From fe9602c2faaf5862da3d01de0145e094efd58c7c Mon Sep 17 00:00:00 2001
From: wenxin <wx02272781@alibaba-inc.com>
Date: Fri, 8 Aug 2025 16:06:53 +0800
Subject: [PATCH] add patch to fix CVE-2025-5987

---
 0025-CVE-2025-5987.patch | 31 +++++++++++++++++++++++++++++++
 libssh.spec              |  9 +++++++--
 2 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 0025-CVE-2025-5987.patch

diff --git a/0025-CVE-2025-5987.patch b/0025-CVE-2025-5987.patch
new file mode 100644
index 0000000..415ab7f
--- /dev/null
+++ b/0025-CVE-2025-5987.patch
@@ -0,0 +1,31 @@
+From 90b4845e0c98574bbf7bea9e97796695f064bf57 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 6 May 2025 22:51:41 +0200
+Subject: CVE-2025-5987 libcrypto: Correctly detect failures of chacha
+ initialization
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/libcrypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 6e2907c..f6681d4 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -771,9 +771,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher,
+         SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed");
+         goto out;
+     }
+-    ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
++    rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
+                              u8key + CHACHA20_KEYLEN, NULL);
+-    if (ret != 1) {
++    if (rv != 1) {
+         SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed");
+         goto out;
+     }
+-- 
+2.47.3
+
diff --git a/libssh.spec b/libssh.spec
index e44e950..22ccdc1 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,4 +1,4 @@
-%define anolis_release 7
+%define anolis_release 8
 %global _smp_build_ncpus 1
 
 Name:           libssh
@@ -41,7 +41,9 @@ Patch0022:      0022-libssh-0.10.6-rekey-timeout.patch
 # https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466
 Patch0023:      0023-CVE-2025-5318.patch
 # https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972
-Patch0024:      0024-CVE-2025-5372.patch     
+Patch0024:      0024-CVE-2025-5372.patch
+# https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57    
+Patch0025:      0025-CVE-2025-5987.patch 
 
 BuildRequires:  cmake gcc-c++
 BuildRequires:  openssl-devel zlib-devel krb5-devel libcmocka-devel
@@ -152,6 +154,9 @@ popd
 %doc AUTHORS CHANGELOG README
 
 %changelog
+* Fri Aug 08 2025 wenxin <wx02272781@alibaba-inc.com> - 0.10.5-8
+- Add patch to fix CVE-2025-5987
+
 * Tue Jul 15 2025 zjl02254423 <zjl02254423@alibab-inc.com> - 0.10.5-7
 - Fix CVE-2025-5372
 
-- 
Gitee