mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

libssh: fix CVE-2025-4877

Browse Source 
Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
This commit is contained in:
Hitendra Prajapati
2025-09-01 11:06:10 +05:30
committed by Anuj Mittal
parent 97e9dee283
commit a8fdc03123
2 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
+57
View File
@@ -0,0 +1,57 @@
From 6fd9cc8ce3958092a1aae11f1f2e911b2747732d Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 15 Apr 2025 11:41:24 +0200
Subject: CVE-2025-4877 base64: Prevent integer overflow and potential OOB
Set maximum input to 256MB to have safe margin to the 1GB trigger point
for 32b arch.
The OOB should not be reachable by any internal code paths as most of
the buffers and strings we use as input for this operation already have
similar limit and none really allows this much of data.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 00f09acbec55962839fc7837ef14c56fb8fbaf72)
CVE: CVE-2025-4877
Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/base64.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/base64.c b/src/base64.c
index 4148f49c..f42e0e80 100644
--- a/src/base64.c
+++ b/src/base64.c
@@ -29,6 +29,9 @@
#include "libssh/priv.h"
#include "libssh/buffer.h"
+/* Do not allow encoding more than 256MB of data */
+#define BASE64_MAX_INPUT_LEN 256 * 1024 * 1024
+
static
const uint8_t alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
@@ -274,7 +277,15 @@ uint8_t *bin_to_base64(const uint8_t *source, size_t len)
{
uint8_t *base64 = NULL;
uint8_t *ptr = NULL;
- size_t flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
+ size_t flen = 0;
+
+ /* Set the artificial upper limit for the input. Otherwise on 32b arch, the
+ * following line could overflow for sizes larger than SIZE_MAX / 4 */
+ if (len > BASE64_MAX_INPUT_LEN) {
+ return NULL;
+ }
+
+ flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
flen = (4 * flen) / 3 + 1;
base64 = malloc(flen);
--
2.50.1
meta-oe/recipes-support/libssh/libssh_0.10.6.bb
+1
View File
@@ -13,6 +13,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
file://CVE-2025-5318.patch \
file://CVE-2025-5351.patch \
file://CVE-2025-5372.patch \
file://CVE-2025-4877.patch \
"
SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"