From: Divya Chellam <[email protected]>

A flaw was found in libssh, a library that implements the SSH protocol.
When calculating the session ID during the key exchange (KEX) process,
an allocation failure in cryptographic functions may lead to a NULL
pointer dereference. This issue can cause the client or server to crash.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-8114

Upstream-patch:
https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d

Signed-off-by: Divya Chellam <[email protected]>
---
 .../libssh/libssh/CVE-2025-8114.patch         | 50 +++++++++++++++++++
 .../recipes-support/libssh/libssh_0.8.9.bb    |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch 
b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch
new file mode 100644
index 0000000000..44964e17ff
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch
@@ -0,0 +1,50 @@
+From 53ac23ded4cb2c5463f6c4cd1525331bd578812d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <[email protected]>
+Date: Wed, 6 Aug 2025 15:17:59 +0200
+Subject: [PATCH] CVE-2025-8114: Fix NULL pointer dereference after allocation
+ failure
+
+Signed-off-by: Andreas Schneider <[email protected]>
+Reviewed-by: Jakub Jelen <[email protected]>
+
+CVE: CVE-2025-8114
+
+Upstream-Status: Backport 
[https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d]
+
+Signed-off-by: Divya Chellam <[email protected]>
+---
+ src/dh.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/dh.c b/src/dh.c
+index 33883f2d..7116d1dc 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -873,6 +873,8 @@ int ssh_make_sessionid(ssh_session session) {
+     ssh_print_hexa("hash buffer", ssh_buffer_get(buf), 
ssh_buffer_get_len(buf));
+ #endif
+ 
++    /* Set rc for the following switch statement in case we goto error. */
++    rc = SSH_ERROR;
+     switch (session->next_crypto->kex_type) {
+     case SSH_KEX_DH_GROUP1_SHA1:
+     case SSH_KEX_DH_GROUP14_SHA1:
+@@ -925,6 +927,7 @@ int ssh_make_sessionid(ssh_session session) {
+                session->next_crypto->secret_hash);
+         break;
+     }
++
+     /* During the first kex, secret hash and session ID are equal. However, 
after
+      * a key re-exchange, a new secret hash is calculated. This hash will not 
replace
+      * but complement existing session id.
+@@ -933,6 +936,7 @@ int ssh_make_sessionid(ssh_session session) {
+         session->next_crypto->session_id = 
malloc(session->next_crypto->digest_len);
+         if (session->next_crypto->session_id == NULL) {
+             ssh_set_error_oom(session);
++          rc = SSH_ERROR;
+             goto error;
+         }
+         memcpy(session->next_crypto->session_id, 
session->next_crypto->secret_hash,
+-- 
+2.40.0
+
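Review bot: The src/dh.c change only assigns rc (before the switch, and again before the `goto error` on the session_id malloc failure) and adds no new NULL checks. It is therefore effective only if the allocation-failure paths inside the switch already `goto error` in 0.8.9 and the error label returns rc, and neither is visible in these hunks. Please confirm the patch applies without fuzz against the recipe's SRCREV and that the error path of this older ssh_make_sessionid() returns rc. If the patch had to be adapted for 0.8.9, note that in the header next to Upstream-Status: Backport. Minor style point: the added `rc = SSH_ERROR;` in the last hunk is indented differently from the `goto error;` below it. Keep it if upstream has it that way, otherwise align it with the surrounding lines.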
diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb 
b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
index 891b2c38ac..3781b501cd 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
@@ -27,6 +27,7 @@ SRC_URI = 
"git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
            file://CVE-2025-8277-1.patch \
            file://CVE-2025-8277-2.patch \
            file://CVE-2025-8277-3.patch \
+           file://CVE-2025-8114.patch \
           "
 SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"
 
-- 
2.40.0
