3 files changed, 190 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5351.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5351.patch
new file mode 100644
index 0000000000..09bf3d8bd5
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5351.patch
@@ -0,0 +1,38 @@
+From 6ddb730a27338983851248af59b128b995aad256 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 6 May 2025 22:43:31 +0200
+Subject: CVE-2025-5351 pki_crypto: Avoid double-free on low-memory conditions
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6ddb730a27338983851248af59b128b995aad256]
+CVE: CVE-2025-5351
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/pki_crypto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/src/pki_crypto.c b/src/pki_crypto.c
+index 5b0d7ded..aec49544 100644
+--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
+@@ -2023,6 +2023,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
+             bignum_safe_free(bn);
+             bignum_safe_free(be);
+             OSSL_PARAM_free(params);
+            params = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER */
+             break;
+         }
+@@ -2143,6 +2144,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
+  */
+ #if 0
+                 OSSL_PARAM_free(params);
+                params = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER */
+ 
+                 if (key->type == SSH_KEYTYPE_SK_ECDSA &&
+-- 
+2.49.0
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5372.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5372.patch
new file mode 100644
index 0000000000..c9c0cfe156
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5372.patch
@@ -0,0 +1,150 @@
+From a9d8a3d44829cf9182b252bc951f35fb0d573972 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 14 May 2025 14:07:58 +0200
+Subject: CVE-2025-5372 libgcrypto: Simplify error checking and handling of
+ return codes in ssh_kdf()
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972]
+CVE: CVE-2025-5372
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/libcrypto.c | 62 ++++++++++++++++++++++---------------------------
+ 1 file changed, 28 insertions(+), 34 deletions(-)
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 4f945d90..76e067d3 100644
+--- a/src/libcrypto.c
+++ b/src/libcrypto.c
+@@ -163,7 +163,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
+             uint8_t key_type, unsigned char *output,
+             size_t requested_len)
+ {
+-    int rc = -1;
+    int ret = SSH_ERROR, rv;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+     EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
+ #else
+@@ -185,81 +185,75 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
+     }
+ 
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
+    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
+                       sshkdf_digest_to_md(crypto->digest_type));
+-    if (rc != 1) {
+    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
+-    if (rc != 1) {
+    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
+    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
+    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
+                       crypto->secret_hash, crypto->digest_len);
+-    if (rc != 1) {
+    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
+-    if (rc != 1) {
+    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
+    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+                       crypto->session_id, crypto->session_id_len);
+-    if (rc != 1) {
+    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_derive(ctx, output, requested_len);
+-    if (rc != 1) {
+    rv = EVP_KDF_derive(ctx, output, requested_len);
+    if (rv != 1) {
+         goto out;
+     }
+ #else
+-    rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
+    rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
+                                          md, strlen(md));
+-    if (rc != 1) {
+-        rc = -1;
+    if (rv != 1) {
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
+    rv = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
+                                           key, key_len);
+-    if (rc != 1) {
+-        rc = -1;
+    if (rv != 1) {
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
+    rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
+                                           OSSL_KDF_PARAM_SSHKDF_XCGHASH,
+                                           crypto->secret_hash,
