Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d
Signed-off-by: Hitendra Prajapati <[email protected]>
---
 .../libssh/libssh/CVE-2025-4877.patch | 57 +++++++++++++++++++
 .../recipes-support/libssh/libssh_0.8.9.bb | 1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
new file mode 100644
index 0000000000..6866fd2328
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
@@ -0,0 +1,57 @@
+From 6fd9cc8ce3958092a1aae11f1f2e911b2747732d Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <[email protected]>
+Date: Tue, 15 Apr 2025 11:41:24 +0200
+Subject: CVE-2025-4877 base64: Prevent integer overflow and potential OOB
+
+Set maximum input to 256MB to have safe margin to the 1GB trigger point
+for 32b arch.
+
+The OOB should not be reachable by any internal code paths as most of
+the buffers and strings we use as input for this operation already have
+similar limit and none really allows this much of data.
+
+Signed-off-by: Jakub Jelen <[email protected]>
+Reviewed-by: Andreas Schneider <[email protected]>
+(cherry picked from commit 00f09acbec55962839fc7837ef14c56fb8fbaf72)
+
+CVE: CVE-2025-4877
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d]
+Signed-off-by: Hitendra Prajapati <[email protected]>
+---
+ src/base64.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/base64.c b/src/base64.c
+index 372dc65f..7bb8efb1 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -29,6 +29,9 @@
+ #include "libssh/priv.h"
+ #include "libssh/buffer.h"
+
++/* Do not allow encoding more than 256MB of data */
++#define BASE64_MAX_INPUT_LEN 256 * 1024 * 1024
++
+ static char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz"
+ "0123456789+/";
+@@ -269,7 +272,15 @@ static void _bin_to_base64(unsigned char *dest, const unsigned char source[3],
+ unsigned char *bin_to_base64(const unsigned char *source, int len) {
+ unsigned char *base64;
+ unsigned char *ptr;
+- int flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
++ int flen = 0;
++
++ /* Set the artificial upper limit for the input. Otherwise on 32b arch, the
++ * following line could overflow for sizes larger than SIZE_MAX / 4 */
++ if (len > BASE64_MAX_INPUT_LEN) {
++ return NULL;
++ }
++
++ flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
+ flen = (4 * flen) / 3 + 1;
+
+ base64 = malloc(flen);
+--
+2.50.1
+
diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
index 67e03c4081..fee711e191 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
@@ -21,6 +21,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
 file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
 file://run-ptest \
 file://CVE-2025-5318.patch \
+ file://CVE-2025-4877.patch \
 "
 SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"
--
2.50.1
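Review bot: The new guard in `bin_to_base64()` bounds `len` only from above, but `len` is a signed `int`, so a negative value passes `if (len > BASE64_MAX_INPUT_LEN)` and reaches the same `flen` arithmetic, where `4 * flen` can still overflow for a large negative magnitude. Rejecting both directions before the rounding step closes that gap: `if (len < 0 || len > BASE64_MAX_INPUT_LEN) {`. Because `flen` is an `int` in this 0.8.9 backport, the overflow is bounded by `INT_MAX` rather than `SIZE_MAX`, so the comment's "on 32b arch" wording understates where it applies. The macro is also safer parenthesized, `#define BASE64_MAX_INPUT_LEN (256 * 1024 * 1024)`, so it stays correct if it is ever used inside a larger expression. The rest of the function and its callers lie outside the hunk, so whether a negative length can actually arrive is not visible here.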
