From a54dadba536781924df27681dfa5222825dcdb58 Mon Sep 17 00:00:00 2001
From: yangjinlin01
Date: Wed, 9 Jul 2025 15:06:26 +0800
Subject: [PATCH] [CVE] FIX CVE-2025-5351 to #22423 Commit fix cve-2025-5351 Project: TC2024080204
Signed-off-by: yangjinlin01
---
 ...double-free-on-low-memory-conditions.patch | 34 +++++++++++++++++++
 libssh.spec | 7 +++-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 0023-CVE-2025-5351-pki_crypto-Avoid-double-free-on-low-memory-conditions.patch
diff --git a/0023-CVE-2025-5351-pki_crypto-Avoid-double-free-on-low-memory-conditions.patch b/0023-CVE-2025-5351-pki_crypto-Avoid-double-free-on-low-memory-conditions.patch
new file mode 100644
index 0000000..132f1b1
--- /dev/null
+++ b/0023-CVE-2025-5351-pki_crypto-Avoid-double-free-on-low-memory-conditions.patch
@@ -0,0 +1,34 @@
+From 6ddb730a27338983851248af59b128b995aad256 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Tue, 6 May 2025 22:43:31 +0200
+Subject: CVE-2025-5351 pki_crypto: Avoid double-free on low-memory conditions
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+---
+ src/pki_crypto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pki_crypto.c b/src/pki_crypto.c
+index 1a294493..42ff2271 100644
+--- a/src/pki_crypto.c
++++ b/src/pki_crypto.c
+@@ -1632,6 +1632,7 @@ ssh_string pki_key_to_blob(const ssh_key key, enum ssh_key_e type)
+ bignum_safe_free(bn);
+ bignum_safe_free(be);
+ OSSL_PARAM_free(params);
++ params = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER */
+ break;
+ }
+@@ -1803,6 +1804,7 @@ ssh_string pki_key_to_blob(const ssh_key key, enum ssh_key_e type)
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ bignum_safe_free(bd);
+ OSSL_PARAM_free(params);
++ params = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER */
+ break;
+ }
+--
+cgit v1.2.3
+
diff --git a/libssh.spec b/libssh.spec
index 467b782..ef8ace8 100644
--- a/libssh.spec
+++ b/libssh.spec
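Review bot: Both embedded hunks stop at `break; }` inside pki_key_to_blob(), so the second free that `params = NULL;` is meant to neutralise is not visible here; presumably it sits in a shared cleanup path further down the function, outside both hunks. Before merging, confirm against the 0.10.5 tree this spec builds that the patch applies with no fuzz or offset, because the trailing context (`OSSL_PARAM_free(params);`, `#endif`, `break;`) looks generic enough to match more than one case branch. It is also worth checking whether any other `OSSL_PARAM_free(params)` in that function can reach the same cleanup, since only two sites are cleared here.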
@@ -1,4 +1,4 @@ -%define anolis_release 5 +%define anolis_release 6 %global _smp_build_ncpus 1 Name: libssh @@ -38,6 +38,8 @@ Patch0019: 0019-CVE-2023-6004-torture_config-Allow-multiple-in-usern.patch Patch0020: 0020-Fix-regression-in-IPv6-addresses-in-hostname-parsing.patch Patch0021: 0021-tests-Increase-test-coverage-for-IPv6-address-parsin.patch Patch0022: 0022-libssh-0.10.6-rekey-timeout.patch +#upstream https://git.libssh.org/projects/libssh.git/commit/?id=acb158e8277adad473ed32ea1640a3d0b70d733b +Patch0023: 0023-CVE-2025-5351-pki_crypto-Avoid-double-free-on-low-memory-conditions.patch BuildRequires: cmake gcc-c++ BuildRequires: openssl-devel zlib-devel krb5-devel libcmocka-devel @@ -148,6 +150,9 @@ popd %doc AUTHORS CHANGELOG README %changelog +* Wed Jul 9 2025 yangjinlin01 - 0.10.5-6 +- fix CVE-2025-5351 + * Tue Jun 10 2025 Yihao Yan - 0.10.5-5 - fix rekey test timeout -- Gitee
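Review bot: The provenance comment added above `Patch0023` cites upstream commit `acb158e8277adad473ed32ea1640a3d0b70d733b`, but the patch file added in this same commit begins with `From 6ddb730a27338983851248af59b128b995aad256`. Possibly one is the mainline commit and the other a stable-branch backport, but the spec should name the commit the file was actually exported from so the fix can be audited against upstream, e.g. `#upstream https://git.libssh.org/projects/libssh.git/commit/?id=6ddb730a27338983851248af59b128b995aad256`. The changelog entry would also be easier to triage if it named the affected code, e.g. `- fix CVE-2025-5351 (double free in pki_key_to_blob under low memory)`.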