From 30158b644f753fcd6ae0bf4e4f6515584487ffbb Mon Sep 17 00:00:00 2001
From: zhangbinqin
Date: Tue, 1 Jul 2025 14:12:46 +0000
Subject: [PATCH] fix CVE-2025-5318
---
 ...025-5318-fix-possible-buffer-overrun.patch | 30 +++++++++++++++++++
 libssh.spec | 9 +++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 backport-0020-CVE-2025-5318-fix-possible-buffer-overrun.patch
diff --git a/backport-0020-CVE-2025-5318-fix-possible-buffer-overrun.patch b/backport-0020-CVE-2025-5318-fix-possible-buffer-overrun.patch
new file mode 100644
index 0000000..745e797
--- /dev/null
+++ b/backport-0020-CVE-2025-5318-fix-possible-buffer-overrun.patch
@@ -0,0 +1,30 @@
+From ae8881dfe54214c0c0eb88345c35e15a14081b3d Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Tue, 22 Apr 2025 21:18:44 +0200
+Subject: CVE-2025-5318: sftpserver: Fix possible buffer overrun
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+
+Conflict: NA
+Reference:https://git.libssh.org/projects/libssh.git/patch/?id=ae8881dfe54214c0c0eb88345c35e15a14081b3d
+---
+ src/sftpserver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 9117f15..b3349e1 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -538,7 +538,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle){
+
+ memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
+
+- if (val > SFTP_HANDLES) {
++ if (val >= SFTP_HANDLES) {
+ return NULL;
+ }
+
+--
+2.33.0
+
diff --git a/libssh.spec b/libssh.spec
index ed21573..728ba2a 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,6 +1,6 @@
 Name: libssh
 Version: 0.9.4
-Release: 9
+Release: 10
 Summary: A library implementing the SSH protocol
 License: LGPLv2+
 URL: http://www.libssh.org
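Review bot: The `memcpy` of `sizeof(uint32_t)` bytes that feeds the corrected comparison in src/sftpserver.c (carried inside backport-0020) depends on the handle string holding at least four bytes, and no length check is visible in this hunk. sftp_handle begins and ends outside the hunk, so confirm that the 0.9.4 tree this backport applies to rejects other lengths before the copy, e.g. `if (ssh_string_len(handle) != sizeof(uint32_t)) return NULL;`. The `>=` bound is presumably correct because the handle table has SFTP_HANDLES slots indexed from zero; a one-line comment such as `/* valid indices are 0 .. SFTP_HANDLES - 1 */` above the check would document that.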
@@ -50,6 +50,7 @@ Patch38: backport-0002-CVE-2023-6918-Remove-unused-evp-functions-and-type
 Patch39: backport-0003-CVE-2023-6918-Systematically-check-return-values-whe.patch
 Patch40: backport-0004-CVE-2023-6918-kdf-Detect-context-init-failures.patch
 Patch41: backport-0010-CVE-2023-6004-torture_config-Allow-multiple-in-usern.patch
+Patch42: backport-0020-CVE-2025-5318-fix-possible-buffer-overrun.patch
 BuildRequires: cmake gcc-c++ gnupg2 openssl-devel pkgconfig zlib-devel
 BuildRequires: krb5-devel libcmocka-devel openssh-clients openssh-server
@@ -134,6 +135,12 @@ popd
 %doc ChangeLog README
 %changelog
+* Tue Jul 1 2025 zhangbinqin - 0.9.4-10
+- Type:CVE
+- Id:CVE-2025-5318
+- SUG:NA
+- DESC:fix CVE-2025-5318
+
 * Thu Jan 4 2024 renmingshuai - 0.9.4-9
 - Type:CVE
 - Id:CVE-2023-6004,CVE-2023-48795,CVE-2023-6918
--
Gitee
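Review bot: Patch42 is declared in this hunk, but none of the three libssh.spec hunks adds a matching `%patch42 -p1` line; the diffstat's 8 insertions are fully accounted for by the Release bump, this declaration and the changelog entry. If the %prep section (not shown here) applies patches one by one rather than through `%autosetup -p1` or `%autopatch`, the package would ship as 0.9.4-10 with CVE-2025-5318 listed in the changelog but the fix not compiled in. Confirm how %prep applies patches, and check that the prepared source tree has `val >= SFTP_HANDLES` in src/sftpserver.c.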