (rv != 1) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
+ ret = SSH_OK;
|
||||||
|
|
||||||
|
out:
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
@@ -267,8 +261,8 @@ out:
|
||||||
|
OSSL_PARAM_free(params);
|
||||||
|
#endif
|
||||||
|
EVP_KDF_CTX_free(ctx);
|
||||||
|
- if (rc < 0) {
|
||||||
|
- return rc;
|
||||||
|
+ if (ret < 0) {
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.49.0
|
||||||
|
|
||||||
@@ -11,6 +11,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
|
|||||||
file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
|
file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
|
||||||
file://run-ptest \
|
file://run-ptest \
|
||||||
file://CVE-2025-5318.patch \
|
file://CVE-2025-5318.patch \
|
||||||
|
file://CVE-2025-5351.patch \
|
||||||
|
file://CVE-2025-5372.patch \
|
||||||
"
|
"
|
||||||
SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
|
SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user