From c9510a21cc40b0e736b14a6fca60c73d6fb4f9f1 Mon Sep 17 00:00:00 2001
From: Vijay Anusuri <vanusuri@mvista.com>
Date: Mon, 3 Nov 2025 18:15:10 +0530
Subject: [PATCH] wireshark: Fix CVE-2025-9817

Upstream-Status: Backport from https://gitlab.com/wireshark/wireshark/-/commit/39daba5e247ea495f88b0be82f0b7ebbdbf50fba

Link: https://gitlab.com/wireshark/wireshark/-/issues/20642
      https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-9817
      https://ftp.lysator.liu.se/pub/opensuse/update/leap/15.6/sle/src/wireshark-4.2.13-150600.18.26.1.src.rpm

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 .../wireshark/files/CVE-2025-9817.patch       | 32 +++++++++++++++++++
 .../wireshark/wireshark_4.2.14.bb             |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2025-9817.patch

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2025-9817.patch b/meta-networking/recipes-support/wireshark/files/CVE-2025-9817.patch
new file mode 100644
index 0000000000..034c51778e
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2025-9817.patch
@@ -0,0 +1,32 @@
+From 39daba5e247ea495f88b0be82f0b7ebbdbf50fba Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 26 Jul 2025 07:10:28 -0400
+Subject: [PATCH] ssh: Add a null check
+
+Fix #20642
+
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/39daba5e247ea495f88b0be82f0b7ebbdbf50fba]
+CVE: CVE-2025-9817
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ epan/dissectors/packet-ssh.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/epan/dissectors/packet-ssh.c b/epan/dissectors/packet-ssh.c
+index 4f2b0ff..9b3b904 100644
+--- a/epan/dissectors/packet-ssh.c
++++ b/epan/dissectors/packet-ssh.c
+@@ -2359,6 +2359,10 @@ ssh_kex_shared_secret(gint kex_type, ssh_bignum *pub, ssh_bignum *priv, ssh_bign
+     }
+ 
+     if(kex_type==SSH_KEX_DH_GEX){
++	if (modulo == NULL) {
++	    ws_debug("Missing group modulo");
++	    return NULL;
++	}
+         gcry_mpi_t b = NULL;
+         gcry_mpi_scan(&b, GCRYMPI_FMT_USG, pub->data, pub->length, NULL);
+         gcry_mpi_t d = NULL, e = NULL, m = NULL;
+-- 
+2.43.0
+
diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
index 6246a1d9fa..bd014055a9 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
            file://0002-flex-Remove-line-directives.patch \
            file://0004-lemon-Remove-line-directives.patch \
            file://0001-UseLemon.cmake-do-not-use-lemon-data-from-the-host.patch \
+           file://CVE-2025-9817.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions"