diff --git a/backport-CVE-2025-4877-prevent-integer-overflow-and-potential-OOB.patch b/backport-CVE-2025-4877-prevent-integer-overflow-and-potential-OOB.patch new file mode 100644 index 0000000000000000000000000000000000000000..f3970148d09c4fa146e9e3deab3459ce1c5d6d9f --- /dev/null +++ b/backport-CVE-2025-4877-prevent-integer-overflow-and-potential-OOB.patch @@ -0,0 +1,55 @@ +From 00f09acbec55962839fc7837ef14c56fb8fbaf72 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 15 Apr 2025 11:41:24 +0200 +Subject: CVE-2025-4877 base64: Prevent integer overflow and potential +OOB + +Set maximum input to 256MB to have safe margin to the 1GB trigger point +for 32b arch. + +The OOB should not be reachable by any internal code paths as most of +the buffers and strings we use as input for this operation already have +similar limit and none really allows this much of data. + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Conflict:NA +Reference:https://git.libssh.org/projects/libssh.git/patch/?id=00f09acbec55962839fc7837ef14c56fb8fbaf72 +--- + src/base64.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/base64.c b/src/base64.c +index 4148f49..f42e0e8 100644 +--- a/src/base64.c ++++ b/src/base64.c +@@ -29,6 +29,9 @@ + #include "libssh/priv.h" + #include "libssh/buffer.h" + ++/* Do not allow encoding more than 256MB of data */ ++#define BASE64_MAX_INPUT_LEN 256 * 1024 * 1024 ++ + static + const uint8_t alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" +@@ -274,7 +277,15 @@ uint8_t *bin_to_base64(const uint8_t *source, size_t len) + { + uint8_t *base64 = NULL; + uint8_t *ptr = NULL; +- size_t flen = len + (3 - (len % 3)); /* round to upper 3 multiple */ ++ size_t flen = 0; ++ ++ /* Set the artificial upper limit for the input. Otherwise on 32b arch, the ++ * following line could overflow for sizes larger than SIZE_MAX / 4 */ ++ if (len > BASE64_MAX_INPUT_LEN) { ++ return NULL; ++ } ++ ++ flen = len + (3 - (len % 3)); /* round to upper 3 multiple */ + flen = (4 * flen) / 3 + 1; + + base64 = malloc(flen); +-- +2.43.0 diff --git a/backport-CVE-2025-4878-fix-uninitialized-variable-part1.patch b/backport-CVE-2025-4878-fix-uninitialized-variable-part1.patch new file mode 100644 index 0000000000000000000000000000000000000000..1db3aa54e959a901455d87ba74155dfd16414e0e --- /dev/null +++ b/backport-CVE-2025-4878-fix-uninitialized-variable-part1.patch @@ -0,0 +1,2559 @@ +From 697650caa97eaf7623924c75f9fcfec6dd423cd1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 23 Apr 2025 17:57:11 +0200 +Subject: CVE-2025-4878 Initialize pointers where possible + +This is mostly mechanical change initializing all the pointers I was able to +find with some grep and manual review of sources and examples. + +Used the following greps (which yield some false positives though): + + git grep " \w* *\* *\w*;$" + git grep " ssh_session \w*;" + git grep " ssh_channel \w*;" + git grep " struct ssh_iterator \*\w*;" + git grep " ssh_bind \w*;" + git grep " ssh_key \w*;" + git grep " ssh_string \w*;" + git grep " ssh_buffer \w*;" + git grep " HMACCTX \w*;" + git grep " SHACTX \w*;" + grep -rinP '^(?!.*=)\s*(?:\w+\s+)*\w+\s*\*\s*\w+\s*;' + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Conflict: adjust context +Reference:https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1 +--- + doc/authentication.dox | 10 ++++---- + doc/command.dox | 2 +- + doc/forwarding.dox | 4 +-- + doc/guided_tour.dox | 14 +++++----- + doc/shell.dox | 2 +- + examples/authentication.c | 12 ++++----- + examples/connect_ssh.c | 2 +- + examples/exec.c | 4 +-- + examples/knownhosts.c | 2 +- + examples/libssh_scp.c | 11 ++++---- + examples/proxy.c | 18 ++++++------- + examples/samplesshd-cb.c | 10 ++++---- + examples/samplesshd-kbdint.c | 13 +++++----- + examples/scp_download.c | 4 +-- + examples/senddata.c | 4 +-- + examples/ssh_client.c | 8 +++--- + examples/sshd_direct-tcpip.c | 14 +++++----- + examples/sshnetcat.c | 6 ++--- + src/agent.c | 13 +++++----- + src/auth.c | 7 ++--- + src/bind.c | 11 ++++---- + src/bind_config.c | 4 +-- + src/buffer.c | 9 ++++--- + src/callbacks.c | 2 +- + src/chachapoly.c | 2 +- + src/channels.c | 50 ++++++++++++++++++------------------ + src/client.c | 2 +- + src/config.c | 4 +-- + src/config_parser.c | 14 +++++----- + src/connect.c | 4 +-- + src/connector.c | 5 ++-- + src/dh_crypto.c | 2 +- + src/ecdh_crypto.c | 8 +++--- + src/ecdh_gcrypt.c | 10 ++++---- + src/gcrypt_missing.c | 2 +- + src/getpass.c | 4 +-- + src/gssapi.c | 23 +++++++++-------- + src/kex.c | 4 +-- + src/known_hosts.c | 38 +++++++++++++-------------- + src/knownhosts.c | 18 ++++++------- + src/legacy.c | 43 ++++++++++++++++--------------- + src/libmbedcrypto.c | 2 +- + src/log.c | 2 +- + src/messages.c | 18 ++++++------- + src/misc.c | 24 ++++++++--------- + src/options.c | 24 ++++++++--------- + src/packet.c | 6 ++--- + src/packet_crypt.c | 2 +- + src/pki.c | 48 +++++++++++++++++----------------- + src/pki_container_openssh.c | 16 ++++++------ + src/pki_crypto.c | 6 ++--- + src/pki_ed25519.c | 6 ++--- + src/pki_ed25519_common.c | 2 +- + src/pki_gcrypt.c | 12 ++++----- + src/pki_mbedcrypto.c | 12 ++++----- + src/poll.c | 10 ++++---- + src/server.c | 17 ++++++------ + src/session.c | 12 ++++----- + src/sftpserver.c | 12 ++++----- + src/string.c | 6 ++--- + src/threads/winlocks.c | 2 +- + src/wrapper.c | 2 +- + 62 files changed, 335 insertions(+), 325 deletions(-) + +diff --git a/doc/authentication.dox b/doc/authentication.dox +index 3196f64..a3fc192 100644 +--- a/doc/authentication.dox ++++ b/doc/authentication.dox +@@ -102,7 +102,7 @@ Here is a small example of password authentication: + @code + int authenticate_password(ssh_session session) + { +- char *password; ++ char *password = NULL; + int rc; + + password = getpass("Enter your password: "); +@@ -215,7 +215,7 @@ int authenticate_kbdint(ssh_session session) + rc = ssh_userauth_kbdint(session, NULL, NULL); + while (rc == SSH_AUTH_INFO) + { +- const char *name, *instruction; ++ const char *name = NULL, *instruction = NULL; + int nprompts, iprompt; + + name = ssh_userauth_kbdint_getname(session); +@@ -228,7 +228,7 @@ int authenticate_kbdint(ssh_session session) + printf("%s\n", instruction); + for (iprompt = 0; iprompt < nprompts; iprompt++) + { +- const char *prompt; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, iprompt, &echo); +@@ -248,7 +248,7 @@ int authenticate_kbdint(ssh_session session) + } + else + { +- char *ptr; ++ char *ptr = NULL; + + ptr = getpass(prompt); + if (ssh_userauth_kbdint_setanswer(session, iprompt, ptr) < 0) +@@ -351,7 +351,7 @@ The following example shows how to retrieve and dispose the issue banner: + int display_banner(ssh_session session) + { + int rc; +- char *banner; ++ char *banner = NULL; + + /* + *** Does not work without calling ssh_userauth_none() first *** +diff --git a/doc/command.dox b/doc/command.dox +index 588151c..e82748c 100644 +--- a/doc/command.dox ++++ b/doc/command.dox +@@ -22,7 +22,7 @@ a SSH session that uses this channel: + @code + int show_remote_files(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/doc/forwarding.dox b/doc/forwarding.dox +index bb93c7b..1949660 100644 +--- a/doc/forwarding.dox ++++ b/doc/forwarding.dox +@@ -100,7 +100,7 @@ used to retrieve google's home page from the remote SSH server. + @code + int direct_forwarding(ssh_session session) + { +- ssh_channel forwarding_channel; ++ ssh_channel forwarding_channel = NULL; + int rc; + char *http_get = "GET / HTTP/1.1\nHost: www.google.com\n\n"; + int nbytes, nwritten; +@@ -161,7 +161,7 @@ local libssh application, which handles them: + int web_server(ssh_session session) + { + int rc; +- ssh_channel channel; ++ ssh_channel channel = NULL; + char buffer[256]; + int nbytes, nwritten; + int port = 0; +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox +index 69576f1..60f4087 100644 +--- a/doc/guided_tour.dox ++++ b/doc/guided_tour.dox +@@ -79,7 +79,7 @@ Here is a small example of how to use it: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int verbosity = SSH_LOG_PROTOCOL; + int port = 22; + +@@ -126,7 +126,7 @@ Here's an example: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; + + my_ssh_session = ssh_new(); +@@ -190,8 +190,8 @@ int verify_knownhost(ssh_session session) + ssh_key srv_pubkey = NULL; + size_t hlen; + char buf[10]; +- char *hexa; +- char *p; ++ char *hexa = NULL; ++ char *p = NULL; + int cmp; + int rc; + +@@ -317,9 +317,9 @@ The example below shows an authentication with password: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; +- char *password; ++ char *password = NULL; + + // Open session and set options + my_ssh_session = ssh_new(); +@@ -380,7 +380,7 @@ The example below shows how to execute a remote command: + @code + int show_remote_processes(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + char buffer[256]; + int nbytes; +diff --git a/doc/shell.dox b/doc/shell.dox +index 0693bbc..03b5a57 100644 +--- a/doc/shell.dox ++++ b/doc/shell.dox +@@ -26,7 +26,7 @@ The code sample below achieves these tasks: + @code + int shell_session(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/examples/authentication.c b/examples/authentication.c +index 7c47c8b..31de7cf 100644 +--- a/examples/authentication.c ++++ b/examples/authentication.c +@@ -30,8 +30,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + + err = ssh_userauth_kbdint(session, NULL, NULL); + while (err == SSH_AUTH_INFO) { +- const char *instruction; +- const char *name; ++ const char *instruction = NULL; ++ const char *name = NULL; + char buffer[128]; + int i, n; + +@@ -48,8 +48,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + for (i = 0; i < n; i++) { +- const char *answer; +- const char *prompt; ++ const char *answer = NULL; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, i, &echo); +@@ -58,7 +58,7 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + if (echo) { +- char *p; ++ char *p = NULL; + + printf("%s", prompt); + +@@ -143,7 +143,7 @@ int authenticate_console(ssh_session session) + int rc; + int method; + char password[128] = {0}; +- char *banner; ++ char *banner = NULL; + + // Try to authenticate + rc = ssh_userauth_none(session, NULL); +diff --git a/examples/connect_ssh.c b/examples/connect_ssh.c +index c9e4ef6..0609427 100644 +--- a/examples/connect_ssh.c ++++ b/examples/connect_ssh.c +@@ -22,7 +22,7 @@ clients must be made or how a client should react. + #include + + ssh_session connect_ssh(const char *host, const char *user,int verbosity){ +- ssh_session session; ++ ssh_session session = NULL; + int auth=0; + + session=ssh_new(); +diff --git a/examples/exec.c b/examples/exec.c +index 7200dde..646740a 100644 +--- a/examples/exec.c ++++ b/examples/exec.c +@@ -5,8 +5,8 @@ + #include "examples_common.h" + + int main(void) { +- ssh_session session; +- ssh_channel channel; ++ ssh_session session = NULL; ++ ssh_channel channel = NULL; + char buffer[256]; + int rbytes, wbytes, total = 0; + int rc; +diff --git a/examples/knownhosts.c b/examples/knownhosts.c +index 0726bfa..2857a08 100644 +--- a/examples/knownhosts.c ++++ b/examples/knownhosts.c +@@ -38,7 +38,7 @@ int verify_knownhost(ssh_session session) + char buf[10]; + unsigned char *hash = NULL; + size_t hlen; +- ssh_key srv_pubkey; ++ ssh_key srv_pubkey = NULL; + int rc; + + rc = ssh_get_server_publickey(session, &srv_pubkey); +diff --git a/examples/libssh_scp.c b/examples/libssh_scp.c +index 7e08642..984ba85 100644 +--- a/examples/libssh_scp.c ++++ b/examples/libssh_scp.c +@@ -22,9 +22,9 @@ program. + #include + #include "examples_common.h" + +-static char **sources; ++static char **sources = NULL; + static int nsources; +-static char *destination; ++static char *destination = NULL; + static int verbosity = 0; + + struct location { +@@ -114,9 +114,10 @@ static void location_free(struct location *loc) + } + } + +-static struct location *parse_location(char *loc) { +- struct location *location; +- char *ptr; ++static struct location *parse_location(char *loc) ++{ ++ struct location *location = NULL; ++ char *ptr = NULL; + + location = malloc(sizeof(struct location)); + if (location == NULL) { +diff --git a/examples/proxy.c b/examples/proxy.c +index dcf4d0d..baebc12 100644 +--- a/examples/proxy.c ++++ b/examples/proxy.c +@@ -31,8 +31,8 @@ clients must be made or how a client should react. + static int authenticated=0; + static int tries = 0; + static int error = 0; +-static ssh_channel chan=NULL; +-static char *username; ++static ssh_channel chan = NULL; ++static char *username = NULL; + static ssh_gssapi_creds client_creds = NULL; + + static int auth_password(ssh_session session, const char *user, +@@ -212,11 +212,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; +- ssh_session client_session; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; ++ ssh_session client_session = NULL; + + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, +@@ -227,7 +228,7 @@ int main(int argc, char **argv){ + + char buf[2048]; + char host[128]=""; +- char *ptr; ++ char *ptr = NULL; + int i,r, rc; + + sshbind=ssh_bind_new(); +@@ -344,4 +345,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-cb.c b/examples/samplesshd-cb.c +index 947ddb6..04dd7fa 100644 +--- a/examples/samplesshd-cb.c ++++ b/examples/samplesshd-cb.c +@@ -219,10 +219,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_password_function = auth_password, +@@ -312,4 +313,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-kbdint.c b/examples/samplesshd-kbdint.c +index 522aebd..33c82c7 100644 +--- a/examples/samplesshd-kbdint.c ++++ b/examples/samplesshd-kbdint.c +@@ -183,8 +183,8 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-static const char *name; +-static const char *instruction; ++static const char *name = NULL; ++static const char *instruction = NULL; + static const char *prompts[2]; + static char echo[] = { 1, 0 }; + +@@ -289,10 +289,10 @@ static int authenticate(ssh_session session) { + } + + int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_message message; +- ssh_channel chan=0; ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_message message = NULL; ++ ssh_channel chan = NULL; + char buf[2048]; + int auth=0; + int shell=0; +@@ -422,4 +422,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/scp_download.c b/examples/scp_download.c +index 85ccf92..eda6776 100644 +--- a/examples/scp_download.c ++++ b/examples/scp_download.c +@@ -104,7 +104,7 @@ static int fetch_files(ssh_session session){ + int size; + char buffer[16384]; + int mode; +- char *filename; ++ char *filename = NULL; + int r; + ssh_scp scp=ssh_scp_new(session, SSH_SCP_READ | SSH_SCP_RECURSIVE, "/tmp/libssh_tests/*"); + if(ssh_scp_init(scp) != SSH_OK){ +@@ -163,7 +163,7 @@ static int fetch_files(ssh_session session){ + } + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + if(opts(argc,argv)<0) + return EXIT_FAILURE; + session=connect_ssh(host,NULL,verbosity); +diff --git a/examples/senddata.c b/examples/senddata.c +index 042b462..1104acd 100644 +--- a/examples/senddata.c ++++ b/examples/senddata.c +@@ -6,7 +6,7 @@ + #define LIMIT 0x100000000UL + + int main(void) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_channel channel; + char buffer[1024*1024]; + int rc; +@@ -47,7 +47,7 @@ int main(void) { + if(total > LIMIT) + break; + } +- ++ + if (rc < 0) { + printf("error : %s\n",ssh_get_error(session)); + ssh_channel_close(channel); +diff --git a/examples/ssh_client.c b/examples/ssh_client.c +index 54ecd30..fedab27 100644 +--- a/examples/ssh_client.c ++++ b/examples/ssh_client.c +@@ -51,7 +51,7 @@ static struct termios terminal; + + static char *pcap_file = NULL; + +-static char *proxycommand; ++static char *proxycommand = NULL; + + static int auth_callback(const char *prompt, + char *buf, +@@ -243,7 +243,7 @@ static void select_loop(ssh_session session,ssh_channel channel) + + static void shell(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + struct termios terminal_local; + int interactive=isatty(0); + +@@ -318,7 +318,7 @@ static void batch_shell(ssh_session session) + static int client(ssh_session session) + { + int auth = 0; +- char *banner; ++ char *banner = NULL; + int state; + + if (user) { +@@ -396,7 +396,7 @@ static void cleanup_pcap(void) + + int main(int argc, char **argv) + { +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/examples/sshd_direct-tcpip.c b/examples/sshd_direct-tcpip.c +index 8ad2150..9525697 100644 +--- a/examples/sshd_direct-tcpip.c ++++ b/examples/sshd_direct-tcpip.c +@@ -351,7 +351,7 @@ my_fd_data_function(UNUSED_PARAM(socket_t fd), + { + struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata; + ssh_channel channel = event_fd_data->channel; +- ssh_session session; ++ ssh_session session = NULL; + int len, i, wr; + char buf[16384]; + int blocking; +@@ -445,8 +445,8 @@ open_tcp_socket(ssh_message msg) + { + struct sockaddr_in sin; + int forwardsock = -1; +- struct hostent *host; +- const char *dest_hostname; ++ struct hostent *host = NULL; ++ const char *dest_hostname = NULL; + int dest_port; + + forwardsock = socket(AF_INET, SOCK_STREAM, 0); +@@ -489,8 +489,8 @@ message_callback(UNUSED_PARAM(ssh_session session), + UNUSED_PARAM(void *userdata)) + { + ssh_channel channel; +- int socket_fd, *pFd; +- struct ssh_channel_callbacks_struct *cb_chan; ++ int socket_fd, *pFd = NULL; ++ struct ssh_channel_callbacks_struct *cb_chan = NULL; + struct event_fd_data_struct *event_fd_data; + + _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message type: %d", +@@ -658,8 +658,8 @@ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + int + main(int argc, char **argv) + { +- ssh_session session; +- ssh_bind sshbind; ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_password_function = auth_password, +diff --git a/examples/sshnetcat.c b/examples/sshnetcat.c +index ccc72c8..1fcab79 100644 +--- a/examples/sshnetcat.c ++++ b/examples/sshnetcat.c +@@ -34,7 +34,7 @@ clients must be made or how a client should react. + #include + + #include "examples_common.h" +-char *host; ++char *host = NULL; + const char *desthost="localhost"; + const char *port="22"; + +@@ -188,7 +188,7 @@ static void forwarding(ssh_session session){ + + static int client(ssh_session session){ + int auth=0; +- char *banner; ++ char *banner = NULL; + int state; + + if (ssh_options_set(session, SSH_OPTIONS_HOST ,host) < 0) +@@ -240,7 +240,7 @@ void cleanup_pcap(){ + #endif + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/src/agent.c b/src/agent.c +index 62b0093..bf32552 100644 +--- a/src/agent.c ++++ b/src/agent.c +@@ -406,8 +406,9 @@ ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session, + + /* caller has to free commment */ + ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session, +- char **comment) { +- struct ssh_key_struct *key; ++ char **comment) ++{ ++ struct ssh_key_struct *key = NULL; + struct ssh_string_struct *blob = NULL; + struct ssh_string_struct *tmp = NULL; + int rc; +@@ -476,10 +477,10 @@ ssh_string ssh_agent_sign_data(ssh_session session, + const ssh_key pubkey, + struct ssh_buffer_struct *data) + { +- ssh_buffer request; +- ssh_buffer reply; +- ssh_string key_blob; +- ssh_string sig_blob; ++ ssh_buffer request = NULL; ++ ssh_buffer reply = NULL; ++ ssh_string key_blob = NULL; ++ ssh_string sig_blob = NULL; + unsigned int type = 0; + unsigned int flags = 0; + uint32_t dlen; +diff --git a/src/auth.c b/src/auth.c +index 7be0a44..14b12e3 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -192,8 +192,9 @@ static int ssh_userauth_get_response(ssh_session session) { + * + * This banner should be shown to user prior to authentication + */ +-SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) { +- ssh_string banner; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) ++{ ++ ssh_string banner = NULL; + (void)type; + (void)user; + +@@ -1301,7 +1302,7 @@ int ssh_userauth_agent_pubkey(ssh_session session, + const char *username, + ssh_public_key publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + key = ssh_key_new(); +diff --git a/src/bind.c b/src/bind.c +index fa8df9e..9e83177 100644 +--- a/src/bind.c ++++ b/src/bind.c +@@ -74,7 +74,7 @@ + static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + int port) { + char port_c[6]; +- struct addrinfo *ai; ++ struct addrinfo *ai = NULL; + struct addrinfo hints; + int opt = 1; + socket_t s; +@@ -130,8 +130,9 @@ static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + return s; + } + +-ssh_bind ssh_bind_new(void) { +- ssh_bind ptr; ++ssh_bind ssh_bind_new(void) ++{ ++ ssh_bind ptr = NULL; + + ptr = calloc(1, sizeof(struct ssh_bind_struct)); + if (ptr == NULL) { +@@ -249,7 +250,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) { + } + + int ssh_bind_listen(ssh_bind sshbind) { +- const char *host; ++ const char *host = NULL; + socket_t fd; + int rc; + +@@ -469,7 +470,7 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd){ + return SSH_ERROR; + } + } else { +- char *p; ++ char *p = NULL; + /* If something was set to the session prior to calling this + * function, keep only what is allowed by the options set in + * sshbind */ +diff --git a/src/bind_config.c b/src/bind_config.c +index 8434846..89256f1 100644 +--- a/src/bind_config.c ++++ b/src/bind_config.c +@@ -194,7 +194,7 @@ static void local_parse_file(ssh_bind bind, + uint32_t *parser_flags, + uint8_t *seen) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -611,7 +611,7 @@ int ssh_bind_config_parse_file(ssh_bind bind, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + uint32_t parser_flags; + int rv; + +diff --git a/src/buffer.c b/src/buffer.c +index ce12f49..e601c2c 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -370,7 +370,8 @@ int ssh_buffer_allocate_size(struct ssh_buffer_struct *buffer, + */ + void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len) + { +- void *ptr; ++ void *ptr = NULL; ++ + buffer_verify(buffer); + + if (buffer->used + len < len) { +@@ -923,7 +924,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p; ++ const char *p = NULL; + union { + uint8_t byte; + uint16_t word; +@@ -932,7 +933,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + ssh_string string; + void *data; + } o; +- char *cstring; ++ char *cstring = NULL; + bignum b; + size_t len; + size_t count; +@@ -1091,7 +1092,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p = format, *last; ++ const char *p = format, *last = NULL; + union { + uint8_t *byte; + uint16_t *word; +diff --git a/src/callbacks.c b/src/callbacks.c +index 3ed2f11..6bfed62 100644 +--- a/src/callbacks.c ++++ b/src/callbacks.c +@@ -113,7 +113,7 @@ int ssh_add_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + + int ssh_remove_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (channel == NULL || channel->callbacks == NULL){ + return SSH_ERROR; +diff --git a/src/chachapoly.c b/src/chachapoly.c +index 820e7f6..986be67 100644 +--- a/src/chachapoly.c ++++ b/src/chachapoly.c +@@ -50,7 +50,7 @@ static int chacha20_set_encrypt_key(struct ssh_cipher_struct *cipher, + void *key, + void *IV) + { +- struct chacha20_poly1305_keysched *sched; ++ struct chacha20_poly1305_keysched *sched = NULL; + uint8_t *u8key = key; + (void)IV; + +diff --git a/src/channels.c b/src/channels.c +index a4ca0e8..d483773 100644 +--- a/src/channels.c ++++ b/src/channels.c +@@ -160,7 +160,7 @@ uint32_t ssh_channel_new_id(ssh_session session) { + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){ + uint32_t channelid=0; +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + (void)type; + (void)user; +@@ -221,7 +221,7 @@ error: + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){ + +- ssh_channel channel; ++ ssh_channel channel = NULL; + char *error = NULL; + uint32_t code; + int rc; +@@ -380,7 +380,7 @@ end: + /* return channel with corresponding local id, or NULL if not found */ + ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id) { + struct ssh_iterator *it; +- ssh_channel channel; ++ ssh_channel channel = NULL; + + for (it = ssh_list_get_iterator(session->channels); it != NULL ; it=it->next) { + channel = ssh_iterator_value(ssh_channel, it); +@@ -464,7 +464,7 @@ error: + * unknown or the packet is invalid. + */ + static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t chan; + int rc; + +@@ -486,7 +486,7 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) { + } + + SSH_PACKET_CALLBACK(channel_rcv_change_window) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t bytes; + int rc; + (void)user; +@@ -625,7 +625,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){ + } + + SSH_PACKET_CALLBACK(channel_rcv_eof) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -653,7 +653,7 @@ SSH_PACKET_CALLBACK(channel_rcv_eof) { + } + + SSH_PACKET_CALLBACK(channel_rcv_close) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -859,7 +859,7 @@ int channel_default_bufferize(ssh_channel channel, + void *data, size_t len, + bool is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + + if(channel == NULL) { + return -1; +@@ -995,7 +995,7 @@ int ssh_channel_open_auth_agent(ssh_channel channel){ + */ + int ssh_channel_open_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + ssh_string str = NULL; + int rc = SSH_ERROR; +@@ -1133,7 +1133,7 @@ error: + */ + void ssh_channel_free(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + + if (channel == NULL) { + return; +@@ -1234,7 +1234,7 @@ void ssh_channel_do_free(ssh_channel channel) + */ + int ssh_channel_send_eof(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = SSH_ERROR; + int err; + +@@ -1295,7 +1295,7 @@ error: + */ + int ssh_channel_close(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = 0; + + if(channel == NULL) { +@@ -1388,7 +1388,7 @@ static int channel_write_common(ssh_channel channel, + const void *data, + uint32_t len, int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t origlen = len; + size_t effectivelen; + size_t maxpacketlen; +@@ -1642,7 +1642,7 @@ void ssh_channel_set_blocking(ssh_channel channel, int blocking) { + * @brief handle a SSH_CHANNEL_SUCCESS packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_success){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1672,7 +1672,7 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_success){ + * @brief Handle a SSH_CHANNEL_FAILURE packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_failure){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1807,7 +1807,7 @@ error: + */ + int ssh_channel_request_pty_size(ssh_channel channel, const char *terminal, + int col, int row) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer buffer = NULL; + int rc = SSH_ERROR; + +@@ -2110,7 +2110,7 @@ static ssh_channel ssh_channel_accept(ss + #endif + ssh_message msg = NULL; + ssh_channel channel = NULL; +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + int t; + + /* +@@ -2741,7 +2741,7 @@ error: + */ + int channel_read_buffer(ssh_channel channel, ssh_buffer buffer, uint32_t count, + int is_stderr) { +- ssh_session session; ++ ssh_session session = NULL; + char buffer_tmp[8192]; + int r; + uint32_t total=0; +@@ -2877,7 +2877,7 @@ int ssh_channel_read_timeout(ssh_channel channel, + int is_stderr, + int timeout_ms) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer stdbuf; + uint32_t len; + struct ssh_channel_read_termination_struct ctx; +@@ -2997,7 +2997,7 @@ int ssh_channel_read_nonblocking(ssh_channel channel, + uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + ssize_t to_read; + int rc; + int blocking; +@@ -3104,8 +3104,8 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr){ + */ + int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr) + { +- ssh_session session; +- ssh_buffer stdbuf; ++ ssh_session session = NULL; ++ ssh_buffer stdbuf = NULL; + struct ssh_channel_read_termination_struct ctx; + size_t len; + int rc; +@@ -3226,7 +3226,7 @@ int ssh_channel_get_exit_status(ssh_channel channel) { + */ + static int channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans, + ssh_channel *echans, ssh_channel *rout, ssh_channel *wout, ssh_channel *eout) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int i; + int j = 0; + +@@ -3306,7 +3306,7 @@ static size_t count_ptrs(ssh_channel *ptrs) + */ + int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans, + ssh_channel *exceptchans, struct timeval * timeout) { +- ssh_channel *rchans, *wchans, *echans; ++ ssh_channel *rchans = NULL, *wchans = NULL, *echans = NULL; + ssh_channel dummy = NULL; + ssh_event event = NULL; + int rc; +@@ -3490,7 +3490,7 @@ int ssh_channel_write_stderr(ssh_channel channel, const void *data, uint32_t len + */ + int ssh_channel_open_reverse_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +@@ -3553,7 +3553,7 @@ error: + */ + int ssh_channel_open_x11(ssh_channel channel, + const char *orig_addr, int orig_port) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +diff --git a/src/client.c