libssh: fix CVE-2025-4877

Upstream-Status: Backport from https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-02 02:49:12 +00:00 · 2025-09-01 11:58:42 +05:30 · 2025-09-01 11:58:42 +05:30 · f3a6203fa0
commit f3a6203fa0
parent 1282441198
2 changed files with 58 additions and 0 deletions
--- a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
@ -0,0 +1,57 @@
+From 6fd9cc8ce3958092a1aae11f1f2e911b2747732d Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 15 Apr 2025 11:41:24 +0200
+Subject: CVE-2025-4877 base64: Prevent integer overflow and potential OOB
+
+Set maximum input to 256MB to have safe margin to the 1GB trigger point
+for 32b arch.
+
+The OOB should not be reachable by any internal code paths as most of
+the buffers and strings we use as input for this operation already have
+similar limit and none really allows this much of data.
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 00f09acbec55962839fc7837ef14c56fb8fbaf72)
+
+CVE: CVE-2025-4877
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/base64.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/base64.c b/src/base64.c
+index 372dc65f..7bb8efb1 100644
+--- a/src/base64.c
+++ b/src/base64.c
+@@ -29,6 +29,9 @@
+ #include "libssh/priv.h"
+ #include "libssh/buffer.h"
+ 
+/* Do not allow encoding more than 256MB of data */
+#define BASE64_MAX_INPUT_LEN 256 * 1024 * 1024
+
+ static char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                          "abcdefghijklmnopqrstuvwxyz"
+                          "0123456789+/";
+@@ -269,7 +272,15 @@ static void _bin_to_base64(unsigned char *dest, const unsigned char source[3],
+ unsigned char *bin_to_base64(const unsigned char *source, int len) {
+   unsigned char *base64;
+   unsigned char *ptr;
+-  int flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
+  int flen = 0;
+
+ /* Set the artificial upper limit for the input. Otherwise on 32b arch, the
+  * following line could overflow for sizes larger than SIZE_MAX / 4 */
+  if (len > BASE64_MAX_INPUT_LEN) {
+      return NULL;
+  }
+
+  flen = len + (3 - (len % 3)); /* round to upper 3 multiple */
+   flen = (4 * flen) / 3 + 1;
+ 
+   base64 = malloc(flen);
+-- 
+2.50.1
+
--- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
@ -21,6 +21,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
           file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
           file://run-ptest \
           file://CVE-2025-5318.patch \
+           file://CVE-2025-4877.patch \
          "
 SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"