+                                           crypto->digest_len);
+-    if (rc != 1) {
+-        rc = -1;
+    if (rv != 1) {
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
+    rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
+                                           OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
+                                           crypto->session_id,
+                                           crypto->session_id_len);
+-    if (rc != 1) {
+-        rc = -1;
+    if (rv != 1) {
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
+    rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
+                                          (const char*)&key_type, 1);
+-    if (rc != 1) {
+-        rc = -1;
+    if (rv != 1) {
+         goto out;
+     }
+ 
+     params = OSSL_PARAM_BLD_to_param(param_bld);
+     if (params == NULL) {
+-        rc = -1;
+         goto out;
+     }
+ 
+-    rc = EVP_KDF_derive(ctx, output, requested_len, params);
+-    if (rc != 1) {
+-        rc = -1;
+    rv = EVP_KDF_derive(ctx, output, requested_len, params);
+    if (rv != 1) {
+         goto out;
+     }
+ #endif /* OPENSSL_VERSION_NUMBER */
+    ret = SSH_OK;
+ 
+ out:
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+@@ -267,8 +261,8 @@ out:
+     OSSL_PARAM_free(params);
+ #endif
+     EVP_KDF_CTX_free(ctx);
+-    if (rc < 0) {
+-        return rc;
+    if (ret < 0) {
+        return ret;
+     }
+     return 0;
+ }
+-- 
+2.49.0
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
index 3123500f51..64835c5e08 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -11,6 +11,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
           file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
           file://run-ptest \
           file://CVE-2025-5318.patch \
+           file://CVE-2025-5351.patch \
+           file://CVE-2025-5372.patch \
          "
 SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5351.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5351.patch new file mode 100644 index 0000000000..09bf3d8bd5 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5351.patch
@@ -0,0 +1,38 @@
		1	From 6ddb730a27338983851248af59b128b995aad256 Mon Sep 17 00:00:00 2001
		2	From: Jakub Jelen <jjelen@redhat.com>
		3	Date: Tue, 6 May 2025 22:43:31 +0200
		4	Subject: CVE-2025-5351 pki_crypto: Avoid double-free on low-memory conditions
		5
		6	Signed-off-by: Jakub Jelen <jjelen@redhat.com>
		7	Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
		8
		9	Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6ddb730a27338983851248af59b128b995aad256]
		10	CVE: CVE-2025-5351
		11	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		12	---
		13	src/pki_crypto.c \| 2 ++
		14	1 file changed, 2 insertions(+)
		15
		16	diff --git a/src/pki_crypto.c b/src/pki_crypto.c
		17	index 5b0d7ded..aec49544 100644
		18	--- a/src/pki_crypto.c
		19	+++ b/src/pki_crypto.c
		20	@@ -2023,6 +2023,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
		21	bignum_safe_free(bn);
		22	bignum_safe_free(be);
		23	OSSL_PARAM_free(params);
		24	+ params = NULL;
		25	#endif /* OPENSSL_VERSION_NUMBER */
		26	break;
		27	}
		28	@@ -2143,6 +2144,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
		29	*/
		30	#if 0
		31	OSSL_PARAM_free(params);
		32	+ params = NULL;
		33	#endif /* OPENSSL_VERSION_NUMBER */
		34
		35	if (key->type == SSH_KEYTYPE_SK_ECDSA &&
		36	--
		37	2.49.0
		38


diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5372.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5372.patch new file mode 100644 index 0000000000..c9c0cfe156 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5372.patch
@@ -0,0 +1,150 @@
		1	From a9d8a3d44829cf9182b252bc951f35fb0d573972 Mon Sep 17 00:00:00 2001
		2	From: Jakub Jelen <jjelen@redhat.com>
		3	Date: Wed, 14 May 2025 14:07:58 +0200
		4	Subject: CVE-2025-5372 libgcrypto: Simplify error checking and handling of
		5	return codes in ssh_kdf()
		6
		7	Signed-off-by: Jakub Jelen <jjelen@redhat.com>
		8	Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
		9
		10	Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972]
		11	CVE: CVE-2025-5372
		12	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		13	---
		14	src/libcrypto.c \| 62 ++++++++++++++++++++++---------------------------
		15	1 file changed, 28 insertions(+), 34 deletions(-)
		16
		17	diff --git a/src/libcrypto.c b/src/libcrypto.c
		18	index 4f945d90..76e067d3 100644