b/src/client.c +index 04f7c53..50f594d 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -698,7 +698,7 @@ int ssh_get_openssh_version(ssh_session session) { + * @param[in] session The SSH session to use. + */ + void ssh_disconnect(ssh_session session) { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + int rc; + + if (session == NULL) { +diff --git a/src/config.c b/src/config.c +index 0122b79..7fc082a 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -200,7 +200,7 @@ local_parse_file(ssh_session session, + const char *filename, + int *parsing) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -1017,7 +1017,7 @@ int ssh_config_parse_file(ssh_session session, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + int parsing, rv; + + f = fopen(filename, "r"); +diff --git a/src/config_parser.c b/src/config_parser.c +index a2da0a6..1b50c79 100644 +--- a/src/config_parser.c ++++ b/src/config_parser.c +@@ -34,8 +34,8 @@ + + char *ssh_config_get_cmd(char **str) + { +- register char *c; +- char *r; ++ register char *c = NULL; ++ char *r = NULL; + + /* Ignore leading spaces */ + for (c = *str; *c; c++) { +@@ -68,8 +68,8 @@ out: + + char *ssh_config_get_token(char **str) + { +- register char *c; +- char *r; ++ register char *c = NULL; ++ char *r = NULL; + + c = ssh_config_get_cmd(str); + +@@ -88,7 +88,7 @@ out: + + long ssh_config_get_long(char **str, long notfound) + { +- char *p, *endp; ++ char *p = NULL, *endp = NULL; + long i; + + p = ssh_config_get_token(str); +@@ -105,7 +105,7 @@ long ssh_config_get_long(char **str, long notfound) + + const char *ssh_config_get_str_tok(char **str, const char *def) + { +- char *p; ++ char *p = NULL; + + p = ssh_config_get_token(str); + if (p && *p) { +@@ -117,7 +117,7 @@ const char *ssh_config_get_str_tok(char **str, const char *def) + + int ssh_config_get_yesno(char **str, int notfound) + { +- const char *p; ++ const char *p = NULL; + + p = ssh_config_get_str_tok(str, NULL); + if (p == NULL) { +diff --git a/src/connect.c b/src/connect.c +index ca62dcf..2c72892 100644 +--- a/src/connect.c ++++ b/src/connect.c +@@ -192,8 +192,8 @@ socket_t ssh_connect_host_nonblocking(ssh_session session, const char *host, + } + + if (bind_addr) { +- struct addrinfo *bind_ai; +- struct addrinfo *bind_itr; ++ struct addrinfo *bind_ai = NULL; ++ struct addrinfo *bind_itr = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Resolving %s", bind_addr); + +diff --git a/src/connector.c b/src/connector.c +index ac84133..494d058 100644 +--- a/src/connector.c ++++ b/src/connector.c +@@ -627,8 +627,9 @@ error: + return rc; + } + +-int ssh_connector_remove_event(ssh_connector connector) { +- ssh_session session; ++int ssh_connector_remove_event(ssh_connector connector) ++{ ++ ssh_session session = NULL; + + if (connector->in_poll != NULL) { + ssh_event_remove_poll(connector->event, connector->in_poll); +diff --git a/src/dh_crypto.c b/src/dh_crypto.c +index 3b3495c..17917f0 100644 +--- a/src/dh_crypto.c ++++ b/src/dh_crypto.c +@@ -165,7 +165,7 @@ done: + */ + int ssh_dh_init_common(struct ssh_crypto_struct *crypto) + { +- struct dh_ctx *ctx; ++ struct dh_ctx *ctx = NULL; + int rc; + + ctx = calloc(1, sizeof(*ctx)); +diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c +index 62578c1..b4e89c9 100644 +--- a/src/ecdh_crypto.c ++++ b/src/ecdh_crypto.c +@@ -200,12 +200,12 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){ + /* ECDH keys */ + ssh_string q_c_string; + ssh_string q_s_string; +- EC_KEY *ecdh_key; +- const EC_GROUP *group; +- const EC_POINT *ecdh_pubkey; ++ EC_KEY *ecdh_key = NULL; ++ const EC_GROUP *group = NULL; ++ const EC_POINT *ecdh_pubkey = NULL; + bignum_CTX ctx; + /* SSH host keys (rsa,dsa,ecdsa) */ +- ssh_key privkey; ++ ssh_key privkey = NULL; + enum ssh_digest_e digest = SSH_DIGEST_AUTO; + ssh_string sig_blob = NULL; + ssh_string pubkey_blob = NULL; +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index dd4332d..1a2d288 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -132,9 +132,9 @@ int ecdh_build_k(ssh_session session) + #else + size_t k_len = 0; + enum ssh_key_exchange_e kex_type = session->next_crypto->kex_type; +- ssh_string s; ++ ssh_string s = NULL; + #endif +- ssh_string pubkey_raw; ++ ssh_string pubkey_raw = NULL; + gcry_sexp_t pubkey = NULL; + ssh_string privkey = NULL; + int rc = SSH_ERROR; +@@ -267,12 +267,12 @@ int ecdh_build_k(ssh_session session) + SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){ + gpg_error_t err; + /* ECDH keys */ +- ssh_string q_c_string; +- ssh_string q_s_string; ++ ssh_string q_c_string = NULL; ++ ssh_string q_s_string = NULL; + gcry_sexp_t param = NULL; + gcry_sexp_t key = NULL; + /* SSH host keys (rsa,dsa,ecdsa) */ +- ssh_key privkey; ++ ssh_key privkey = NULL; + enum ssh_digest_e digest = SSH_DIGEST_AUTO; + ssh_string sig_blob = NULL; + ssh_string pubkey_blob = NULL; +diff --git a/src/gcrypt_missing.c b/src/gcrypt_missing.c +index e931ec5..56dcfb6 100644 +--- a/src/gcrypt_missing.c ++++ b/src/gcrypt_missing.c +@@ -47,7 +47,7 @@ int ssh_gcry_dec2bn(bignum *bn, const char *data) { + + char *ssh_gcry_bn2dec(bignum bn) { + bignum bndup, num, ten; +- char *ret; ++ char *ret = NULL; + int count, count2; + int size, rsize; + char decnum; +diff --git a/src/getpass.c b/src/getpass.c +index c00d0f5..9ffe696 100644 +--- a/src/getpass.c ++++ b/src/getpass.c +@@ -45,7 +45,7 @@ + * @return 1 on success, 0 on error. + */ + static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) { +- char *tmp; ++ char *tmp = NULL; + char *ptr = NULL; + int ok = 0; + +@@ -77,7 +77,7 @@ static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) { + } + + if (verify) { +- char *key_string; ++ char *key_string = NULL; + + key_string = calloc(1, len); + if (key_string == NULL) { +diff --git a/src/gssapi.c b/src/gssapi.c +index 1d0fb6a..43e36c5 100644 +--- a/src/gssapi.c ++++ b/src/gssapi.c +@@ -190,7 +190,7 @@ int ssh_gssapi_handle_userauth(ssh_session session, const char *user, uint32_t n + gss_name_t server_name; /* local server fqdn */ + OM_uint32 maj_stat, min_stat; + size_t i; +- char *ptr; ++ char *ptr = NULL; + gss_OID_set supported; /* oids supported by server */ + gss_OID_set both_supported; /* oids supported by both client and server */ + gss_OID_set selected; /* oid selected for authentication */ +@@ -330,7 +330,7 @@ int ssh_gssapi_handle_userauth(ssh_session session, const char *user, uint32_t n + static char *ssh_gssapi_name_to_char(gss_name_t name){ + gss_buffer_desc buffer; + OM_uint32 maj_stat, min_stat; +- char *ptr; ++ char *ptr = NULL; + maj_stat = gss_display_name(&min_stat, name, &buffer, NULL); + ssh_gssapi_log_error(SSH_LOG_WARNING, + "converting name", +@@ -347,9 +347,10 @@ static char *ssh_gssapi_name_to_char(gss_name_t name){ + + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ +- ssh_string token; +- char *hexa; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server) ++{ ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + gss_name_t client_name = GSS_C_NO_NAME; +@@ -373,7 +374,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ + } + + if (ssh_callbacks_exists(session->server_callbacks, gssapi_accept_sec_ctx_function)){ +- ssh_string out_token=NULL; ++ ssh_string out_token = NULL; + rc = session->server_callbacks->gssapi_accept_sec_ctx_function(session, + token, &out_token, session->server_callbacks->userdata); + if (rc == SSH_ERROR){ +@@ -484,7 +485,7 @@ static ssh_buffer ssh_gssapi_build_mic(ssh_session session) + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_mic) + { +- ssh_string mic_token; ++ ssh_string mic_token = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER; + gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER; +@@ -643,7 +644,7 @@ static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids) + gss_name_t client_id = GSS_C_NO_NAME; + gss_OID oid; + unsigned int i; +- char *ptr; ++ char *ptr = NULL; + int ret; + + if (session->gssapi->client.client_deleg_creds == NULL) { +@@ -834,11 +835,11 @@ static gss_OID ssh_gssapi_oid_from_strin + } + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ +- ssh_string oid_s; ++ ssh_string oid_s = NULL; + gss_uint32 maj_stat, min_stat; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; +- char *hexa; ++ char *hexa = NULL; + (void)type; + (void)user; + +@@ -945,8 +946,8 @@ static int ssh_gssapi_send_mic(ssh_sessi + } + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){ +- ssh_string token; +- char *hexa; ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + (void)user; +diff --git a/src/kex.c b/src/kex.c +index ef3c94b..b8958b5 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -305,7 +305,7 @@ static int cmp_first_kex_algo(const char *client_str, + size_t client_kex_len; + size_t server_kex_len; + +- char *colon; ++ char *colon = NULL; + + int is_wrong = 1; + +@@ -727,7 +727,7 @@ char *ssh_client_select_hostkeys(ssh_session session) + int ssh_set_client_kex(ssh_session session) + { + struct ssh_kex_struct *client = &session->next_crypto->client_kex; +- const char *wanted; ++ const char *wanted = NULL; + int ok; + int i; + +diff --git a/src/known_hosts.c b/src/known_hosts.c +index ec6da30..990379c 100644 +--- a/src/known_hosts.c ++++ b/src/known_hosts.c +@@ -75,8 +75,8 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + const char **found_type) + { + char buffer[4096] = {0}; +- char *ptr; +- struct ssh_tokens_st *tokens; ++ char *ptr = NULL; ++ struct ssh_tokens_st *tokens = NULL; + + if (*file == NULL) { + *file = fopen(filename,"r"); +@@ -145,7 +145,7 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + static int check_public_key(ssh_session session, char **tokens) { + ssh_string pubkey_blob = NULL; + ssh_buffer pubkey_buffer; +- char *pubkey_64; ++ char *pubkey_64 = NULL; + int rc; + + /* ssh-dss or ssh-rsa */ +@@ -201,11 +201,11 @@ static int match_hashed_host(const char *host, const char *sourcehash) + * hash := HMAC_SHA1(key=salt,data=host) + */ + unsigned char buffer[256] = {0}; +- ssh_buffer salt; +- ssh_buffer hash; +- HMACCTX mac; +- char *source; +- char *b64hash; ++ ssh_buffer salt = NULL; ++ ssh_buffer hash = NULL; ++ HMACCTX mac = NULL; ++ char *source = NULL; ++ char *b64hash = NULL; + int match; + unsigned int size; + +@@ -288,14 +288,14 @@ static int match_hashed_host(const char *host, const char *sourcehash) + int ssh_is_server_known(ssh_session session) + { + FILE *file = NULL; +- char *host; +- char *hostport; +- const char *type; ++ char *host = NULL; ++ char *hostport = NULL; ++ const char *type = NULL; + int match; + int i = 0; +- char *files[3]; ++ char *files[3] = {0}; + +- struct ssh_tokens_st *tokens; ++ struct ssh_tokens_st *tokens = NULL; + + int ret = SSH_SERVER_NOT_KNOWN; + +@@ -429,11 +429,11 @@ int ssh_is_server_known(ssh_session session) + */ + char * ssh_dump_knownhost(ssh_session session) { + ssh_key server_pubkey = NULL; +- char *host; +- char *hostport; ++ char *host = NULL; ++ char *hostport = NULL; + size_t len = 4096; +- char *buffer; +- char *b64_key; ++ char *buffer = NULL; ++ char *b64_key = NULL; + int rc; + + if (session->opts.host == NULL) { +@@ -498,9 +498,9 @@ char * ssh_dump_knownhost(ssh_session session) { + */ + int ssh_write_knownhost(ssh_session session) + { +- FILE *file; ++ FILE *file = NULL; + char *buffer = NULL; +- char *dir; ++ char *dir = NULL; + int rc; + + if (session->opts.knownhosts == NULL) { +diff --git a/src/knownhosts.c b/src/knownhosts.c +index a4c974d..02f72ab 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -56,7 +56,7 @@ static int hash_hostname(const char *name, + unsigned char **hash, + unsigned int *hash_size) + { +- HMACCTX mac_ctx; ++ HMACCTX mac_ctx = NULL; + + mac_ctx = hmac_init(salt, salt_size, SSH_HMAC_SHA1); + if (mac_ctx == NULL) { +@@ -71,8 +71,8 @@ static int hash_hostname(const char *name, + + static int match_hashed_hostname(const char *host, const char *hashed_host) + { +- char *hashed; +- char *b64_hash; ++ char *hashed = NULL; ++ char *b64_hash = NULL; + ssh_buffer salt = NULL; + ssh_buffer hash = NULL; + unsigned char hashed_buf[256] = {0}; +@@ -219,7 +219,7 @@ static int ssh_known_hosts_read_entries(const char *match, + char line[8192]; + size_t lineno = 0; + size_t len = 0; +- FILE *fp; ++ FILE *fp = NULL; + int rc; + + fp = fopen(filename, "r"); +@@ -277,7 +277,7 @@ static int ssh_known_hosts_read_entries(const char *match, + for (it = ssh_list_get_iterator(*entries); + it != NULL; + it = it->next) { +- struct ssh_knownhosts_entry *entry2; ++ struct ssh_knownhosts_entry *entry2 = NULL; + int cmp; + entry2 = ssh_iterator_value(struct ssh_knownhosts_entry *, it); + cmp = ssh_known_hosts_entries_compare(entry, entry2); +@@ -301,8 +301,8 @@ error: + + static char *ssh_session_get_host_port(ssh_session session) + { +- char *host_port; +- char *host; ++ char *host_port = NULL; ++ char *host = NULL; + + if (session->opts.host == NULL) { + ssh_set_error(session, +@@ -510,7 +510,7 @@ char *ssh_known_hosts_get_algorithms_names(ssh_session session) + char *host_port = NULL; + size_t count; + bool needcomma = false; +- char *names; ++ char *names = NULL; + + int rc; + +@@ -616,7 +616,7 @@ int ssh_known_hosts_parse_line(const cha + { + struct ssh_knownhosts_entry *e = NULL; + char *known_host = NULL; +- char *p; ++ char *p = NULL; + enum ssh_keytypes_e key_type; + int match = 0; + int rc = SSH_OK; +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -48,7 +48,7 @@ int ssh_auth_list(ssh_session session) { + int ssh_userauth_offer_pubkey(ssh_session session, const char *username, + int type, ssh_string publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -70,7 +70,7 @@ int ssh_userauth_pubkey(ssh_session session, + ssh_string publickey, + ssh_private_key privatekey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) publickey; /* unused */ +@@ -373,10 +373,11 @@ void publickey_free(ssh_public_key key) { + SAFE_FREE(key); + } + +-ssh_public_key publickey_from_privatekey(ssh_private_key prv) { +- struct ssh_public_key_struct *p; +- ssh_key privkey; +- ssh_key pubkey; ++ssh_public_key publickey_from_privatekey(ssh_private_key prv) ++{ ++ struct ssh_public_key_struct *p = NULL; ++ ssh_key privkey = NULL; ++ ssh_key pubkey = NULL; + int rc; + + privkey = ssh_key_new(); +@@ -410,8 +411,8 @@ ssh_private_key privatekey_from_file(ssh_session session, + const char *passphrase) { + ssh_auth_callback auth_fn = NULL; + void *auth_data = NULL; +- ssh_private_key privkey; +- ssh_key key; ++ ssh_private_key privkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -476,7 +477,7 @@ void privatekey_free(ssh_private_key prv) { + + ssh_string publickey_from_file(ssh_session session, const char *filename, + int *type) { +- ssh_key key; ++ ssh_key key = NULL; + ssh_string key_str = NULL; + int rc; + +@@ -509,9 +510,10 @@ int ssh_type_from_name(const char *name) { + return ssh_key_type_from_name(name); + } + +-ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { +- struct ssh_public_key_struct *pubkey; +- ssh_key key; ++ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) ++{ ++ struct ssh_public_key_struct *pubkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) session; /* unused */ +@@ -540,9 +542,10 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { + return pubkey; + } + +-ssh_string publickey_to_string(ssh_public_key pubkey) { +- ssh_key key; +- ssh_string key_blob; ++ssh_string publickey_to_string(ssh_public_key pubkey) ++{ ++ ssh_key key = NULL; ++ ssh_string key_blob = NULL; + int rc; + + if (pubkey == NULL) { +@@ -577,11 +580,11 @@ int ssh_publickey_to_file(ssh_session session, + ssh_string pubkey, + int type) + { +- FILE *fp; +- char *user; ++ FILE *fp = NULL; ++ char *user = NULL; + char buffer[1024]; + char host[256]; +- unsigned char *pubkey_64; ++ unsigned char *pubkey_64 = NULL; + size_t len; + int rc; + if(session==NULL) +@@ -644,9 +647,9 @@ int ssh_try_publickey_from_file(ssh_session session, + const char *keyfile, + ssh_string *publickey, + int *type) { +- char *pubkey_file; ++ char *pubkey_file = NULL; + size_t len; +- ssh_string pubkey_string; ++ ssh_string pubkey_string = NULL; + int pubkey_type; + + if (session == NULL || keyfile == NULL || publickey == NULL || type == NULL) { +diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c +index d24e564..41e2f3b 100644 +--- a/src/libmbedcrypto.c ++++ b/src/libmbedcrypto.c +@@ -484,7 +484,7 @@ cipher_init(struct ssh_cipher_struct *cipher, + void *IV) + { + const mbedtls_cipher_info_t *cipher_info = NULL; +- mbedtls_cipher_context_t *ctx; ++ mbedtls_cipher_context_t *ctx = NULL; + int rc; + + if (operation == MBEDTLS_ENCRYPT) { +diff --git a/src/log.c b/src/log.c +index a8664b1..b26ed8b 100644 +--- a/src/log.c ++++ b/src/log.c +@@ -40,7 +40,7 @@ + + static LIBSSH_THREAD int ssh_log_level; + static LIBSSH_THREAD ssh_logging_callback ssh_log_cb; +-static LIBSSH_THREAD void *ssh_log_userdata; ++static LIBSSH_THREAD void *ssh_log_userdata = NULL; + + /** + * @defgroup libssh_log The SSH logging functions. +diff --git a/src/messages.c b/src/messages.c +index c09a841..23f6481 100644 +--- a/src/messages.c ++++ b/src/messages.c +@@ -479,7 +479,7 @@ static void ssh_message_queue(ssh_session session, ssh_message message) + */ + ssh_message ssh_message_pop_head(ssh_session session){ + ssh_message msg=NULL; +- struct ssh_iterator *i; ++ struct ssh_iterator *i = NULL; + if(session->ssh_message_list == NULL) + return NULL; + i=ssh_list_get_iterator(session->ssh_message_list); +@@ -493,7 +493,7 @@ ssh_message ssh_message_pop_head(ssh_session session){ + /* Returns 1 if there is a message available */ + static int ssh_message_termination(void *s){ + ssh_session session = s; +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + if(session->session_state == SSH_SESSION_STATE_ERROR) + return 1; + it = ssh_list_get_iterator(session->ssh_message_list); +@@ -694,7 +694,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, + ssh_string algo) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_buffer buffer; ++ ssh_buffer buffer = NULL; + ssh_string str=NULL; + int rc; + +@@ -933,9 +933,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ + #ifdef WITH_GSSAPI + if (strcmp(method, "gssapi-with-mic") == 0) { + uint32_t n_oid; +- ssh_string *oids; +- ssh_string oid; +- char *hexa; ++ ssh_string *oids = NULL; ++ ssh_string oid = NULL; ++ char *hexa = NULL; + int i; + ssh_buffer_get_u32(packet, &n_oid); + n_oid=ntohl(n_oid); +@@ -1019,7 +1019,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + uint32_t nanswers; + uint32_t i; +- ssh_string tmp; ++ ssh_string tmp = NULL; + int rc; + + ssh_message msg = NULL; +@@ -1251,7 +1251,7 @@ end: + * @returns SSH_OK on success, SSH_ERROR if an error occured. + */ + int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan) { +- ssh_session session; ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1302,7 +1302,7 @@ int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_c + * @returns NULL in case of error + */ + ssh_channel ssh_message_channel_request_open_reply_accept(ssh_message msg) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int rc; + + if (msg == NULL) { +diff --git a/src/misc.c b/src/misc.c +index 227929e..338b426 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -384,7 +384,7 @@ int ssh_is_ipaddr(const char *str) { + #endif /* _WIN32 */ + + char *ssh_lowercase(const char* str) { +- char *new, *p; ++ char *new = NULL, *p = NULL; + + if (str == NULL) { + return NULL; +@@ -436,7 +436,7 @@ char *ssh_hostport(const char *host, int port) + */ + char *ssh_get_hexa(const unsigned char *what, size_t len) { + const char h[] = "0123456789abcdef"; +- char *hexa; ++ char *hexa = NULL; + size_t i; + size_t hlen = len * 3; + +@@ -701,7 +701,7 @@ struct ssh_list *ssh_list_new(void) { + } + + void ssh_list_free(struct ssh_list *list){ +- struct ssh_iterator *ptr,*next; ++ struct ssh_iterator *ptr = NULL, *next = NULL; + if(!list) + return; + ptr=list->root; +@@ -720,7 +720,7 @@ struct ssh_iterator *ssh_list_get_iterator(const struct ssh_list *list){ + } + + struct ssh_iterator *ssh_list_find(const struct ssh_list *list, void *value){ +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + for(it = ssh_list_get_iterator(list); it != NULL ;it=it->next) + if(it->data==value) + return it; +@@ -803,7 +803,7 @@ int ssh_list_prepend(struct ssh_list *list, const void *data){ + } + + void ssh_list_remove(struct ssh_list *list, struct ssh_iterator *iterator){ +- struct ssh_iterator *ptr,*prev; ++ struct ssh_iterator *ptr = NULL, *prev = NULL; + + if (list == NULL) { + return; +@@ -935,7 +935,7 @@ char *ssh_dirname (const char *path) { + */ + char *ssh_basename (const char *path) { + char *new = NULL; +- const char *s; ++ const char *s = NULL; + size_t len; + + if (path == NULL || *path == '\0') { +@@ -1069,8 +1069,8 @@ int ssh_mkdirs(const char *pathname, mode_t mode) + * @return The expanded directory, NULL on error. + */ + char *ssh_path_expand_tilde(const char *d) { +- char *h = NULL, *r; +- const char *p; ++ char *h = NULL, *r = NULL; ++ const char *p = NULL; + size_t ld; + size_t lh = 0; + +@@ -1085,7 +1085,7 @@ char *ssh_path_expand_tilde(const char *d) { + #ifdef _WIN32 + return strdup(d); + #else +- struct passwd *pw; ++ struct passwd *pw = NULL; + size_t s = p - d; + char u[128]; + +@@ -1141,7 +1141,7 @@ char *ssh_path_expand_escape(ssh_session + char host[NI_MAXHOST]; + char buf[MAX_BUF_SIZE]; + char *r, *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -1271,8 +1271,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) { + */ + int ssh_analyze_banner(ssh_session session, int server) + { +- const char *banner; +- const char *openssh; ++ const char *banner = NULL; ++ const char *openssh = NULL; + + if (server) { + banner = session->clientbanner; +diff --git a/src/options.c b/src/options.c +index 7370cd7..74cc9bc 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -65,7 +65,7 @@ + */ + int ssh_options_copy(ssh_session src, ssh_session *dest) + { +- ssh_session new; ++ ssh_session new = NULL; + struct ssh_iterator *it = NULL; + char *id = NULL; + int i; +@@ -474,8 +474,8 @@ int ssh_options_set_algo(ssh_session session, + */ + int ssh_options_set(ssh_session session, enum ssh_options_e type, + const void *value) { +- const char *v; +- char *p, *q; ++ const char *v = NULL; ++ char *p = NULL, *q = NULL; + long int i; + unsigned int u; + int rc; +@@ -1098,7 +1098,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) { + */ + int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + { +- char* src = NULL; ++ char *src = NULL; + + if (session == NULL) { + return SSH_ERROR; +@@ -1352,7 +1352,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv) + * @see ssh_options_set_host() + */ + int ssh_options_parse_config(ssh_session session, const char *filename) { +- char *expanded_filename; ++ char *expanded_filename = NULL; + int r; + + if (session == NULL) { +@@ -1397,8 +1397,8 @@ out: + } + + int ssh_options_apply(ssh_session session) { +- struct ssh_iterator *it; +- char *tmp; ++ struct ssh_iterator *it = NULL; ++ char *tmp = NULL; + int rc; + + if (session->opts.sshdir == NULL) { +@@ -1635,8 +1635,8 @@ static int ssh_bind_set_algo(ssh_bind sshbind, + int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type, + const void *value) + { +- char *p, *q; +- const char *v; ++ char *p = NULL, *q = NULL; ++ const char *v = NULL; + int i, rc; + + if (sshbind == NULL) { +@@ -1985,8 +1985,8 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type, + static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + { + char buf[MAX_BUF_SIZE]; +- char *r, *x = NULL; +- const char *p; ++ char *r = NULL, *x = NULL; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -2074,7 +2074,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename) + { + int rc = 0; +- char *expanded_filename; ++ char *expanded_filename = NULL; + + if (sshbind == NULL) { + return -1; +diff --git a/src/packet.c b/src/packet.c +index 9cad423..93ef59e 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -1422,8 +1422,8 @@ error: + static void ssh_packet_socket_controlflow_callback(int code, void *userdata) + { + ssh_session session = userdata; +- struct ssh_iterator *it; +- ssh_channel channel; ++ struct ssh_iterator *it = NULL; ++ ssh_channel channel = NULL; + + if (code == SSH_SOCKET_FLOW_WRITEWONTBLOCK) { + SSH_LOG(SSH_LOG_TRACE, "sending channel_write_wontblock callback"); +@@ -1872,7 +1872,7 @@ int ssh_packet_send(ssh_session session) + + /* We finished the key exchange so we can try to send our queue now */ + if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) { + /* reset packet sequence number when running in strict kex mode */ +diff --git a/src/packet_crypt.c b/src/packet_crypt.c +index 95d438c..78417b9 100644 +--- a/src/packet_crypt.c ++++ b/src/packet_crypt.c +@@ -244,7 +244,7 @@ int ssh_packet_hmac_verify(ssh_session session, + { + struct ssh_crypto_struct *crypto = NULL; + unsigned char hmacbuf[DIGEST_MAX_LEN] = {0}; +- HMACCTX ctx; ++ HMACCTX ctx = NULL; + unsigned int hmaclen; + uint32_t seq; + +diff --git a/src/pki.c b/src/pki.c +index 5291090..bc227a3 100644 +--- a/src/pki.c ++++ b/src/pki.c +@@ -346,7 +346,7 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name) + */ + int ssh_key_algorithm_allowed(ssh_session session, const char *type) + { +- const char *allowed_list; ++ const char *allowed_list = NULL; + + if (session->client) { + allowed_list = session->opts.pubkey_accepted_types; +@@ -645,7 +645,7 @@ int ssh_key_cmp(const ssh_key k1, + + ssh_signature ssh_signature_new(void) + { +- struct ssh_signature_struct *sig; ++ struct ssh_signature_struct *sig = NULL; + + sig = malloc(sizeof(struct ssh_signature_struct)); + if (sig == NULL) { +@@ -733,7 +733,7 @@ int ssh_pki_import_privkey_base64(const char *b64_key, + void *auth_data, + ssh_key *pkey) + { +- ssh_key key; ++ ssh_key key = NULL; + char *openssh_header = NULL; + + if (b64_key == NULL || pkey == NULL) { +@@ -853,8 +853,8 @@ int ssh_pki_import_privkey_file(const char *filename, + void *auth_data, + ssh_key *pkey) { + struct stat sb; +- char *key_buf; +- FILE *file; ++ char *key_buf = NULL; ++ FILE *file = NULL; + off_t size; + int rc; + +@@ -947,7 +947,7 @@ int ssh_pki_export_privkey_file(const ss + void *auth_data, + const char *filename) + { +- ssh_string blob; ++ ssh_string blob = NULL; + FILE *fp; + int rc; + +@@ -992,8 +992,8 @@ int ssh_pki_export_privkey_file(const ss + + /* temporary function to migrate seemlessly to ssh_key */ + ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) { +- ssh_public_key pub; +- ssh_key tmp; ++ ssh_public_key pub = NULL; ++ ssh_key tmp = NULL; + + if(key == NULL) { + return NULL; +@@ -1025,7 +1025,7 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) { + } + + ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key) { +- ssh_private_key privkey; ++ ssh_private_key privkey = NULL; + + privkey = malloc(sizeof(struct ssh_private_key_struct)); + if (privkey == NULL) { +@@ -1380,9 +1380,9 @@ fail: + static int pki_import_cert_buffer(ssh_buffer buffer, + enum ssh_keytypes_e type, + ssh_key *pkey) { +- ssh_buffer cert; +- ssh_string tmp_s; +- const char *type_c; ++ ssh_buffer cert = NULL; ++ ssh_string tmp_s = NULL; ++ const char *type_c = NULL; + ssh_key key = NULL; + int rc; + +@@ -1854,7 +1854,7 @@ error: + int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + ssh_key *pkey) + { +- ssh_key pubkey; ++ ssh_key pubkey = NULL; + + if (privkey == NULL || !ssh_key_is_private(privkey)) { + return SSH_ERROR; +@@ -1892,7 +1892,7 @@ int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + int ssh_pki_export_pubkey_blob(const ssh_key key, + ssh_string *pblob) + { +- ssh_string blob; ++ ssh_string blob = NULL; + + if (key == NULL) { + return SSH_OK; +@@ -1922,8 +1922,8 @@ int ssh_pki_export_pubkey_blob(const ssh_key key, + int ssh_pki_export_pubkey_base64(const ssh_key key, + char **b64_key) + { +- ssh_string key_blob; +- unsigned char *b64; ++ ssh_string key_blob = NULL; ++ unsigned char *b64 = NULL; + + if (key == NULL || b64_key == NULL) { + return SSH_ERROR; +@@ -1950,9 +1950,9 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + { + char key_buf[4096]; + char host[256]; +- char *b64_key; +- char *user; +- FILE *fp; ++ char *b64_key = NULL; ++ char *user = NULL; ++ FILE *fp = NULL; + int rc; + + if (key == NULL || filename == NULL || *filename == '\0') { +@@ -2013,7 +2013,7 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + * @returns SSH_OK on success, SSH_ERROR otherwise. + **/ + int ssh_pki_copy_cert_to_privkey(const ssh_key certkey, ssh_key privkey) { +- ssh_buffer cert_buffer; ++ ssh_buffer cert_buffer = NULL; + int rc; + + if (certkey == NULL || privkey == NULL) { +@@ -2048,7 +2048,7 @@ int ssh_pki_export_signature_blob(const ssh_signature sig, + ssh_string *sig_blob) + { + ssh_buffer buf = NULL; +- ssh_string str; ++ ssh_string str = NULL; + int rc; + + if (sig == NULL || sig_blob == NULL) { +@@ -2112,7 +2112,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, + enum ssh_keytypes_e type; + enum ssh_digest_e hash_type; + ssh_string algorithm = NULL, blob = NULL; +- ssh_buffer buf; ++ ssh_buffer buf = NULL; + const char *alg = NULL; + int rc; + +@@ -2391,9 +2391,9 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session, + const ssh_key pubkey) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_string session_id; +- ssh_string sig_blob; +- ssh_buffer sig_buf; ++ ssh_string session_id = NULL; ++ ssh_string sig_blob = NULL; ++ ssh_buffer sig_buf = NULL; + int rc; + + crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_BOTH); +diff --git a/src/pki_container_openssh.c b/src/pki_container_openssh.c +index ecde4cd..0167c53 100644 +--- a/src/pki_container_openssh.c ++++ b/src/pki_container_openssh.c +@@ -234,12 +234,12 @@ ssh_pki_openssh_import(const char *text_key, + bool private) + { + const char *ptr = text_key; +- const char *end; +- char *base64; ++ const char *end = NULL; ++ char *base64 = NULL; + int cmp; + int rc; + int i; +- ssh_buffer buffer = NULL, privkey_buffer=NULL; ++ ssh_buffer buffer = NULL, privkey_buffer = NULL; + char *magic = NULL, *ciphername = NULL, *kdfname = NULL; + uint32_t nkeys = 0, checkint1 = 0, checkint2 = 0xFFFF; + ssh_string kdfoptions = NULL; +@@ -536,16 +536,16 @@ ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey, + ssh_auth_callback auth_fn, + void *auth_data) + { +- ssh_buffer buffer; ++ ssh_buffer buffer = NULL; + ssh_string str = NULL; +- ssh_string pubkey_s=NULL; ++ ssh_string pubkey_s = NULL; + ssh_buffer privkey_buffer = NULL; + uint32_t rnd; + uint32_t rounds = 16; +- ssh_string salt=NULL; +- ssh_string kdf_options=NULL; ++ ssh_string salt = NULL; ++ ssh_string kdf_options = NULL; + int to_encrypt=0; +- unsigned char *b64; ++ unsigned char *b64 = NULL; + uint32_t str_len, len; + uint8_t padding = 1; + int ok; +diff --git a/src/pki_crypto.c b/src/pki_crypto.c +index 9f80086..5f575f7 100644 +--- a/src/pki_crypto.c ++++ b/src/pki_crypto.c +@@ -1473,7 +1473,7 @@ static ssh_string pki_ecdsa_signature_to_blob(const ssh_signature sig) + const unsigned char *raw_sig_data = NULL; + size_t raw_sig_len; + +- ECDSA_SIG *ecdsa_sig; ++ ECDSA_SIG *ecdsa_sig = NULL; + + int rc; + +@@ -1781,8 +1781,8 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey), + ECDSA_SIG *ecdsa_sig = NULL; + BIGNUM *pr = NULL, *ps = NULL; + +- ssh_string r; +- ssh_string s; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + + ssh_buffer buf = NULL; + uint32_t rlen; +diff --git a/src/pki_ed25519.c b/src/pki_ed25519.c +index fdf94b4..94808b5 100644 +--- a/src/pki_ed25519.c ++++ b/src/pki_ed25519.c +@@ -62,7 +62,7 @@ int pki_ed25519_sign(const ssh_key privkey, + size_t hlen) + { + int rc; +- uint8_t *buffer; ++ uint8_t *buffer = NULL; + uint64_t dlen = 0; + + buffer = malloc(hlen + ED25519_SIG_LEN); +@@ -104,8 +104,8 @@ int pki_ed25519_verify(const ssh_key pubkey, + size_t hlen) + { + uint64_t mlen = 0; +- uint8_t *buffer; +- uint8_t *buffer2; ++ uint8_t *buffer = NULL; ++ uint8_t *buffer2 = NULL; + int rc; + + if (pubkey == NULL || sig == NULL || +diff --git a/src/pki_ed25519_common.c b/src/pki_ed25519_common.c +index 7aa0526..0c66963 100644 +--- a/src/pki_ed25519_common.c ++++ b/src/pki_ed25519_common.c +@@ -213,7 +213,7 @@ int pki_ed25519_public_key_to_blob(ssh_buffer buffer, ssh_key key) + */ + ssh_string pki_ed25519_signature_to_blob(ssh_signature sig) + { +- ssh_string sig_blob; ++ ssh_string sig_blob = NULL; + int rc; + + #ifdef HAVE_OPENSSL_ED25519 +diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c +index bf45351..b06186a 100644 +--- a/src/pki_gcrypt.c ++++ b/src/pki_gcrypt.c +@@ -152,7 +152,7 @@ static ssh_string asn1_get_int(ssh_buffer buffer) { + + static ssh_string asn1_get_bit_string(ssh_buffer buffer) + { +- ssh_string str; ++ ssh_string str = NULL; + unsigned char type; + uint32_t size; + unsigned char unused, last, *p; +@@ -1849,9 +1849,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P521: + #ifdef HAVE_GCRYPT_ECC + { +- ssh_string R; +- ssh_string S; +- ssh_buffer b; ++ ssh_string R = NULL; ++ ssh_string S = NULL; ++ ssh_buffer b = NULL; + + b = ssh_buffer_new(); + if (b == NULL) { +@@ -2018,8 +2018,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_ECDSA_P521: + #ifdef HAVE_GCRYPT_ECC + { /* build ecdsa siganature */ +- ssh_buffer b; +- ssh_string r, s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL, s = NULL; + uint32_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c +index c33fb72..da02325 100644 +--- a/src/pki_mbedcrypto.c ++++ b/src/pki_mbedcrypto.c +@@ -790,9 +790,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { +- ssh_string r; +- ssh_string s; +- ssh_buffer b; ++ ssh_string r = NULL; ++ ssh_string s = NULL; ++ ssh_buffer b = NULL; + int rc; + + b = ssh_buffer_new(); +@@ -945,9 +945,9 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { +- ssh_buffer b; +- ssh_string r; +- ssh_string s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + size_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/poll.c b/src/poll.c +index 4620694..57f7288 100644 +--- a/src/poll.c ++++ b/src/poll.c +@@ -537,8 +537,8 @@ void ssh_poll_ctx_free(ssh_poll_ctx ctx) { + } + + static int ssh_poll_ctx_resize(ssh_poll_ctx ctx, size_t new_size) { +- ssh_poll_handle *pollptrs; +- ssh_pollfd_t *pollfds; ++ ssh_poll_handle *pollptrs = NULL; ++ ssh_pollfd_t *pollfds = NULL; + + pollptrs = realloc(ctx->pollptrs, sizeof(ssh_poll_handle) * new_size); + if (pollptrs == NULL) { +@@ -815,7 +815,7 @@ static int ssh_event_fd_wrapper_callback(ssh_poll_handle p, socket_t fd, int rev + int ssh_event_add_fd(ssh_event event, socket_t fd, short events, + ssh_event_callback cb, void *userdata) { + ssh_poll_handle p; +- struct ssh_event_fd_wrapper *pw; ++ struct ssh_event_fd_wrapper *pw = NULL; + + if(event == NULL || event->ctx == NULL || cb == NULL + || fd == SSH_INVALID_SOCKET) { +@@ -884,7 +884,7 @@ void ssh_event_remove_poll(ssh_event event, ssh_poll_handle p) + int ssh_event_add_session(ssh_event event, ssh_session session) { + ssh_poll_handle p; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if(event == NULL || event->ctx == NULL || session == NULL) { +@@ -1024,7 +1024,7 @@ int ssh_event_remove_session(ssh_event event, ssh_session session) { + register size_t i, used; + int rc = SSH_ERROR; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if(event == NULL || event->ctx == NULL || session == NULL) { +diff --git a/src/server.c b/src/server.c +index 958325c..c0ca468 100644 +--- a/src/server.c ++++ b/src/server.c +@@ -85,8 +85,8 @@ int server_set_kex(ssh_session session) + { + struct ssh_kex_struct *server = &session->next_crypto->server_kex; + int i, j, rc; +- const char *wanted, *allowed; +- char *kept; ++ const char *wanted = NULL, *allowed = NULL; ++ char *kept = NULL; + char hostkeys[128] = {0}; + enum ssh_keytypes_e keytype; + size_t len; +@@ -219,9 +219,10 @@ int ssh_server_init_kex(ssh_session session) { + return server_set_kex(session); + } + +-static int ssh_server_send_extensions(ssh_session session) { ++static int ssh_server_send_extensions(ssh_session session) ++{ + int rc; +- const char *hostkey_algorithms; ++ const char *hostkey_algorithms = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Sending SSH_MSG_EXT_INFO"); + +@@ -286,8 +287,8 @@ ssh_get_key_params(ssh_session session, + ssh_key *privkey, + enum ssh_digest_e *digest) + { +- ssh_key pubkey; +- ssh_string pubkey_blob; ++ ssh_key pubkey = NULL; ++ ssh_string pubkey_blob = NULL; + int rc; + + switch(session->srv.hostkey) { +@@ -682,7 +683,7 @@ static int ssh_message_service_request_reply_default(ssh_message msg) { + } + + int ssh_message_service_reply_success(ssh_message msg) { +- ssh_session session; ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1030,7 +1031,7 @@ int ssh_message_auth_reply_pk_ok(ssh_message msg, ssh_string algo, ssh_string pu + } + + int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) { +- ssh_string algo; ++ ssh_string algo = NULL; + ssh_string pubkey_blob = NULL; + int ret; + +diff --git a/src/session.c b/src/session.c +index 9e7e8e7..0cc6f8e 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -58,7 +58,7 @@ + */ + ssh_session ssh_new(void) + { +- ssh_session session; ++ ssh_session session = NULL; + char *id = NULL; + int rc; + +@@ -276,7 +276,7 @@ void ssh_free(ssh_session session) + + /* options */ + if (session->opts.identity) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity); + id != NULL; +@@ -1129,7 +1129,7 @@ int ssh_get_publickey_hash(const ssh_key key, + unsigned char **hash, + size_t *hlen) + { +- ssh_string blob; ++ ssh_string blob = NULL; + unsigned char *h; + int rc; + +@@ -1141,7 +1141,7 @@ int ssh_get_publickey_hash(const ssh_key key, + switch (type) { + case SSH_PUBLICKEY_HASH_SHA1: + { +- SHACTX ctx; ++ SHACTX ctx = NULL; + + h = calloc(1, SHA_DIGEST_LEN); + if (h == NULL) { +@@ -1173,7 +1173,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_SHA256: + { +- SHA256CTX ctx; ++ SHA256CTX ctx = NULL; + + h = calloc(1, SHA256_DIGEST_LEN); + if (h == NULL) { +@@ -1205,7 +1205,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_MD5: + { +- MD5CTX ctx; ++ MD5CTX ctx = NULL; + + /* In FIPS mode, we cannot use MD5 */ + if (ssh_fips_mode()) { +diff --git a/src/sftpserver.c b/src/sftpserver.c +index b3349e1..528ef6f 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -299,8 +299,8 @@ void sftp_client_message_free(sftp_client_message msg) { + + int sftp_reply_name(sftp_client_message