diff --git a/SPECS/libssh/CVE-2025-5318.patch b/SPECS/libssh/CVE-2025-5318.patch new file mode 100644 index 00000000000..9eb71af7129 --- /dev/null +++ b/SPECS/libssh/CVE-2025-5318.patch @@ -0,0 +1,27 @@ +From 56a3a57425b569bfd79191b1c9150862f3390fa7 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 10 Jul 2025 13:56:51 +0000 +Subject: [PATCH] Fix CVE CVE-2025-5318 in libssh + +[AI Backported] Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466 +--- + src/sftpserver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sftpserver.c b/src/sftpserver.c +index 9117f15..b3349e1 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -538,7 +538,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle){ + + memcpy(&val, ssh_string_data(handle), sizeof(uint32_t)); + +- if (val > SFTP_HANDLES) { ++ if (val >= SFTP_HANDLES) { + return NULL; + } + +-- +2.45.3 + diff --git a/SPECS/libssh/CVE-2025-5351.patch b/SPECS/libssh/CVE-2025-5351.patch new file mode 100644 index 00000000000..f025ba04ba4 --- /dev/null +++ b/SPECS/libssh/CVE-2025-5351.patch @@ -0,0 +1,34 @@ +From 7f209182f27254940032f40108fd32f3227cf372 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 10 Jul 2025 13:56:18 +0000 +Subject: [PATCH] Fix CVE CVE-2025-5351 in libssh + +Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/patch/?id=6ddb730a27338983851248af59b128b995aad256 +--- + src/pki_crypto.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/pki_crypto.c b/src/pki_crypto.c +index 5b0d7de..aec4954 100644 +--- a/src/pki_crypto.c ++++ b/src/pki_crypto.c +@@ -2023,6 +2023,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key) + bignum_safe_free(bn); + bignum_safe_free(be); + OSSL_PARAM_free(params); ++ params = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + break; + } +@@ -2143,6 +2144,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key) + */ + #if 0 + OSSL_PARAM_free(params); ++ params = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + + if (key->type == SSH_KEYTYPE_SK_ECDSA && +-- +2.45.3 + diff --git a/SPECS/libssh/CVE-2025-5372.patch b/SPECS/libssh/CVE-2025-5372.patch new file mode 100644 index 00000000000..a85a3b33053 --- /dev/null +++ b/SPECS/libssh/CVE-2025-5372.patch @@ -0,0 +1,81 @@ +From 249ddebaa09978a5c2c8aba5760ec219e89e72c9 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 10 Jul 2025 13:57:02 +0000 +Subject: [PATCH] Fix CVE CVE-2025-5372 in libssh + +[AI Backported] Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972 +--- + src/libcrypto.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 4f945d9..620f99b 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -163,7 +163,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto, + uint8_t key_type, unsigned char *output, + size_t requested_len) + { +- int rc = -1; ++ int ret = SSH_ERROR, rv; + #if OPENSSL_VERSION_NUMBER < 0x30000000L + EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF); + #else +@@ -185,30 +185,30 @@ int ssh_kdf(struct ssh_crypto_struct *crypto, + } + + #if OPENSSL_VERSION_NUMBER < 0x30000000L +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, + sshkdf_digest_to_md(crypto->digest_type)); + if (rc != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len); ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len); + if (rc != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, + crypto->secret_hash, crypto->digest_len); + if (rc != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type); ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type); + if (rc != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, + crypto->session_id, crypto->session_id_len); + if (rc != 1) { + goto out; + } +- rc = EVP_KDF_derive(ctx, output, requested_len); ++ rv = EVP_KDF_derive(ctx, output, requested_len); + if (rc != 1) { + goto out; + } +@@ -259,6 +259,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto, + rc = -1; + goto out; + } ++ ret = SSH_OK; + #endif /* OPENSSL_VERSION_NUMBER */ + + out: +@@ -267,7 +268,7 @@ out: + OSSL_PARAM_free(params); + #endif + EVP_KDF_CTX_free(ctx); +- if (rc < 0) { ++ if (ret < 0) { + return rc; + } + return 0; +-- +2.45.3 + diff --git a/SPECS/libssh/CVE-2025-5987.patch b/SPECS/libssh/CVE-2025-5987.patch new file mode 100644 index 00000000000..e7a3317fbfe --- /dev/null +++ b/SPECS/libssh/CVE-2025-5987.patch @@ -0,0 +1,27 @@ +From abc5f4471915f6a39656a77534174beafaba89c3 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 10 Jul 2025 13:56:57 +0000 +Subject: [PATCH] Fix CVE CVE-2025-5987 in libssh + +[AI Backported] Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57 +--- + src/libcrypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 4f945d9..1006916 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -777,7 +777,7 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher, + SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed"); + goto out; + } +- ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, ++ rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, + u8key + CHACHA20_KEYLEN, NULL); + if (ret != 1) { + SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed"); +-- +2.45.3 + diff --git a/SPECS/libssh/libssh.spec b/SPECS/libssh/libssh.spec index 238cea54e00..3604070ed84 100644 --- a/SPECS/libssh/libssh.spec +++ b/SPECS/libssh/libssh.spec @@ -2,7 +2,7 @@ Vendor: Microsoft Corporation Distribution: Azure Linux Name: libssh Version: 0.10.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH protocol License: LGPLv2+ URL: http://www.libssh.org @@ -12,6 +12,10 @@ Source1: https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring Source3: libssh_client.config Source4: libssh_server.config +Patch0: CVE-2025-5987.patch +Patch1: CVE-2025-5372.patch +Patch2: CVE-2025-5351.patch +Patch3: CVE-2025-5318.patch BuildRequires: cmake BuildRequires: gcc-c++ @@ -144,6 +148,9 @@ popd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config %changelog +* Thu Jul 10 2025 Azure Linux Security Servicing Account - 0.10.6-2 +- Patch for CVE-2025-5987, CVE-2025-5372, CVE-2025-5351, CVE-2025-5318 + * Tue Feb 25 2025 CBL-Mariner Servicing Account - 0.10.6-1 - Auto-upgrade to 0.10.6 - for CVE-2023-6004, CVE-2023-6918 & CVE-2023-48795 [Medium] diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 52c662c18e7..eca84e5e6d1 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -193,8 +193,8 @@ e2fsprogs-1.47.0-2.azl3.aarch64.rpm e2fsprogs-devel-1.47.0-2.azl3.aarch64.rpm libsolv-0.7.28-3.azl3.aarch64.rpm libsolv-devel-0.7.28-3.azl3.aarch64.rpm -libssh2-1.11.1-1.azl3.aarch64.rpm -libssh2-devel-1.11.1-1.azl3.aarch64.rpm +libssh2-0.10.6-2.azl3.aarch64.rpm +libssh2-devel-0.10.6-2.azl3.aarch64.rpm krb5-1.21.3-2.azl3.aarch64.rpm krb5-devel-1.21.3-2.azl3.aarch64.rpm nghttp2-1.61.0-2.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 48d07af5196..daa8b92c393 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -193,8 +193,8 @@ e2fsprogs-1.47.0-2.azl3.x86_64.rpm e2fsprogs-devel-1.47.0-2.azl3.x86_64.rpm libsolv-0.7.28-3.azl3.x86_64.rpm libsolv-devel-0.7.28-3.azl3.x86_64.rpm -libssh2-1.11.1-1.azl3.x86_64.rpm -libssh2-devel-1.11.1-1.azl3.x86_64.rpm +libssh2-0.10.6-2.azl3.x86_64.rpm +libssh2-devel-0.10.6-2.azl3.x86_64.rpm krb5-1.21.3-2.azl3.x86_64.rpm krb5-devel-1.21.3-2.azl3.x86_64.rpm nghttp2-1.61.0-2.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 6b0ea5ecf2b..b7f02985502 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -229,9 +229,9 @@ libsolv-0.7.28-3.azl3.aarch64.rpm libsolv-debuginfo-0.7.28-3.azl3.aarch64.rpm libsolv-devel-0.7.28-3.azl3.aarch64.rpm libsolv-tools-0.7.28-3.azl3.aarch64.rpm -libssh2-1.11.1-1.azl3.aarch64.rpm -libssh2-debuginfo-1.11.1-1.azl3.aarch64.rpm -libssh2-devel-1.11.1-1.azl3.aarch64.rpm +libssh2-0.10.6-2.azl3.aarch64.rpm +libssh2-debuginfo-0.10.6-2.azl3.aarch64.rpm +libssh2-devel-0.10.6-2.azl3.aarch64.rpm libstdc++-13.2.0-7.azl3.aarch64.rpm libstdc++-devel-13.2.0-7.azl3.aarch64.rpm libtasn1-4.19.0-2.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index ec41b45a86a..121ec22a266 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -237,9 +237,9 @@ libsolv-0.7.28-3.azl3.x86_64.rpm libsolv-debuginfo-0.7.28-3.azl3.x86_64.rpm libsolv-devel-0.7.28-3.azl3.x86_64.rpm libsolv-tools-0.7.28-3.azl3.x86_64.rpm -libssh2-1.11.1-1.azl3.x86_64.rpm -libssh2-debuginfo-1.11.1-1.azl3.x86_64.rpm -libssh2-devel-1.11.1-1.azl3.x86_64.rpm +libssh2-0.10.6-2.azl3.x86_64.rpm +libssh2-debuginfo-0.10.6-2.azl3.x86_64.rpm +libssh2-devel-0.10.6-2.azl3.x86_64.rpm libstdc++-13.2.0-7.azl3.x86_64.rpm libstdc++-devel-13.2.0-7.azl3.x86_64.rpm libtasn1-4.19.0-2.azl3.x86_64.rpm