package/libssh: security bump to v0.11.2
For more information on the release see:
- https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.11.2
This fixes the following vulnerabilities:
- CVE-2025-4878
A vulnerability was found in libssh, where an uninitialized variable
exists under certain conditions in the privatekey_from_file()
function. This flaw can be triggered if the file specified by the
filename doesn't exist and may lead to possible signing failures or
heap corruption.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-4878
- https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1
- https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb
- CVE-2025-5318
A flaw was found in the libssh library. An out-of-bounds read can be
triggered in the sftp_handle function due to an incorrect comparison
check that permits the function to access memory beyond the valid
handle list and to return an invalid pointer, which is used in further
processing. This vulnerability allows an authenticated remote attacker
to potentially read unintended memory regions, exposing sensitive
information or affecting service behavior.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-5318
- https://www.libssh.org/security/advisories/CVE-2025-5318.txt
- CVE-2025-5351
A flaw was found in the key export functionality of libssh. The issue
occurs in the internal function responsible for converting
cryptographic keys into serialized formats. During error handling, a
memory structure is freed but not cleared, leading to a potential
double free issue if an additional failure occurs later in the
function. This condition may result in heap corruption or application
instability in low-memory scenarios, posing a risk to system
reliability where key export operations are performed.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-5351
- CVE-2025-5372
A flaw was found in libssh versions built with OpenSSL versions older
than 3.0, specifically in the ssh_kdf() function responsible for key
derivation. Due to inconsistent interpretation of return values, where
OpenSSL uses 0 to indicate failure and libssh uses 0 for success, the
function may mistakenly return a success status even when key
derivation fails. This results in uninitialized cryptographic key
buffers being used in subsequent communication, potentially
compromising SSH sessions' confidentiality, integrity, and
availability.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-5372
- CVE-2025-5449
A flaw was found in the SFTP server message decoding logic of libssh.
The issue occurs due to an incorrect packet length check that allows
an integer overflow when handling large payload sizes on 32-bit
systems. This issue leads to failed memory allocation and causes the
server process to crash, resulting in a denial of service.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-5449
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=261612179f740bc62ba363d98b3bd5e5573a811f
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=3443aec90188d6aab9282afc80a81df5ab72c4da
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=5504ff40515439a5fecbb17da7483000c4d12eb7
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=78485f446af9b30e37eb8f177b81940710d54496
- https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=f79ec51b7fd519dbc5737a7ba826e3ed093f6ceb
- https://www.libssh.org/security/advisories/CVE-2025-5449.txt
- CVE-2025-5987
A flaw was found in libssh when using the ChaCha20 cipher with the
OpenSSL library. If an attacker manages to exhaust the heap space,
this error is not detected and may lead to libssh using a partially
initialized cipher context. This occurs because the OpenSSL error code
returned aliases with the SSH_OK code, resulting in libssh not
properly detecting the error returned by the OpenSSL library. This
issue can lead to undefined behavior, including compromised data
confidentiality and integrity or crashes.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-5987
The patch 0001 is removed as it is now included upstream, see [1].
[1] 093431f929
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8083972a90)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
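The return-value aliasing described for CVE-2025-5372 and CVE-2025-5987 (a library's failure code coinciding with libssh's SSH_OK) is easy to reproduce in miniature. The following C program is an added illustration written for this page; it is not libssh's ssh_kdf() nor any OpenSSL API. The stand-in routine fake_openssl_kdf(), the two wrapper functions and session_would_use_key() are hypothetical names constructed here; only SSH_OK (0) and SSH_ERROR (-1) are libssh's real return codes. The buggy wrapper forwards the callee's 1/0 status unchanged, so a failed derivation is reported as SSH_OK and the caller proceeds with an unfilled key buffer; the fixed wrapper maps the convention explicitly.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* libssh's public return codes (these two values are real libssh defines). */
#define SSH_OK     0
#define SSH_ERROR -1

/* Constructed sample secret used by main() and by the usage note below. */
static const uint8_t SAMPLE_SECRET[] = { 0x01, 0x02, 0x03, 0x04 };
#define SAMPLE_SECRET_LEN (sizeof(SAMPLE_SECRET))

/* Hypothetical stand-in for an OpenSSL-style key derivation routine:
 * returns 1 on success and 0 on failure (the OpenSSL convention).
 * Not a real KDF and not libssh's ssh_kdf(). */
static int fake_openssl_kdf(const uint8_t *secret, size_t secret_len,
                            uint8_t *out, size_t out_len)
{
    if (secret == NULL || secret_len == 0 || out == NULL || out_len == 0) {
        return 0;  /* failure: the output buffer is left untouched */
    }
    /* Toy derivation so that success visibly fills the buffer. */
    for (size_t i = 0; i < out_len; i++) {
        out[i] = secret[i % secret_len] ^ (uint8_t)i;
    }
    return 1;
}

/* Buggy wrapper (hypothetical): passes the 1/0 status straight through,
 * so failure (0) reaches the caller as SSH_OK (also 0), and success (1)
 * reaches it as a non-SSH_OK value. */
static int kdf_wrapper_buggy(const uint8_t *secret, size_t secret_len,
                             uint8_t *out, size_t out_len)
{
    return fake_openssl_kdf(secret, secret_len, out, out_len);
}

/* Fixed wrapper (hypothetical): translate the callee's convention into
 * libssh's explicitly instead of forwarding the raw status. */
static int kdf_wrapper_fixed(const uint8_t *secret, size_t secret_len,
                             uint8_t *out, size_t out_len)
{
    if (fake_openssl_kdf(secret, secret_len, out, out_len) != 1) {
        return SSH_ERROR;
    }
    return SSH_OK;
}

/* Models a caller that continues session setup only on SSH_OK.
 * Returns 1 if the caller would go on to use the key buffer, 0 otherwise. */
static int session_would_use_key(int (*kdf)(const uint8_t *, size_t,
                                            uint8_t *, size_t),
                                 const uint8_t *secret, size_t secret_len)
{
    uint8_t key[16];
    /* In the real bug this buffer stays uninitialized on failure;
     * it is zeroed here only to keep the demo deterministic. */
    memset(key, 0, sizeof(key));
    int rc = kdf(secret, secret_len, key, sizeof(key));
    return rc == SSH_OK;
}

int main(void)
{
    /* Failure case: NULL secret, the derivation cannot succeed. */
    printf("buggy wrapper, failed KDF, key used: %d\n",
           session_would_use_key(kdf_wrapper_buggy, NULL, 0));
    printf("fixed wrapper, failed KDF, key used: %d\n",
           session_would_use_key(kdf_wrapper_fixed, NULL, 0));
    /* Success case with the constructed sample secret. */
    printf("buggy wrapper, good KDF, key used:   %d\n",
           session_would_use_key(kdf_wrapper_buggy, SAMPLE_SECRET, SAMPLE_SECRET_LEN));
    printf("fixed wrapper, good KDF, key used:   %d\n",
           session_would_use_key(kdf_wrapper_fixed, SAMPLE_SECRET, SAMPLE_SECRET_LEN));
    return 0;
}
```

The check a reviewer wants at every boundary between libraries with different status conventions is the one in kdf_wrapper_fixed(): compare against the callee's documented success value and emit the caller's own code, never forward the raw integer. Note that the buggy wrapper fails both ways: a failed derivation is accepted, and a successful one is rejected, which is why such bugs tend to surface only in the build configuration where the aliasing occurs.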