msg, const char *name, + sftp_attributes attr) { +- ssh_buffer out; +- ssh_string file; ++ ssh_buffer out = NULL; ++ ssh_string file = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -369,7 +369,7 @@ int sftp_reply_attr(sftp_client_message msg, sftp_attributes attr) { + + int sftp_reply_names_add(sftp_client_message msg, const char *file, + const char *longname, sftp_attributes attr) { +- ssh_string name; ++ ssh_string name = NULL; + + name = ssh_string_from_char(file); + if (name == NULL) { +@@ -435,8 +435,8 @@ int sftp_reply_names(sftp_client_message msg) { + + int sftp_reply_status(sftp_client_message msg, uint32_t status, + const char *message) { +- ssh_buffer out; +- ssh_string s; ++ ssh_buffer out = NULL; ++ ssh_string s = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -492,7 +492,7 @@ int sftp_reply_data(sftp_client_message msg, const void *data, int len) { + * valid info (or worse). + */ + ssh_string sftp_handle_alloc(sftp_session sftp, void *info) { +- ssh_string ret; ++ ssh_string ret = NULL; + uint32_t val; + uint32_t i; + +diff --git a/src/string.c b/src/string.c +index acd3cf4..3e04437 100644 +--- a/src/string.c ++++ b/src/string.c +@@ -106,7 +106,7 @@ int ssh_string_fill(struct ssh_string_struct *s, const void *data, size_t len) { + * @note The nul byte is not copied nor counted in the ouput string. + */ + struct ssh_string_struct *ssh_string_from_char(const char *what) { +- struct ssh_string_struct *ptr; ++ struct ssh_string_struct *ptr = NULL; + size_t len; + + if(what == NULL) { +@@ -180,7 +180,7 @@ const char *ssh_string_get_char(struct ssh_string_struct *s) + */ + char *ssh_string_to_char(struct ssh_string_struct *s) { + size_t len; +- char *new; ++ char *new = NULL; + + if (s == NULL) { + return NULL; +@@ -219,7 +219,7 @@ void ssh_string_free_char(char *s) { + * @return Newly allocated copy of the string, NULL on error. + */ + struct ssh_string_struct *ssh_string_copy(struct ssh_string_struct *s) { +- struct ssh_string_struct *new; ++ struct ssh_string_struct *new = NULL; + size_t len; + + if (s == NULL) { +diff --git a/src/threads/winlocks.c b/src/threads/winlocks.c +index da60041..e63635e 100644 +--- a/src/threads/winlocks.c ++++ b/src/threads/winlocks.c +@@ -82,7 +82,7 @@ static struct ssh_threads_callbacks_struct ssh_threads_winlock = + + void ssh_mutex_lock(SSH_MUTEX *mutex) + { +- void *rc; ++ void *rc = NULL; + + CRITICAL_SECTION *mutex_tmp = NULL; + +diff --git a/src/wrapper.c b/src/wrapper.c +index 05c820d..49a1106 100644 +--- a/src/wrapper.c ++++ b/src/wrapper.c +@@ -148,7 +148,7 @@ static void cipher_free(struct ssh_cipher_struct *cipher) { + } + + struct ssh_crypto_struct *crypto_new(void) { +- struct ssh_crypto_struct *crypto; ++ struct ssh_crypto_struct *crypto = NULL; + + crypto = malloc(sizeof(struct ssh_crypto_struct)); + if (crypto == NULL) { +-- +2.33.0 + diff --git a/backport-CVE-2025-4878-fix-uninitialized-variable-part2.patch b/backport-CVE-2025-4878-fix-uninitialized-variable-part2.patch new file mode 100644 index 0000000000000000000000000000000000000000..0fcb9bbaf9ff48aa0de45d1f9874e4418b357918 --- /dev/null +++ b/backport-CVE-2025-4878-fix-uninitialized-variable-part2.patch @@ -0,0 +1,29 @@ +From b35ee876adc92a208d47194772e99f9c71e0bedb Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 28 Apr 2025 11:04:55 +0200 +Subject: CVE-2025-4878 legacy: Properly check return value to avoid NULL + pointer dereference + +Signed-off-by: Jakub Jelen + +Conflict: NA +Reference:https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb +--- + src/legacy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/legacy.c b/src/legacy.c +index d3b28ec..616c972 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -428,7 +428,7 @@ ssh_private_key privatekey_from_file(ssh_session session, + auth_fn, + auth_data, + &key); +- if (rc == SSH_ERROR) { ++ if (rc != SSH_OK) { + return NULL; + } + +-- +2.33.0 diff --git a/backport-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch b/backport-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch new file mode 100644 index 0000000000000000000000000000000000000000..dd304e5188053e7a11618a8f18c44c64025f8242 --- /dev/null +++ b/backport-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch @@ -0,0 +1,88 @@ +From a9d8a3d44829cf9182b252bc951f35fb0d573972 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 14 May 2025 14:07:58 +0200 +Subject: CVE-2025-5372 libgcrypto: Simplify error checking and handling of + return codes in ssh_kdf() + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Conflict:openssl version < 3 +Reference:https://git.libssh.org/projects/libssh.git/patch/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972 + +--- + src/libcrypto.c | 62 ++++++++++++++++++++++++++------------------------------- + 1 file changed, 28 insertions(+), 34 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 50470f57..8af28f32 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -408,49 +408,50 @@ int ssh_kdf(struct ssh_crypto_struct *cr + size_t requested_len) + { + EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF); +- int rc; ++ int ret = SSH_ERROR, rv; + + if (ctx == NULL) { + return -1; + } + +- rc = EVP_KDF_ctrl(ctx, ++ rv = EVP_KDF_ctrl(ctx, + EVP_KDF_CTRL_SET_MD, + sshkdf_digest_to_md(crypto->digest_type)); +- if (rc != 1) { ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len); +- if (rc != 1) { ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len); ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, ++ rv = EVP_KDF_ctrl(ctx, + EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, + crypto->secret_hash, + crypto->digest_len); +- if (rc != 1) { ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type); +- if (rc != 1) { ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type); ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, ++ rv = EVP_KDF_ctrl(ctx, + EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, + crypto->session_id, + crypto->session_id_len); +- if (rc != 1) { ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_derive(ctx, output, requested_len); +- if (rc != 1) { ++ rv = EVP_KDF_derive(ctx, output, requested_len); ++ if (rv != 1) { + goto out; + } ++ ret = SSH_OK; + + out: + EVP_KDF_CTX_free(ctx); +- if (rc < 0) { +- return rc; ++ if (ret < 0) { ++ return ret; + } + return 0; + } +-- +cgit v1.2.3 diff --git a/backport-CVE-2025-5372-pre-Reformat-ssh_kdf.patch b/backport-CVE-2025-5372-pre-Reformat-ssh_kdf.patch new file mode 100644 index 0000000000000000000000000000000000000000..716942229d0f58798671dac11aae0cef060f731a --- /dev/null +++ b/backport-CVE-2025-5372-pre-Reformat-ssh_kdf.patch @@ -0,0 +1,57 @@ +From f13b91c2d87f2b75540ebdc93b8958594976e985 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 14 May 2025 13:57:24 +0200 +Subject: libgcrypto: Reformat ssh_kdf() + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Conflict:openssl version < 3 +Reference:Reference:https://git.libssh.org/projects/libssh.git/patch/?id=f13b91c2d87f2b75540ebdc93b8958594976e985 + +--- + src/libcrypto.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 1d583bc5..50470f57 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -414,7 +414,8 @@ int ssh_kdf(struct ssh_crypto_struct *cr + return -1; + } + +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, ++ rc = EVP_KDF_ctrl(ctx, ++ EVP_KDF_CTRL_SET_MD, + sshkdf_digest_to_md(crypto->digest_type)); + if (rc != 1) { + goto out; +@@ -423,8 +424,10 @@ int ssh_kdf(struct ssh_crypto_struct *cr + if (rc != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, +- crypto->secret_hash, crypto->digest_len); ++ rc = EVP_KDF_ctrl(ctx, ++ EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, ++ crypto->secret_hash, ++ crypto->digest_len); + if (rc != 1) { + goto out; + } +@@ -432,8 +435,10 @@ int ssh_kdf(struct ssh_crypto_struct *cr + if (rc != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, +- crypto->session_id, crypto->session_id_len); ++ rc = EVP_KDF_ctrl(ctx, ++ EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, ++ crypto->session_id, ++ crypto->session_id_len); + if (rc != 1) { + goto out; + } +-- +cgit v1.2.3 diff --git a/libssh.spec b/libssh.spec index b5193b4b764e709d579f4db2146a4ac2e9b9b89e..da009221c8f88fa93f90d3ca4408a711496e99a9 100644 --- a/libssh.spec +++ b/libssh.spec @@ -1,6 +1,6 @@ Name: libssh Version: 0.9.6 -Release: 10 +Release: 11 Summary: A library implementing the SSH protocol License: LGPLv2+ URL: http://www.libssh.org @@ -60,6 +60,11 @@ Patch47: backport-0004-CVE-2023-6918-kdf-Detect-context-init-failures.pat Patch48: backport-0010-CVE-2023-6004-torture_config-Allow-multiple-in-usern.patch Patch49: backport-Fix-regression-in-IPv6-addresses-in-hostname-parsing.patch Patch50: backport-0020-CVE-2025-5318-fix-possible-buffer-overrun.patch +Patch51: backport-CVE-2025-4877-prevent-integer-overflow-and-potential-OOB.patch +Patch52: backport-CVE-2025-4878-fix-uninitialized-variable-part1.patch +Patch53: backport-CVE-2025-4878-fix-uninitialized-variable-part2.patch +Patch54: backport-CVE-2025-5372-pre-Reformat-ssh_kdf.patch +Patch55: backport-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch BuildRequires: cmake gcc-c++ gnupg2 openssl-devel pkgconfig zlib-devel BuildRequires: krb5-devel libcmocka-devel openssh-clients openssh-server @@ -145,6 +150,12 @@ popd %doc ChangeLog README %changelog +* Wed Aug 27 2025 gaihuiying - 0.9.6-11 +- Type:CVE +- CVE:CVE-2025-4877 CVE-2025-4878 CVE-2025-5372 +- SUG:NA +- DESC:fix CVE-2025-4877 CVE-2025-4878 CVE-2025-5372 + * Wed Jul 2 2025 zhangbinqin - 0.9.6-10 - Type:CVE - Id:CVE-2025-5318