From 8cab78e98b9b51d18930a8936e007aa1fb3376ca Mon Sep 17 00:00:00 2001
From: zhangbinqin
Date: Thu, 18 Sep 2025 12:30:31 +0000
Subject: [PATCH] fix CVE-2025-8227
(cherry picked from commit bee4cf0b6c4b8d4a18c08ab0ca3a4601d79d00e8)
---
 ...8-CVE-2025-8277-adjust-packet-filter.patch | 38 ++++++
 ...mory-leak-and-free-allocated-pubkeys.patch | 115 ++++++++++++++++++
 ...8277-mbedtls-avoid-leaking-ecdh-keys.patch | 46 +++++++
 libssh.spec | 11 +-
 4 files changed, 209 insertions(+), 1 deletion(-)
 create mode 100644 backport-0028-CVE-2025-8277-adjust-packet-filter.patch
 create mode 100644 backport-0029-CVE-2025-8277-fix-memory-leak-and-free-allocated-pubkeys.patch
 create mode 100644 backport-0030-CVE-2025-8277-mbedtls-avoid-leaking-ecdh-keys.patch
diff --git a/backport-0028-CVE-2025-8277-adjust-packet-filter.patch b/backport-0028-CVE-2025-8277-adjust-packet-filter.patch
new file mode 100644
index 0000000..780b22d
--- /dev/null
+++ b/backport-0028-CVE-2025-8277-adjust-packet-filter.patch
@@ -0,0 +1,38 @@
+From 4310a696f2d632c6742678077d703d9b9ff3bc0e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Tue, 5 Aug 2025 18:42:31 +0200
+Subject: CVE-2025-8277: packet: Adjust packet filter to work when DH-GEX is guessed wrongly
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+
+Conflict:NA
+Reference:https://git.libssh.org/projects/libssh.git/patch/?id=4310a696f2d632c6742678077d703d9b9ff3bc0e
+
+---
+ src/packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/packet.c b/src/packet.c
+index 36910499..5b32f46b 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -294,6 +294,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
+ * or session_state == SSH_SESSION_STATE_INITIAL_KEX
+ * - dh_handshake_state == DH_STATE_INIT
+ * or dh_handshake_state == DH_STATE_INIT_SENT (re-exchange)
++ * or dh_handshake_state == DH_STATE_REQUEST_SENT (dh-gex)
+ * or dh_handshake_state == DH_STATE_FINISHED (re-exchange)
+ *
+ * Transitions:
+@@ -313,6 +314,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
+
+ if ((session->dh_handshake_state != DH_STATE_INIT) &&
+ (session->dh_handshake_state != DH_STATE_INIT_SENT) &&
++ (session->dh_handshake_state != DH_STATE_REQUEST_SENT) &&
+ (session->dh_handshake_state != DH_STATE_FINISHED))
+ {
+ rc = SSH_PACKET_DENIED;
+--
+cgit v1.2.3
+
diff --git a/backport-0029-CVE-2025-8277-fix-memory-leak-and-free-allocated-pubkeys.patch b/backport-0029-CVE-2025-8277-fix-memory-leak-and-free-allocated-pubkeys.patch
new file mode 100644
index 0000000..d801333
--- /dev/null
+++ b/backport-0029-CVE-2025-8277-fix-memory-leak-and-free-allocated-pubkeys.patch
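Review bot: The added comment line `* or dh_handshake_state == DH_STATE_REQUEST_SENT (dh-gex)` in the first inner hunk of src/packet.c does not say why a packet is acceptable in that state, while the neighbouring entries name re-exchange as the reason. Going by the commit subject, the case is a client that guessed DH-GEX wrongly and has already sent its request, so I would spell that out, e.g. `* or dh_handshake_state == DH_STATE_REQUEST_SENT (dh-gex guessed wrongly by the client)`. The matching condition in the second inner hunk widens a packet filter, and nothing visible ties the new state to a DH-GEX negotiation, so a regression test for the wrong-guess path would be worth carrying with the backport; none is part of this patch. The enclosing case of ssh_packet_incoming_filter starts and ends outside both inner hunks.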
@@ -0,0 +1,115 @@
+From ccff22d3787c1355b3f0dcd09fe54d90acc55bf1 Mon Sep 17 00:00:00 2001
+From: Francesco Rollo ;Jakub Jelen
+Date: Thu, 24 Jul 2025 16:30:07 +0300
+Subject: CVE-2025-8277: Fix memory leak of unused ephemeral key pair after client's wrong KEX guess
+CVE-2025-8277: ecdh: Free previously allocated pubkeys
+
+Signed-off-by: Francesco Rollo ;Jakub Jelen
+Reviewed-by: Andreas Schneider ;Andreas Schneider
+
+Conflict: adapt for src/ecdh_crypto.c, src/curve25519_crypto.c and src/curve25519_gcrypt.c don't exist
+Reference:https://git.libssh.org/projects/libssh.git/patch/?id=ccff22d3787c1355b3f0dcd09fe54d90acc55bf1
+https://git.libssh.org/projects/libssh.git/patch/?id=c9d95ab0c7a52b231bcec09afbea71944ed0d852
+---
+ src/dh_crypto.c | 5 +++++
+ src/dh_key.c | 5 +++++
+ src/ecdh_crypto.c | 10 ++++++++++
+ src/ecdh_gcrypt.c | 7 +++++++
+ src/ecdh_mbedcrypto.c | 6 ++++++
+ 5 files changed, 33 insertions(+)
+
+diff --git a/src/dh_crypto.c b/src/dh_crypto.c
+index 4dd9b50..cedfbc8 100644
+--- a/src/dh_crypto.c
++++ b/src/dh_crypto.c
+@@ -407,6 +407,11 @@ int ssh_dh_init_common(struct ssh_crypto_struct *crypto)
+ struct dh_ctx *ctx = NULL;
+ int rc;
+
++ /* Cleanup any previously allocated dh_ctx */
++ if (crypto->dh_ctx != NULL) {
++ ssh_dh_cleanup(crypto);
++ }
++
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL) {
+ return SSH_ERROR;
+diff --git a/src/dh_key.c b/src/dh_key.c
+index 20d24a3..d9743ce 100644
+--- a/src/dh_key.c
++++ b/src/dh_key.c
+@@ -237,6 +237,11 @@ int ssh_dh_init_common(struct ssh_crypto_struct *crypto)
+ struct dh_ctx *ctx = NULL;
+ int rc;
+
++ /* Cleanup any previously allocated dh_ctx */
++ if (crypto->dh_ctx != NULL) {
++ ssh_dh_cleanup(crypto);
++ }
++
+ ctx = calloc(1, sizeof(*ctx));
+ if (ctx == NULL) {
+ return SSH_ERROR;
+diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
+index b674b2e..2ce2ff2 100644
+--- a/src/ecdh_crypto.c
++++ b/src/ecdh_crypto.c
+@@ -218,8 +218,18 @@ int ssh_client_ecdh_init(ssh_session session){
+ SSH_STRING_FREE(client_pubkey);
+ return SSH_ERROR;
+ }
++/* Free any previously allocated privkey */
++ if (session->next_crypto->ecdh_privkey != NULL) {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++ EC_KEY_free(session->next_crypto->ecdh_privkey);
++#else
++ EVP_PKEY_free(session->next_crypto->ecdh_privkey);
++#endif
++ session->next_crypto->ecdh_privkey = NULL;
++ }
+
+ session->next_crypto->ecdh_privkey = key;
++ ssh_string_free(session->next_crypto->ecdh_client_pubkey);
+ session->next_crypto->ecdh_client_pubkey = client_pubkey;
+
+ /* register the packet callbacks */
+diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
+index a8a8c37..5831a30 100644
+--- a/src/ecdh_gcrypt.c
++++ b/src/ecdh_gcrypt.c
+@@ -101,8 +101,15 @@ int ssh_client_ecdh_init(ssh_session session)
+ goto out;
+ }
+
++ /* Free any previously allocated privkey */
++ if (session->next_crypto->ecdh_privkey != NULL) {
++ gcry_sexp_release(session->next_crypto->ecdh_privkey);
++ session->next_crypto->ecdh_privkey = NULL;
++ }
+ session->next_crypto->ecdh_privkey = key;
+ key = NULL;
++
++ SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey);
+ session->next_crypto->ecdh_client_pubkey = client_pubkey;
+ client_pubkey = NULL;
+
+diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
+index dda7392..6074b93 100644
+--- a/src/ecdh_mbedcrypto.c
++++ b/src/ecdh_mbedcrypto.c
+@@ -70,6 +70,12 @@ int ssh_client_ecdh_init(ssh_session session)
+ return SSH_ERROR;
+ }
+
++ /* Free any previously allocated privkey */
++ if (session->next_crypto->ecdh_privkey != NULL) {
++ mbedtls_ecp_keypair_free(session->next_crypto->ecdh_privkey);
++ SAFE_FREE(session->next_crypto->ecdh_privkey);
++ }
++
+ session->next_crypto->ecdh_privkey = malloc(sizeof(mbedtls_ecp_keypair));
+ if (session->next_crypto->ecdh_privkey == NULL) {
+ return SSH_ERROR;
+--
+2.33.0
+
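Review bot: In both copies of ssh_dh_init_common (src/dh_crypto.c and src/dh_key.c) the new `ssh_dh_cleanup(crypto)` call is followed by a `calloc` whose failure path returns SSH_ERROR, so the change is only safe if ssh_dh_cleanup also resets `crypto->dh_ctx` to NULL; that function is not in the patch, so please confirm it against the 0.10.5 tree. In the src/ecdh_crypto.c hunk the old public key is released with `ssh_string_free(...)` where the gcrypt hunk uses the macro; I would write `SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey);` there as well and indent the `/* Free any previously allocated privkey */` comment, which starts at column 0. The Conflict line names src/ecdh_crypto.c among the files that do not exist although the patch modifies it, and it reads as if the curve25519 part of the upstream change was left out; the note should state whether the curve25519 path in this tree needs an equivalent free. All five functions continue outside their hunks.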
diff --git a/backport-0030-CVE-2025-8277-mbedtls-avoid-leaking-ecdh-keys.patch b/backport-0030-CVE-2025-8277-mbedtls-avoid-leaking-ecdh-keys.patch
new file mode 100644
index 0000000..b080e03
--- /dev/null
+++ b/backport-0030-CVE-2025-8277-mbedtls-avoid-leaking-ecdh-keys.patch
@@ -0,0 +1,46 @@
+From ffed80f8c078122990a4eba2b275facd56dd43e0 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Wed, 6 Aug 2025 15:32:56 +0200
+Subject: CVE-2025-8277: mbedtls: Avoid leaking ecdh keys
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+
+Conflict:NA
+Reference:https://git.libssh.org/projects/libssh.git/patch/?id=ffed80f8c078122990a4eba2b275facd56dd43e0
+---
+ src/ecdh_mbedcrypto.c | 1 +
+ src/wrapper.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
+index dda7392..bd054d6 100644
+--- a/src/ecdh_mbedcrypto.c
++++ b/src/ecdh_mbedcrypto.c
+@@ -110,6 +110,7 @@ int ssh_client_ecdh_init(ssh_session session)
+ goto out;
+ }
+
++ SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey);
+ session->next_crypto->ecdh_client_pubkey = client_pubkey;
+ client_pubkey = NULL;
+
+diff --git a/src/wrapper.c b/src/wrapper.c
+index 43bf213..5f1c0e2 100644
+--- a/src/wrapper.c
++++ b/src/wrapper.c
+@@ -190,7 +190,10 @@ void crypto_free(struct ssh_crypto_struct *crypto)
+ #endif /* OPENSSL_VERSION_NUMBER */
+ #elif defined HAVE_GCRYPT_ECC
+ gcry_sexp_release(crypto->ecdh_privkey);
+-#endif
++#elif defined HAVE_LIBMBEDCRYPTO
++ mbedtls_ecp_keypair_free(crypto->ecdh_privkey);
++ SAFE_FREE(crypto->ecdh_privkey);
++#endif /* HAVE_LIBGCRYPT */
+ crypto->ecdh_privkey = NULL;
+ }
+ #endif
+--
+2.33.0
+
diff --git a/libssh.spec b/libssh.spec
index 80c4294..35f6eb9 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,6 +1,6 @@
 Name: libssh
 Version: 0.10.5
-Release: 6
+Release: 7
 Summary: A library implementing the SSH protocol
 License: LGPLv2+
 URL: http://www.libssh.org
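Review bot: This patch does not appear to have been regenerated on top of backport-0029: its src/ecdh_mbedcrypto.c section carries `index dda7392..bd054d6`, the same base blob as the `index dda7392..6074b93` section in backport-0029, which adds six lines above this hunk. The `@@ -110,6 +110,7 @@` hunk can therefore only apply at an offset, so the build log should be checked for that, or the patch refreshed against the already patched tree. In src/wrapper.c the closing line `#endif /* HAVE_LIBGCRYPT */` now ends a chain whose visible branches are `HAVE_GCRYPT_ECC` and `HAVE_LIBMBEDCRYPTO`; the opening `#if` is outside the hunk, so the label may not match it and is worth checking against the file.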
@@ -37,6 +37,9 @@ Patch25: backport-0024-CVE-2025-5351-avoid-double-free-on-low-memory-cond Patch26: backport-0025-CVE-2025-5987-correctly-detect-failures-of-chacha-init.patch Patch27: backport-0026-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch Patch28: backport-0027-CVE-2025-8114-NULL-pointer-dereference-after-allocate-fail.patch +Patch29: backport-0028-CVE-2025-8277-adjust-packet-filter.patch +Patch30: backport-0029-CVE-2025-8277-fix-memory-leak-and-free-allocated-pubkeys.patch +Patch31: backport-0030-CVE-2025-8277-mbedtls-avoid-leaking-ecdh-keys.patch BuildRequires: cmake gcc-c++ gnupg2 openssl-devel pkgconfig zlib-devel BuildRequires: krb5-devel libcmocka-devel openssh-clients openssh-server @@ -122,6 +125,12 @@ popd %doc CHANGELOG README %changelog +* Thu Sep 18 2025 zhangbinqin - 0.10.5-7 +- Type:CVE +- Id:CVE-2025-8227 +- SUG:NA +- DESC:fix CVE-2025-8227 + * Mon Sep 15 2025 zhangbinqin - 0.10.5-6 - Type:CVE - Id:CVE-2025-8114 -- Gitee
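Review bot: The changelog entry added in the last hunk records `- Id:CVE-2025-8227` and `- DESC:fix CVE-2025-8227`, and the commit subject uses the same number, but Patch29 to Patch31 and the upstream subjects inside those patches all say CVE-2025-8277. The identifier in the changelog is what advisory and scanning tooling usually matches on, so a transposed digit can leave the package reported as unfixed for the CVE that was actually patched. If 8277 is the intended one, the two lines should read `- Id:CVE-2025-8277` and `- DESC:fix CVE-2025-8277`.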