From 56f646698b3daa2f8eb7a5d217eabbd2ddf1b666 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= Date: Thu, 11 Dec 2025 10:01:47 +0100 Subject: [PATCH] Fix ChaCha20 error handling from CVE-2025-5987 Resolves: RHEL-130051 --- CVE-2025-5987.patch | 31 +++++++++++++++++++++++++++++++ libssh.spec | 7 ++++++- 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 CVE-2025-5987.patch diff --git a/CVE-2025-5987.patch b/CVE-2025-5987.patch new file mode 100644 index 0000000..d09a6cb --- /dev/null +++ b/CVE-2025-5987.patch @@ -0,0 +1,31 @@ +From ec82ef931c5b60618c728c2252086f94f90c05a8 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 6 May 2025 22:51:41 +0200 +Subject: [PATCH] CVE-2025-5987 libcrypto: Correctly detect failures of chacha + initialization + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +--- + src/libcrypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 468b63f0..2d0148ad 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -831,9 +831,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher, + SSH_LOG(SSH_LOG_TRACE, "EVP_CIPHER_CTX_new failed"); + goto out; + } +- ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, ++ rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, + u8key + CHACHA20_KEYLEN, NULL); +- if (ret != 1) { ++ if (rv != 1) { + SSH_LOG(SSH_LOG_TRACE, "EVP_CipherInit failed"); + goto out; + } +-- +2.51.0 + diff --git a/libssh.spec b/libssh.spec index 5f08f59..062931d 100644 --- a/libssh.spec +++ b/libssh.spec @@ -1,6 +1,6 @@ Name: libssh Version: 0.10.4 -Release: 15%{?dist} +Release: 16%{?dist} Summary: A library implementing the SSH protocol License: LGPLv2+ URL: http://www.libssh.org 
@@ -56,6 +56,7 @@ Patch14: CVE-2023-48795.patch Patch15: CVE-2023-6918.patch Patch16: escape-brackets-in-proxycommand.patch Patch17: CVE-2025-5318.patch +Patch18: CVE-2025-5987.patch %description The ssh library was designed to be used by programmers needing a working SSH @@ -148,6 +149,10 @@ popd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config %changelog +* Thu Dec 11 2025 Pavol Žáčik - 0.10.4-16 +- Fix CVE-2025-5987 + Resolves: RHEL-130051 + * Wed Oct 01 2025 Pavol Žáčik - 0.10.4-15 - Bump spec to make the 9.7 NVR higher than the 9.6 one
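Review bot: In the src/libcrypto.c hunk carried inside CVE-2025-5987.patch (chacha20_poly1305_set_key, @@ -831,9 +831,9), the result of EVP_EncryptInit_ex now goes into rv, but neither the declaration of rv nor the value that ret holds at the out: label is visible in these lines. Please confirm that ret is still an error code when "goto out" is taken on rv != 1, and state in the commit message why storing the OpenSSL return value in ret kept the failure from being detected. The trace message on that path reads "EVP_CipherInit failed" while the call is EVP_EncryptInit_ex; matching the text to the call would make the log line easier to trace back to the code.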
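Review bot: In libssh.spec, the hunk at @@ -56,6 +56,7 adds only the "Patch18: CVE-2025-5987.patch" declaration and no line that applies it, so please confirm that the %prep section (not shown in this diff) applies every declared patch automatically; otherwise the fix ships in the source package without being applied to the build. The %changelog entry "- Fix CVE-2025-5987" in the hunk at @@ -148,6 +149,10 would also be more useful to someone auditing the package if it named what is fixed, for example the ChaCha20 error handling mentioned in the commit subject.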