libssh: fix CVE-2025-5318

Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2025-06-26 10:44:47 +0530
committer: Armin Kuster <akuster808@gmail.com> 2025-07-06 19:46:54 -0400
commit: c32d12b95044db8f86f90d9f4d6c0f39e7884772 (patch)
tree: 35bfc550ef41381ab3ea67117069e3bd3ba737b4
parent: f69d50cfe0358296cc7a457dc38ca99802b988c9 (diff)
download: meta-openembedded-c32d12b95044db8f86f90d9f4d6c0f39e7884772.tar.gz
2 files changed, 32 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5318.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5318.patch
new file mode 100644
index 0000000000..02efc7a8f3
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5318.patch
@@ -0,0 +1,31 @@
+From 5f4ffda88770f95482fd0e66aa44106614dbf466 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 22 Apr 2025 21:18:44 +0200
+Subject: CVE-2025-5318: sftpserver: Fix possible buffer overrun
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466]
+CVE: CVE-2025-5318
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/sftpserver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 9117f155..b3349e16 100644
+--- a/src/sftpserver.c
+++ b/src/sftpserver.c
+@@ -538,7 +538,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle){
+ 
+   memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
+ 
+-  if (val > SFTP_HANDLES) {
+  if (val >= SFTP_HANDLES) {
+     return NULL;
+   }
+ 
+-- 
+2.49.0
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
index 31f29c1b7d..3123500f51 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
           file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
           file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
           file://run-ptest \
+           file://CVE-2025-5318.patch \
          "
 SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
author	Hitendra Prajapati <hprajapati@mvista.com>	2025-06-26 10:44:47 +0530
committer	Armin Kuster <akuster808@gmail.com>	2025-07-06 19:46:54 -0400
commit	c32d12b95044db8f86f90d9f4d6c0f39e7884772 (patch)
tree	35bfc550ef41381ab3ea67117069e3bd3ba737b4
parent	f69d50cfe0358296cc7a457dc38ca99802b988c9 (diff)
download	meta-openembedded-c32d12b95044db8f86f90d9f4d6c0f39e7884772.tar.gz

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5318.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5318.patch new file mode 100644 index 0000000000..02efc7a8f3 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5318.patch
@@ -0,0 +1,31 @@
		1	From 5f4ffda88770f95482fd0e66aa44106614dbf466 Mon Sep 17 00:00:00 2001
		2	From: Jakub Jelen <jjelen@redhat.com>
		3	Date: Tue, 22 Apr 2025 21:18:44 +0200
		4	Subject: CVE-2025-5318: sftpserver: Fix possible buffer overrun
		5
		6	Signed-off-by: Jakub Jelen <jjelen@redhat.com>
		7	Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
		8
		9	Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466]
		10	CVE: CVE-2025-5318
		11	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		12	---
		13	src/sftpserver.c \| 2 +-
		14	1 file changed, 1 insertion(+), 1 deletion(-)
		15
		16	diff --git a/src/sftpserver.c b/src/sftpserver.c
		17	index 9117f155..b3349e16 100644
		18	--- a/src/sftpserver.c
		19	+++ b/src/sftpserver.c
		20	@@ -538,7 +538,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle){
		21
		22	memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
		23
		24	- if (val > SFTP_HANDLES) {
		25	+ if (val >= SFTP_HANDLES) {
		26	return NULL;
		27	}
		28
		29	--
		30	2.49.0
		31


diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 31f29c1b7d..3123500f51 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
10	file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \	10	file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
11	file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \	11	file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
12	file://run-ptest \	12	file://run-ptest \
		13	file://CVE-2025-5318.patch \
13	"	14	"
14	SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"	15	SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
15		16