mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-13 17:39:57 +00:00
Code Issues Projects Releases Wiki Activity

libssh : fix CVE-2025-8114

Browse Source 
A flaw was found in libssh, a library that implements the SSH protocol.
When calculating the session ID during the key exchange (KEX) process,
an allocation failure in cryptographic functions may lead to a NULL
pointer dereference. This issue can cause the client or server to crash.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-8114

Upstream-patch:
https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Divya Chellam
2025-11-18 16:50:48 +05:30
committed by Gyorgy Sarvari
parent 44689d795c
commit 4ae2ec4620
2 changed files with 51 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch
+50
View File
@@ -0,0 +1,50 @@
From 53ac23ded4cb2c5463f6c4cd1525331bd578812d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 6 Aug 2025 15:17:59 +0200
Subject: [PATCH] CVE-2025-8114: Fix NULL pointer dereference after allocation
failure
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
CVE: CVE-2025-8114
Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d]
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
src/dh.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/dh.c b/src/dh.c
index 33883f2d..7116d1dc 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -873,6 +873,8 @@ int ssh_make_sessionid(ssh_session session) {
ssh_print_hexa("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf));
#endif
+ /* Set rc for the following switch statement in case we goto error. */
+ rc = SSH_ERROR;
switch (session->next_crypto->kex_type) {
case SSH_KEX_DH_GROUP1_SHA1:
case SSH_KEX_DH_GROUP14_SHA1:
@@ -925,6 +927,7 @@ int ssh_make_sessionid(ssh_session session) {
session->next_crypto->secret_hash);
break;
}
+
/* During the first kex, secret hash and session ID are equal. However, after
* a key re-exchange, a new secret hash is calculated. This hash will not replace
* but complement existing session id.
@@ -933,6 +936,7 @@ int ssh_make_sessionid(ssh_session session) {
session->next_crypto->session_id = malloc(session->next_crypto->digest_len);
if (session->next_crypto->session_id == NULL) {
ssh_set_error_oom(session);
+ rc = SSH_ERROR;
goto error;
}
memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash,
--
2.40.0
meta-oe/recipes-support/libssh/libssh_0.8.9.bb
+1
View File
@@ -27,6 +27,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
file://CVE-2025-8277-1.patch \
file://CVE-2025-8277-2.patch \
file://CVE-2025-8277-3.patch \
file://CVE-2025-8114.patch \
"
SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"