[AutoPR- Security] Patch libssh for CVE-2025-8114 [MEDIUM] (microsoft#15065)

Author: azurelinux-security

SPECS/libssh/CVE-2025-8114.patch

@@ -0,0 +1,46 @@
+From 593fa4de0aee1cc61ed78446fd2a914846abf374 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <[email protected]>
+Date: Wed, 6 Aug 2025 15:17:59 +0200
+Subject: [PATCH] CVE-2025-8114: Fix NULL pointer dereference after allocation
+ failure
+
+Signed-off-by: Andreas Schneider <[email protected]>
+Reviewed-by: Jakub Jelen <[email protected]>
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://git.libssh.org/projects/libssh.git/patch/?id=53ac23ded4cb2c5463f6c4cd1525331bd578812d
+---
+ src/kex.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/kex.c b/src/kex.c
+index ecfc012..e88908b 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -1391,6 +1391,8 @@ int ssh_make_sessionid(ssh_session session)
+     ssh_log_hexdump("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf));
+ #endif
+ 
++    /* Set rc for the following switch statement in case we goto error. */
++    rc = SSH_ERROR;
+     switch (session->next_crypto->kex_type) {
+     case SSH_KEX_DH_GROUP1_SHA1:
+     case SSH_KEX_DH_GROUP14_SHA1:
+@@ -1450,6 +1452,7 @@ int ssh_make_sessionid(ssh_session session)
+                session->next_crypto->secret_hash);
+         break;
+     }
++
+     /* During the first kex, secret hash and session ID are equal. However, after
+      * a key re-exchange, a new secret hash is calculated. This hash will not replace
+      * but complement existing session id.
+@@ -1458,6 +1461,7 @@ int ssh_make_sessionid(ssh_session session)
+         session->next_crypto->session_id = malloc(session->next_crypto->digest_len);
+         if (session->next_crypto->session_id == NULL) {
+             ssh_set_error_oom(session);
++            rc = SSH_ERROR;
+             goto error;
+         }
+         memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash,
+-- 
+2.45.4
+

SPECS/libssh/libssh.spec

@@ -2,7 +2,7 @@ Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Name:           libssh
 Version:        0.10.6
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
@@ -18,6 +18,7 @@ Patch2:         CVE-2025-5351.patch
 Patch3:         CVE-2025-5318.patch
 Patch4:         CVE-2025-4878.patch
 Patch5:         CVE-2025-8277.patch
+Patch6:         CVE-2025-8114.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@@ -151,6 +152,9 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
+* Wed Nov 12 2025 Azure Linux Security Servicing Account <[email protected]> - 0.10.6-5
+- Patch for CVE-2025-8114
+
 * Thu Sep 11 2025 Azure Linux Security Servicing Account <[email protected]> - 0.10.6-4
 - Patch for CVE-2025-8277