[AUTO-CHERRYPICK] [AutoPR- Security] Patch libssh for CVE-2025-5987, CVE-2025-5372, CVE-2025-5351, CVE-2025-5318 - branch 3.0-dev (microsoft#14299)

Co-authored-by: Azure Linux Security Servicing Account <[email protected]>
Co-authored-by: Kanishk Bansal <[email protected]>
Co-authored-by: Aninda <[email protected]>

Author: 4 people

SPECS/libssh/CVE-2025-5318.patch

@@ -0,0 +1,27 @@
+From b950d47ae47367a53ff3f5dc8021fc02dfcae17d Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 10 Jul 2025 14:19:59 +0000
+Subject: [PATCH] Fix CVE CVE-2025-5318 in libssh
+
+[AI Backported] Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466
+---
+ src/sftpserver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 9117f15..b3349e1 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -538,7 +538,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle){
+ 
+   memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
+ 
+-  if (val > SFTP_HANDLES) {
++  if (val >= SFTP_HANDLES) {
+     return NULL;
+   }
+ 
+-- 
+2.45.3
+

SPECS/libssh/CVE-2025-5351.patch

@@ -0,0 +1,34 @@
+From 5f21b769c263f77db24b7a2757a7394608e3c4a4 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 10 Jul 2025 14:07:05 +0000
+Subject: [PATCH] Fix CVE CVE-2025-5351 in libssh
+
+Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/patch/?id=6ddb730a27338983851248af59b128b995aad256
+---
+ src/pki_crypto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pki_crypto.c b/src/pki_crypto.c
+index 5b0d7de..aec4954 100644
+--- a/src/pki_crypto.c
++++ b/src/pki_crypto.c
+@@ -2023,6 +2023,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
+             bignum_safe_free(bn);
+             bignum_safe_free(be);
+             OSSL_PARAM_free(params);
++            params = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER */
+             break;
+         }
+@@ -2143,6 +2144,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
+  */
+ #if 0
+                 OSSL_PARAM_free(params);
++                params = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER */
+ 
+                 if (key->type == SSH_KEYTYPE_SK_ECDSA &&
+-- 
+2.45.3
+

SPECS/libssh/CVE-2025-5372.patch

@@ -0,0 +1,148 @@
+From a9d8a3d44829cf9182b252bc951f35fb0d573972 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <[email protected]>
+Date: Wed, 14 May 2025 14:07:58 +0200
+Subject: CVE-2025-5372 libgcrypto: Simplify error checking and handling of
+ return codes in ssh_kdf()
+
+Signed-off-by: Jakub Jelen <[email protected]>
+Reviewed-by: Andreas Schneider <[email protected]>
+
+Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/patch/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972
+---
+ src/libcrypto.c | 63 ++++++++++++++++++++++---------------------------
+ 1 file changed, 28 insertions(+), 35 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 911b363..aa48c67 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -163,7 +163,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
+             uint8_t key_type, unsigned char *output,
+             size_t requested_len)
+ {
+-    int rc = -1;
++    int ret = SSH_ERROR, rv;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+     EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
+ #else
+@@ -185,90 +185,83 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
+     }
+ 
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
++    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
+                       sshkdf_digest_to_md(crypto->digest_type));
+-    if (rc != 1) {
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
+-    if (rc != 1) {
++    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
++    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
+                       crypto->secret_hash, crypto->digest_len);
+-    if (rc != 1) {
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
+-    if (rc != 1) {
++    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
++    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+                       crypto->session_id, crypto->session_id_len);
+-    if (rc != 1) {
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_derive(ctx, output, requested_len);
+-    if (rc != 1) {
++    rv = EVP_KDF_derive(ctx, output, requested_len);
++    if (rv != 1) {
+         goto out;
+     }
+ #else
+-    rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
++    rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
+                                          md, strlen(md));
+-    if (rc != 1) {
+-        rc = -1;
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
++    rv = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
+                                           key, key_len);
+-    if (rc != 1) {
+-        rc = -1;
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
++    rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
+                                           OSSL_KDF_PARAM_SSHKDF_XCGHASH,
+                                           crypto->secret_hash,
+                                           crypto->digest_len);
+-    if (rc != 1) {
+-        rc = -1;
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
++    rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
+                                           OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
+                                           crypto->session_id,
+                                           crypto->session_id_len);
+-    if (rc != 1) {
+-        rc = -1;
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
++    rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
+                                          (const char*)&key_type, 1);
+-    if (rc != 1) {
+-        rc = -1;
++    if (rv != 1) {
+         goto out;
+     }
+ 
+     params = OSSL_PARAM_BLD_to_param(param_bld);
+     if (params == NULL) {
+-        rc = -1;
+         goto out;
+     }
+ 
+-    rc = EVP_KDF_derive(ctx, output, requested_len, params);
+-    if (rc != 1) {
+-        rc = -1;
++    rv = EVP_KDF_derive(ctx, output, requested_len, params);
++    if (rv != 1) {
+         goto out;
+     }
+ #endif /* OPENSSL_VERSION_NUMBER */
+-
++    ret = SSH_OK;
+ out:
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+     OSSL_PARAM_BLD_free(param_bld);
+     OSSL_PARAM_free(params);
+ #endif
+     EVP_KDF_CTX_free(ctx);
+-    if (rc < 0) {
+-        return rc;
++    if (ret < 0) {
++        return ret;
+     }
+     return 0;
+ }
+-- 
+2.34.1
+

SPECS/libssh/CVE-2025-5987.patch

@@ -0,0 +1,30 @@
+From 3f1f9958b798bffbf2968306712aea63d93eebf9 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 10 Jul 2025 14:19:53 +0000
+Subject: [PATCH] Fix CVE CVE-2025-5987 in libssh
+
+[AI Backported] Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57
+---
+ src/libcrypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 4f945d9..911b363 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -777,9 +777,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher,
+         SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed");
+         goto out;
+     }
+-    ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
++    rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
+                              u8key + CHACHA20_KEYLEN, NULL);
+-    if (ret != 1) {
++    if (rv != 1) {
+         SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed");
+         goto out;
+     }
+-- 
+2.45.3
+

SPECS/libssh/libssh.spec

@@ -2,7 +2,7 @@ Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Name:           libssh
 Version:        0.10.6
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
@@ -12,6 +12,10 @@ Source1:        https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc
 Source2:        https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
 Source3:        libssh_client.config
 Source4:        libssh_server.config
+Patch0:         CVE-2025-5987.patch
+Patch1:         CVE-2025-5372.patch
+Patch2:         CVE-2025-5351.patch
+Patch3:         CVE-2025-5318.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@@ -144,6 +148,9 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
+* Thu Jul 10 2025 Azure Linux Security Servicing Account <[email protected]> - 0.10.6-2
+- Patch for CVE-2025-5987, CVE-2025-5372, CVE-2025-5351, CVE-2025-5318
+
 * Tue Feb 25 2025 CBL-Mariner Servicing Account <[email protected]> - 0.10.6-1
 - Auto-upgrade to 0.10.6 - for CVE-2023-6004, CVE-2023-6918 & CVE-2023-48795 [Medium]