Overview

File libssh-CVE-2025-8277-Fix-memory-leak-of-unused-ephemeral-ke.patch of Package libssh.40696

From ccff22d3787c1355b3f0dcd09fe54d90acc55bf1 Mon Sep 17 00:00:00 2001
From: Francesco Rollo <eferollo@gmail.com>
Date: Thu, 24 Jul 2025 16:30:07 +0300
Subject: [PATCH 10/20] CVE-2025-8277: Fix memory leak of unused ephemeral key
 pair after client's wrong KEX guess

Signed-off-by: Francesco Rollo <eferollo@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

Index: libssh-0.10.6/src/dh_crypto.c
===================================================================
--- libssh-0.10.6.orig/src/dh_crypto.c
+++ libssh-0.10.6/src/dh_crypto.c
@@ -407,6 +407,11 @@ int ssh_dh_init_common(struct ssh_crypto
     struct dh_ctx *ctx = NULL;
     int rc;
 
+    /* Cleanup any previously allocated dh_ctx */
+    if (crypto->dh_ctx != NULL) {
+        ssh_dh_cleanup(crypto);
+    }
+
     ctx = calloc(1, sizeof(*ctx));
     if (ctx == NULL) {
         return SSH_ERROR;
Index: libssh-0.10.6/src/dh_key.c
===================================================================
--- libssh-0.10.6.orig/src/dh_key.c
+++ libssh-0.10.6/src/dh_key.c
@@ -237,6 +237,11 @@ int ssh_dh_init_common(struct ssh_crypto
     struct dh_ctx *ctx = NULL;
     int rc;
 
+    /* Cleanup any previously allocated dh_ctx */
+    if (crypto->dh_ctx != NULL) {
+        ssh_dh_cleanup(crypto);
+    }
+
     ctx = calloc(1, sizeof(*ctx));
     if (ctx == NULL) {
         return SSH_ERROR;
Index: libssh-0.10.6/src/ecdh_gcrypt.c
===================================================================
--- libssh-0.10.6.orig/src/ecdh_gcrypt.c
+++ libssh-0.10.6/src/ecdh_gcrypt.c
@@ -101,6 +101,12 @@ int ssh_client_ecdh_init(ssh_session ses
         goto out;
     }
 
+    /* Free any previously allocated privkey */
+    if (session->next_crypto->ecdh_privkey != NULL) {
+        gcry_sexp_release(session->next_crypto->ecdh_privkey);
+        session->next_crypto->ecdh_privkey = NULL;
+    }
+
     session->next_crypto->ecdh_privkey = key;
     key = NULL;
     session->next_crypto->ecdh_client_pubkey = client_pubkey;
Index: libssh-0.10.6/src/ecdh_mbedcrypto.c
===================================================================
--- libssh-0.10.6.orig/src/ecdh_mbedcrypto.c
+++ libssh-0.10.6/src/ecdh_mbedcrypto.c
@@ -70,6 +70,12 @@ int ssh_client_ecdh_init(ssh_session ses
         return SSH_ERROR;
     }
 
+    /* Free any previously allocated privkey */
+    if (session->next_crypto->ecdh_privkey != NULL) {
+        mbedtls_ecp_keypair_free(session->next_crypto->ecdh_privkey);
+        SAFE_FREE(session->next_crypto->ecdh_privkey);
+    }
+
     session->next_crypto->ecdh_privkey = malloc(sizeof(mbedtls_ecp_keypair));
     if (session->next_crypto->ecdh_privkey == NULL) {
         return SSH_ERROR;
openSUSE Build Service is sponsored by
Places