		19	--- a/src/libcrypto.c
		20	+++ b/src/libcrypto.c
		21	@@ -163,7 +163,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
		22	uint8_t key_type, unsigned char *output,
		23	size_t requested_len)
		24	{
		25	- int rc = -1;
		26	+ int ret = SSH_ERROR, rv;
		27	#if OPENSSL_VERSION_NUMBER < 0x30000000L
		28	EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
		29	#else
		30	@@ -185,81 +185,75 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
		31	}
		32
		33	#if OPENSSL_VERSION_NUMBER < 0x30000000L
		34	- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
		35	+ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
		36	sshkdf_digest_to_md(crypto->digest_type));
		37	- if (rc != 1) {
		38	+ if (rv != 1) {
		39	goto out;
		40	}
		41	- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
		42	- if (rc != 1) {
		43	+ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
		44	+ if (rv != 1) {
		45	goto out;
		46	}
		47	- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
		48	+ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
		49	crypto->secret_hash, crypto->digest_len);
		50	- if (rc != 1) {
		51	+ if (rv != 1) {
		52	goto out;
		53	}
		54	- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
		55	- if (rc != 1) {
		56	+ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
		57	+ if (rv != 1) {
		58	goto out;
		59	}
		60	- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
		61	+ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
		62	crypto->session_id, crypto->session_id_len);
		63	- if (rc != 1) {
		64	+ if (rv != 1) {
		65	goto out;
		66	}
		67	- rc = EVP_KDF_derive(ctx, output, requested_len);
		68	- if (rc != 1) {
		69	+ rv = EVP_KDF_derive(ctx, output, requested_len);
		70	+ if (rv != 1) {
		71	goto out;
		72	}
		73	#else
		74	- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
		75	+ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
		76	md, strlen(md));
		77	- if (rc != 1) {
		78	- rc = -1;
		79	+ if (rv != 1) {
		80	goto out;
		81	}
		82	- rc = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
		83	+ rv = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
		84	key, key_len);
		85	- if (rc != 1) {
		86	- rc = -1;
		87	+ if (rv != 1) {
		88	goto out;
		89	}
		90	- rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
		91	+ rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
		92	OSSL_KDF_PARAM_SSHKDF_XCGHASH,
		93	crypto->secret_hash,
		94	crypto->digest_len);
		95	- if (rc != 1) {
		96	- rc = -1;
		97	+ if (rv != 1) {
		98	goto out;
		99	}
		100	- rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
		101	+ rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
		102	OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
		103	crypto->session_id,
		104	crypto->session_id_len);
		105	- if (rc != 1) {
		106	- rc = -1;
		107	+ if (rv != 1) {
		108	goto out;
		109	}
		110	- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
		111	+ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
		112	(const char*)&key_type, 1);
		113	- if (rc != 1) {
		114	- rc = -1;
		115	+ if (rv != 1) {
		116	goto out;
		117	}
		118
		119	params = OSSL_PARAM_BLD_to_param(param_bld);
		120	if (params == NULL) {
		121	- rc = -1;
		122	goto out;
		123	}
		124
		125	- rc = EVP_KDF_derive(ctx, output, requested_len, params);
		126	- if (rc != 1) {
		127	- rc = -1;
		128	+ rv = EVP_KDF_derive(ctx, output, requested_len, params);
		129	+ if (rv != 1) {
		130	goto out;
		131	}
		132	#endif /* OPENSSL_VERSION_NUMBER */
		133	+ ret = SSH_OK;
		134
		135	out:
		136	#if OPENSSL_VERSION_NUMBER >= 0x30000000L
		137	@@ -267,8 +261,8 @@ out:
		138	OSSL_PARAM_free(params);
		139	#endif
		140	EVP_KDF_CTX_free(ctx);
		141	- if (rc < 0) {
		142	- return rc;
		143	+ if (ret < 0) {
		144	+ return ret;
		145	}
		146	return 0;
		147	}
		148	--
		149	2.49.0
		150


diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 3123500f51..64835c5e08 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -11,6 +11,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
11	file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \	11	file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
12	file://run-ptest \	12	file://run-ptest \
13	file://CVE-2025-5318.patch \	13	file://CVE-2025-5318.patch \
		14	file://CVE-2025-5351.patch \
		15	file://CVE-2025-5372.patch \
14	"	16	"
15	SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"	17	SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
16		18