* [meta-oe][scarthgap][PATCH] libssh: fix CVE-2025-4877
From: Hitendra Prajapati @ 2025-09-01 5:36 UTC (permalink / raw)
To: openembedded-devel; +Cc: Hitendra Prajapati
Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
.../libssh/libssh/CVE-2025-4877.patch | 57 +++++++++++++++++++
.../recipes-support/libssh/libssh_0.10.6.bb | 1 +
2 files changed, 58 insertions(+)
create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
new file mode 100644
index 0000000000..afea52c5b5
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
@@ -0,0 +1,57 @@
+From 6fd9cc8ce3958092a1aae11f1f2e911b2747732d Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 15 Apr 2025 11:41:24 +0200
+Subject: CVE-2025-4877 base64: Prevent integer overflow and potential OOB
+
+Set maximum input to 256MB to have safe margin to the 1GB trigger point
+for 32b arch.
+
+The OOB should not be reachable by any internal code paths as most of
+the buffers and strings we use as input for this operation already have
+similar limit and none really allows this much of data.
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 00f09acbec55962839fc7837ef14c56fb8fbaf72)
+
+CVE: CVE-2025-4877
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/base64.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/base64.c b/src/base64.c
+index 4148f49c..f42e0e80 100644
+--- a/src/base64.c
++++ b/src/base64.c
+@@ -29,6 +29,9 @@
+ #include "libssh/priv.h"
+ #include "libssh/buffer.h"
+
++/* Do not allow encoding more than 256MB of data */
++#define BASE64_MAX_INPUT_LEN 256 * 1024 * 1024
++
+ static
+ const uint8_t alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz"
+@@ -274,7 +277,15 @@ uint8_t *bin_to_base64(const uint8_t *source, size_t len)
+ {
+ uint8_t *base64 = NULL;
+ uint8_t *ptr = NULL;
+- size_t flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
++ size_t flen = 0;
++
++ /* Set the artificial upper limit for the input. Otherwise on 32b arch, the
++ * following line could overflow for sizes larger than SIZE_MAX / 4 */
++ if (len > BASE64_MAX_INPUT_LEN) {
++ return NULL;
++ }
++
++ flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
+ flen = (4 * flen) / 3 + 1;
+
+ base64 = malloc(flen);
+--
+2.50.1
+
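Review bot: The new `BASE64_MAX_INPUT_LEN` define in the first src/base64.c hunk expands to the bare expression `256 * 1024 * 1024` with no enclosing parentheses. The only use visible here, `if (len > BASE64_MAX_INPUT_LEN)`, evaluates as intended because `*` binds tighter than `>`, but a later use next to `/` or `%` would silently change meaning; `#define BASE64_MAX_INPUT_LEN (256 * 1024 * 1024)` avoids that. Since this file is a backport of the upstream commit, the change is better raised upstream than made in this copy. The guard itself is placed before both `flen` computations, so for any accepted `len` the `4 * flen` multiplication named in the comment stays well below the 32-bit `size_t` limit.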
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
index 64835c5e08..48cb47d4c0 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -13,6 +13,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
file://CVE-2025-5318.patch \
file://CVE-2025-5351.patch \
file://CVE-2025-5372.patch \
+ file://CVE-2025-4877.patch \
"
SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
--
2.50.1