diff --git a/backport-0027-CVE-2025-8114-NULL-pointer-dereference-after-allocate-fail.patch b/backport-0027-CVE-2025-8114-NULL-pointer-dereference-after-allocate-fail.patch new file mode 100644 index 0000000000000000000000000000000000000000..44025851d9f3300e7bf8214dd50d170eeeb70c4b --- /dev/null +++ b/backport-0027-CVE-2025-8114-NULL-pointer-dereference-after-allocate-fail.patch @@ -0,0 +1,46 @@ +From 53ac23ded4cb2c5463f6c4cd1525331bd578812d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 6 Aug 2025 15:17:59 +0200 +Subject: CVE-2025-8114: Fix NULL pointer dereference after allocation failure + +Signed-off-by: Andreas Schneider +Reviewed-by: Jakub Jelen + +Conflict: NA +Reference:https://git.libssh.org/projects/libssh.git/patch/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d +--- + src/kex.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/kex.c b/src/kex.c +index b8958b5..a834568 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -1332,6 +1332,8 @@ int ssh_make_sessionid(ssh_session session) + ssh_log_hexdump("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf)); + #endif + ++ /* Set rc for the following switch statement in case we goto error. */ ++ rc = SSH_ERROR; + switch (session->next_crypto->kex_type) { + case SSH_KEX_DH_GROUP1_SHA1: + case SSH_KEX_DH_GROUP14_SHA1: +@@ -1391,6 +1393,7 @@ int ssh_make_sessionid(ssh_session session) + session->next_crypto->secret_hash); + break; + } ++ + /* During the first kex, secret hash and session ID are equal. However, after + * a key re-exchange, a new secret hash is calculated. This hash will not replace + * but complement existing session id. +@@ -1399,6 +1402,7 @@ int ssh_make_sessionid(ssh_session session) + session->next_crypto->session_id = malloc(session->next_crypto->digest_len); + if (session->next_crypto->session_id == NULL) { + ssh_set_error_oom(session); ++ rc = SSH_ERROR; + goto error; + } + memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash, +-- +2.33.0 + diff --git a/libssh.spec b/libssh.spec index be1b902fbbaf63762f7a2be3d0cc9f047b088af2..d097299ba2eda2aed6d2b75e4853e47b70e8db57 100644 --- a/libssh.spec +++ b/libssh.spec @@ -2,7 +2,7 @@ Name: libssh Version: 0.10.5 -Release: 6 +Release: 7 Summary: A library implementing the SSH protocol License: LGPL-2.1-or-later URL: https://www.libssh.org @@ -38,6 +38,7 @@ Patch24: backport-0023-CVE-2025-4878-Properly-check-ret-to-avoid-NULL-der Patch25: backport-0024-CVE-2025-5351-avoid-double-free-on-low-memory-conditions.patch Patch26: backport-0025-CVE-2025-5987-correctly-detect-failures-of-chacha-init.patch Patch27: backport-0026-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch +Patch28: backport-0027-CVE-2025-8114-NULL-pointer-dereference-after-allocate-fail.patch BuildRequires: cmake gcc-c++ gnupg2 openssl-devel pkgconfig zlib-devel BuildRequires: krb5-devel libcmocka-devel openssh-clients openssh-server @@ -109,6 +110,12 @@ popd %doc CHANGELOG README %changelog +* Mon Sep 15 2025 zhangbinqin - 0.10.5-7 +- Type:CVE +- Id:CVE-2025-8114 +- SUG:NA +- DESC:fix CVE-2025-8114 + * Mon Aug 18 2025 zhangbinqin - 0.10.5-6 - Type:CVE - Id:CVE-2025-4877 CVE-2025-4878 CVE-2025-5351 CVE-2025-5987 CVE-2025-5372