[AutoPR- Security] Patch libssh for CVE-2025-5987, CVE-2025-5372, CVE-2025-5351, CVE-2025-5318 (microsoft#14256)

Co-authored-by: Kevin Lockwood <[email protected]>
Co-authored-by: Mykhailo Bykhovtsev <[email protected]>

Author: 3 people

SPECS/libssh/CVE-2025-5318.patch

@@ -0,0 +1,27 @@
+From 06b93128198f80c4bf5c98563bffdad5524ecb51 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 10 Jul 2025 14:55:12 +0000
+Subject: [PATCH] Fix CVE CVE-2025-5318 in libssh
+
+[AI Backported] Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466
+---
+ src/sftpserver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 9117f15..b3349e1 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -538,7 +538,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle){
+ 
+   memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
+ 
+-  if (val > SFTP_HANDLES) {
++  if (val >= SFTP_HANDLES) {
+     return NULL;
+   }
+ 
+-- 
+2.45.3
+

SPECS/libssh/CVE-2025-5351.patch

@@ -0,0 +1,34 @@
+From 313681dd6494c3086489ae14957a496a2ba42456 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 10 Jul 2025 14:46:58 +0000
+Subject: [PATCH] Fix CVE CVE-2025-5351 in libssh
+
+Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/patch/?id=6ddb730a27338983851248af59b128b995aad256
+---
+ src/pki_crypto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pki_crypto.c b/src/pki_crypto.c
+index 5b0d7de..aec4954 100644
+--- a/src/pki_crypto.c
++++ b/src/pki_crypto.c
+@@ -2023,6 +2023,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
+             bignum_safe_free(bn);
+             bignum_safe_free(be);
+             OSSL_PARAM_free(params);
++            params = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER */
+             break;
+         }
+@@ -2143,6 +2144,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
+  */
+ #if 0
+                 OSSL_PARAM_free(params);
++                params = NULL;
+ #endif /* OPENSSL_VERSION_NUMBER */
+ 
+                 if (key->type == SSH_KEYTYPE_SK_ECDSA &&
+-- 
+2.45.3
+

SPECS/libssh/CVE-2025-5372.patch

@@ -0,0 +1,154 @@
+From 8a935478287196fc0428d82c3a2ebd4a1ecc133a Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <[email protected]>
+Date: Wed, 14 May 2025 14:07:58 +0200
+Subject: [PATCH] CVE-2025-5372 libgcrypto: Simplify error checking and
+ handling of return codes in ssh_kdf()
+
+Upstream Patch Link: https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972
+
+Signed-off-by: Jakub Jelen <[email protected]>
+Reviewed-by: Andreas Schneider <[email protected]>
+---
+ src/libcrypto.c | 68 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 911b363..f7d42ac 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -163,7 +163,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
+             uint8_t key_type, unsigned char *output,
+             size_t requested_len)
+ {
+-    int rc = -1;
++    int ret = SSH_ERROR, rv;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+     EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
+ #else
+@@ -185,81 +185,81 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
+     }
+ 
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
++    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD,
+                       sshkdf_digest_to_md(crypto->digest_type));
+-    if (rc != 1) {
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
+-    if (rc != 1) {
++    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len);
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
++    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH,
+                       crypto->secret_hash, crypto->digest_len);
+-    if (rc != 1) {
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
+-    if (rc != 1) {
++    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type);
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
++    rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+                       crypto->session_id, crypto->session_id_len);
+-    if (rc != 1) {
++    if (rv != 1) {
+         goto out;
+     }
+-    rc = EVP_KDF_derive(ctx, output, requested_len);
+-    if (rc != 1) {
++    rv = EVP_KDF_derive(ctx, output, requested_len);
++    if (rv != 1) {
+         goto out;
+     }
+ #else
+-    rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
++    rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
+                                          md, strlen(md));
+-    if (rc != 1) {
+-        rc = -1;
++    if (rv != 1) {
++        rv = -1;
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
++    rv = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
+                                           key, key_len);
+-    if (rc != 1) {
+-        rc = -1;
++    if (rv != 1) {
++        rv = -1;
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
++    rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
+                                           OSSL_KDF_PARAM_SSHKDF_XCGHASH,
+                                           crypto->secret_hash,
+                                           crypto->digest_len);
+-    if (rc != 1) {
+-        rc = -1;
++    if (rv != 1) {
++        rv = -1;
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_octet_string(param_bld,
++    rv = OSSL_PARAM_BLD_push_octet_string(param_bld,
+                                           OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
+                                           crypto->session_id,
+                                           crypto->session_id_len);
+-    if (rc != 1) {
+-        rc = -1;
++    if (rv != 1) {
++        rv = -1;
+         goto out;
+     }
+-    rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
++    rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
+                                          (const char*)&key_type, 1);
+-    if (rc != 1) {
+-        rc = -1;
++    if (rv != 1) {
++        rv = -1;
+         goto out;
+     }
+ 
+     params = OSSL_PARAM_BLD_to_param(param_bld);
+     if (params == NULL) {
+-        rc = -1;
++        rv = -1;
+         goto out;
+     }
+ 
+-    rc = EVP_KDF_derive(ctx, output, requested_len, params);
+-    if (rc != 1) {
+-        rc = -1;
++    rv = EVP_KDF_derive(ctx, output, requested_len, params);
++    if (rv != 1) {
+         goto out;
+     }
+ #endif /* OPENSSL_VERSION_NUMBER */
++    ret = SSH_OK;
+ 
+ out:
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+@@ -267,8 +267,8 @@ out:
+     OSSL_PARAM_free(params);
+ #endif
+     EVP_KDF_CTX_free(ctx);
+-    if (rc < 0) {
+-        return rc;
++    if (ret < 0) {
++        return ret;
+     }
+     return 0;
+ }
+-- 
+2.34.1
+

SPECS/libssh/CVE-2025-5987.patch

@@ -0,0 +1,30 @@
+From 58aa3e96f2ba827e02254434bdfacf0b595f5080 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Thu, 10 Jul 2025 14:55:18 +0000
+Subject: [PATCH] Fix CVE CVE-2025-5987 in libssh
+
+[AI Backported] Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57
+---
+ src/libcrypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 4f945d9..911b363 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -777,9 +777,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher,
+         SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed");
+         goto out;
+     }
+-    ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
++    rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
+                              u8key + CHACHA20_KEYLEN, NULL);
+-    if (ret != 1) {
++    if (rv != 1) {
+         SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed");
+         goto out;
+     }
+-- 
+2.45.3
+

SPECS/libssh/libssh.spec

@@ -2,7 +2,7 @@ Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Name:           libssh
 Version:        0.10.6
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
@@ -12,6 +12,10 @@ Source1:        https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc
 Source2:        https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
 Source3:        libssh_client.config
 Source4:        libssh_server.config
+Patch0:         CVE-2025-5987.patch
+Patch1:         CVE-2025-5372.patch
+Patch2:         CVE-2025-5351.patch
+Patch3:         CVE-2025-5318.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@@ -144,6 +148,9 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
+* Thu Jul 10 2025 Azure Linux Security Servicing Account <[email protected]> - 0.10.6-2
+- Patch for CVE-2025-5987, CVE-2025-5372, CVE-2025-5351, CVE-2025-5318
+
 * Fri Dec 29 2023 Neha Agarwal <[email protected]> - 0.10.6-1
 - Upgrade to 0.10.6 to fix CVE-2023-48795