diff options
| author | Divya Chellam <divya.chellam@windriver.com> | 2025-09-11 16:07:05 +0530 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@intel.com> | 2025-09-23 09:59:05 +0800 |
| commit | 3702195a7ebb1947c8dfc9bba1196d6b42ae6253 (patch) | |
| tree | 158e0057e0b027267a1a83c2bca12e3d50a229fd /meta-oe | |
| parent | 71b601e3d721fd8edc0e98b627331e14f8ff7a23 (diff) | |
| download | meta-openembedded-3702195a7ebb1947c8dfc9bba1196d6b42ae6253.tar.gz | |
libssh: fix CVE-2025-5987
A flaw was found in libssh when using the ChaCha20 cipher with the
OpenSSL library. If an attacker manages to exhaust the heap space,
this error is not detected and may lead to libssh using a partially
initialized cipher context. This occurs because the OpenSSL error
code returned aliases with the SSH_OK code, resulting in libssh not
properly detecting the error returned by the OpenSSL library.
This issue can lead to undefined behavior, including compromised
data confidentiality and integrity or crashes.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5987
Upstream-patch:
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=90b4845e0c98574bbf7bea9e97796695f064bf57
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch | 37 | ||||
| -rw-r--r-- | meta-oe/recipes-support/libssh/libssh_0.10.6.bb | 1 |
2 files changed, 38 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch new file mode 100644 index 0000000000..08395e0e7d --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch | |||
| @@ -0,0 +1,37 @@ | |||
| 1 | From 90b4845e0c98574bbf7bea9e97796695f064bf57 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jakub Jelen <jjelen@redhat.com> | ||
| 3 | Date: Tue, 6 May 2025 22:51:41 +0200 | ||
| 4 | Subject: [PATCH] CVE-2025-5987 libcrypto: Correctly detect failures of chacha | ||
| 5 | initialization | ||
| 6 | |||
| 7 | Signed-off-by: Jakub Jelen <jjelen@redhat.com> | ||
| 8 | Reviewed-by: Andreas Schneider <asn@cryptomilk.org> | ||
| 9 | |||
| 10 | CVE: CVE-2025-5987 | ||
| 11 | |||
| 12 | Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57] | ||
| 13 | |||
| 14 | Signed-off-by: Divya Chellam <divya.chellam@windriver.com> | ||
| 15 | --- | ||
| 16 | src/libcrypto.c | 4 ++-- | ||
| 17 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/src/libcrypto.c b/src/libcrypto.c | ||
| 20 | index 76e067d3..69a850de 100644 | ||
| 21 | --- a/src/libcrypto.c | ||
| 22 | +++ b/src/libcrypto.c | ||
| 23 | @@ -771,9 +771,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher, | ||
| 24 | SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed"); | ||
| 25 | goto out; | ||
| 26 | } | ||
| 27 | - ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, | ||
| 28 | + rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, | ||
| 29 | u8key + CHACHA20_KEYLEN, NULL); | ||
| 30 | - if (ret != 1) { | ||
| 31 | + if (rv != 1) { | ||
| 32 | SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed"); | ||
| 33 | goto out; | ||
| 34 | } | ||
| 35 | -- | ||
| 36 | 2.40.0 | ||
| 37 | |||
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 6932da5175..bf91e69bc8 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb | |||
| @@ -16,6 +16,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable | |||
| 16 | file://CVE-2025-4877.patch \ | 16 | file://CVE-2025-4877.patch \ |
| 17 | file://CVE-2025-4878-0001.patch \ | 17 | file://CVE-2025-4878-0001.patch \ |
| 18 | file://CVE-2025-4878-0002.patch \ | 18 | file://CVE-2025-4878-0002.patch \ |
| 19 | file://CVE-2025-5987.patch \ | ||
| 19 | " | 20 | " |
| 20 | SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" | 21 | SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" |
| 21 | 22 | ||
