From 3702195a7ebb1947c8dfc9bba1196d6b42ae6253 Mon Sep 17 00:00:00 2001
From: Divya Chellam <divya.chellam@windriver.com>
Date: Thu, 11 Sep 2025 16:07:05 +0530
Subject: [PATCH] libssh: fix CVE-2025-5987

A flaw was found in libssh when using the ChaCha20 cipher with the
OpenSSL library. If an attacker manages to exhaust the heap space,
this error is not detected and may lead to libssh using a partially
initialized cipher context. This occurs because the OpenSSL error
code returned aliases with the SSH_OK code, resulting in libssh not
properly detecting the error returned by the OpenSSL library.
This issue can lead to undefined behavior, including compromised
data confidentiality and integrity or crashes.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5987

Upstream-patch:
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=90b4845e0c98574bbf7bea9e97796695f064bf57

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../libssh/libssh/CVE-2025-5987.patch         | 37 +++++++++++++++++++
 .../recipes-support/libssh/libssh_0.10.6.bb   |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch
new file mode 100644
index 0000000000..08395e0e7d
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch
@@ -0,0 +1,37 @@
+From 90b4845e0c98574bbf7bea9e97796695f064bf57 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 6 May 2025 22:51:41 +0200
+Subject: [PATCH] CVE-2025-5987 libcrypto: Correctly detect failures of chacha
+ initialization
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+
+CVE: CVE-2025-5987
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/libcrypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 76e067d3..69a850de 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -771,9 +771,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher,
+         SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed");
+         goto out;
+     }
+-    ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
++    rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
+                              u8key + CHACHA20_KEYLEN, NULL);
+-    if (ret != 1) {
++    if (rv != 1) {
+         SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed");
+         goto out;
+     }
+-- 
+2.40.0
+
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
index 6932da5175..bf91e69bc8 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
            file://CVE-2025-4877.patch \
            file://CVE-2025-4878-0001.patch \
            file://CVE-2025-4878-0002.patch \
+           file://CVE-2025-5987.patch \
           "
 SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"