From 0c5073172abb7c9324955f9b6f2a9cfe5ab91755 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=BF=BC?=
Date: Tue, 9 Sep 2025 19:49:51 +0800
Subject: [PATCH] fix CVE-2025-8114

---
 ...dereference-after-allocation-failure.patch | 43 +++++++++++++++++++
 libssh.spec | 8 +++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 backport-0027-CVE-2025-8114-Fix-NULL-pointer-dereference-after-allocation-failure.patch

diff --git a/backport-0027-CVE-2025-8114-Fix-NULL-pointer-dereference-after-allocation-failure.patch b/backport-0027-CVE-2025-8114-Fix-NULL-pointer-dereference-after-allocation-failure.patch
new file mode 100644
index 0000000..04f367c
--- /dev/null
+++ b/backport-0027-CVE-2025-8114-Fix-NULL-pointer-dereference-after-allocation-failure.patch
@@ -0,0 +1,43 @@
+From 53ac23ded4cb2c5463f6c4cd1525331bd578812d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 6 Aug 2025 15:17:59 +0200
+Subject: CVE-2025-8114: Fix NULL pointer dereference after allocation failure
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Jakub Jelen
+---
+ src/kex.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/kex.c b/src/kex.c
+index f1c1b014..02f2735f 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -1569,6 +1569,8 @@ int ssh_make_sessionid(ssh_session session)
+ ssh_log_hexdump("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf));
+ #endif
+ 
++ /* Set rc for the following switch statement in case we goto error. */
++ rc = SSH_ERROR;
+ switch (session->next_crypto->kex_type) {
+ case SSH_KEX_DH_GROUP1_SHA1:
+ case SSH_KEX_DH_GROUP14_SHA1:
+@@ -1629,6 +1631,7 @@ int ssh_make_sessionid(ssh_session session)
+ session->next_crypto->secret_hash);
+ break;
+ }
++
+ /* During the first kex, secret hash and session ID are equal. However, after
+ * a key re-exchange, a new secret hash is calculated. This hash will not replace
+ * but complement existing session id.
+@@ -1637,6 +1640,7 @@ int ssh_make_sessionid(ssh_session session)
+ session->next_crypto->session_id = malloc(session->next_crypto->digest_len);
+ if (session->next_crypto->session_id == NULL) {
+ ssh_set_error_oom(session);
++ rc = SSH_ERROR;
+ goto error;
+ }
+ memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash,
+-- 
+cgit v1.2.3
+
diff --git a/libssh.spec b/libssh.spec
index f280fe0..98676fc 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,6 +1,6 @@
 Name: libssh
 Version: 0.10.5
-Release: 5
+Release: 6
 Summary: A library implementing the SSH protocol
 License: LGPLv2+
 URL: http://www.libssh.org
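Review bot: The backport is the upstream commit carried over verbatim (the inner header still reads `index f1c1b014..02f2735f` with offsets 1569/1629/1637 from the upstream tree) rather than rebased onto the 0.10.5 `src/kex.c`, so the fix's correctness in this package depends on context not visible here: that the hunks apply without fuzz, and that the `error:` label in 0.10.5's `ssh_make_sessionid` returns `rc`, which is the only way the added `rc = SSH_ERROR;` assignments convert the allocation failure into an error return instead of a success carrying a NULL `session_id`. The enclosing `ssh_make_sessionid` body, including its `error:` path and the declaration of `rc`, lies entirely outside the hunk. It would help to record the verification in the spec's `#Reference:` comment, e.g. `# Applied cleanly on 0.10.5; error: label returns rc` (constructed wording), so the next rebase does not have to redo it.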
@@ -37,6 +37,9 @@ Patch25: backport-0024-CVE-2025-5351-avoid-double-free-on-low-memory-cond
 Patch26: backport-0025-CVE-2025-5987-correctly-detect-failures-of-chacha-init.patch
 Patch27: backport-0026-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch
+#Reference: https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d
+Patch28: backport-0027-CVE-2025-8114-Fix-NULL-pointer-dereference-after-allocation-failure.patch
+
 
 BuildRequires: cmake gcc-c++ gnupg2 openssl-devel pkgconfig zlib-devel
 BuildRequires: krb5-devel libcmocka-devel openssh-clients openssh-server
 BuildRequires: nmap-ncat
@@ -121,6 +124,9 @@ popd
 %doc CHANGELOG README
 
 %changelog
+* Wed Sep 10 2025 Zhang Yi - 0.10.5-6
+- fix CVE-2025-8114
+
 * Mon Aug 18 2025 zhangbinqin - 0.10.5-5
 - Type:CVE
 - Id:CVE-2025-4877 CVE-2025-4878 CVE-2025-5351 CVE-2025-5987 CVE-2025-5372
-- 
Gitee