From: Jackson James <[email protected]> Fix NULL pointer dereference after allocation failure. Fix was available for this CVE in kex.c, but version 0.8.9 have the vulnerable code resides in dh.c.
Upstream Repository: https://git.libssh.org/projects/libssh.git/ Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8114 Type: Security Fix CVE: CVE-2025-8114 Signed-off-by: Jackson James <[email protected]> --- .../libssh/libssh/CVE-2025-8114.patch | 52 +++++++++++++++++++ .../recipes-support/libssh/libssh_0.8.9.bb | 1 + 2 files changed, 53 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch new file mode 100644 index 0000000000..27d53a012d --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch @@ -0,0 +1,52 @@ +From b67ac7d9d2dd0dfb834cc657841c32f085661a84 Mon Sep 17 00:00:00 2001 +From: Jackson James <[email protected]> +Date: Wed, 19 Nov 2025 15:29:41 +0530 +Subject: [PATCH] CVE-2025-8114: Fix NULL pointer dereference after allocation +failure + +Fix was available for this CVE in kex.c, but version 0.8.9 have the vulnerable +code resides in dh.c. + +CVE: CVE-2025-8114 +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb] +Signed-off-by: Andreas Schneider <[email protected]> + +Comment: Patch is refreshed as per codebase of 0.8.9 +Signed-off-by: Jackson James <[email protected]> +--- + src/dh.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/dh.c b/src/dh.c +index 33883f2..607db15 100644 +--- a/src/dh.c ++++ b/src/dh.c +@@ -872,7 +872,8 @@ int ssh_make_sessionid(ssh_session session) { + #ifdef DEBUG_CRYPTO + ssh_print_hexa("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf)); + #endif +- ++ /* Set rc for the following switch statement in case we goto error. */ ++ rc = SSH_ERROR; + switch (session->next_crypto->kex_type) { + case SSH_KEX_DH_GROUP1_SHA1: + case SSH_KEX_DH_GROUP14_SHA1: +@@ -925,6 +926,7 @@ int ssh_make_sessionid(ssh_session session) { + session->next_crypto->secret_hash); + break; + } ++ + /* During the first kex, secret hash and session ID are equal. However, after + * a key re-exchange, a new secret hash is calculated. This hash will not replace + * but complement existing session id. +@@ -933,6 +935,7 @@ int ssh_make_sessionid(ssh_session session) { + session->next_crypto->session_id = malloc(session->next_crypto->digest_len); + if (session->next_crypto->session_id == NULL) { + ssh_set_error_oom(session); ++ rc = SSH_ERROR; + goto error; + } + memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash, +-- +2.34.1 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb index 891b2c38ac..3781b501cd 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb @@ -27,6 +27,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-8277-1.patch \ file://CVE-2025-8277-2.patch \ file://CVE-2025-8277-3.patch \ + file://CVE-2025-8114.patch \ " SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#122022): https://lists.openembedded.org/g/openembedded-devel/message/122022 Mute This Topic: https://lists.openembedded.org/mt/116466002/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
