File: CVE-2025-8277-3.patch

libssh 0.10.6-0%2Bdeb12u2
  • area: main
  • in suites: bookworm-proposed-updates
  • size: 6,556 kB
  • sloc: ansic: 88,809; cpp: 407; sh: 119; makefile: 41; javascript: 20; python: 9
From 8e4d67aa9eda455bfad9ac610e54b7a548d0aa08 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 6 Aug 2025 11:10:38 +0200
Subject: CVE-2025-8277: ecdh: Free previously allocated pubkeys

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit c9d95ab0c7a52b231bcec09afbea71944ed0d852)
---
 src/ecdh_crypto.c | 1 +
 src/ecdh_gcrypt.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
index a286804f4..fb707c321 100644
--- a/src/ecdh_crypto.c
+++ b/src/ecdh_crypto.c
@@ -230,6 +230,7 @@ int ssh_client_ecdh_init(ssh_session session)
 
 
   session->next_crypto->ecdh_privkey = key;
+  ssh_string_free(session->next_crypto->ecdh_client_pubkey);
   session->next_crypto->ecdh_client_pubkey = client_pubkey;
 
   /* register the packet callbacks */
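Review bot: The added free before `session->next_crypto->ecdh_client_pubkey = client_pubkey;` uses plain `ssh_string_free()`, while the same fix in src/ecdh_gcrypt.c uses `SSH_STRING_FREE()`, which in libssh also resets the pointer to NULL. Writing `SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey);` here as well would keep the two backends identical and avoid a stale pointer if the assignment is ever moved or made conditional. The line above overwrites `ecdh_privkey` with `key`, and unlike the gcrypt hunk no release of a previous private key is visible here, so that is worth confirming in the part of ssh_client_ecdh_init that lies outside the hunk. In both files a one-line comment such as `/* release a previously allocated pubkey before replacing it */` would record why the free is there.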
diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
index 8eabfe181..5dcd3929a 100644
--- a/src/ecdh_gcrypt.c
+++ b/src/ecdh_gcrypt.c
@@ -106,9 +106,10 @@ int ssh_client_ecdh_init(ssh_session session)
         gcry_sexp_release(session->next_crypto->ecdh_privkey);
         session->next_crypto->ecdh_privkey = NULL;
     }
-
     session->next_crypto->ecdh_privkey = key;
     key = NULL;
+
+    SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey);
     session->next_crypto->ecdh_client_pubkey = client_pubkey;
     client_pubkey = NULL;
 
-- 
cgit v1.2.3