From 6574518b0a3ca04e888c75de16394dbc19ffad91 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 18 Dec 2025 03:55:58 +0000
Subject: [PATCH] import UBI libssh-0.10.4-17.el9_7
---
 SOURCES/CVE-2025-5987.patch | 31 ++++++++++++
 ...orkaround-sshd-failure-rate-limiting.patch | 47 +++++++++++++++++++
 SPECS/libssh.spec | 13 ++++-
 3 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/CVE-2025-5987.patch
 create mode 100644 SOURCES/workaround-sshd-failure-rate-limiting.patch
diff --git a/SOURCES/CVE-2025-5987.patch b/SOURCES/CVE-2025-5987.patch
new file mode 100644
index 0000000..d09a6cb
--- /dev/null
+++ b/SOURCES/CVE-2025-5987.patch
@@ -0,0 +1,31 @@
+From ec82ef931c5b60618c728c2252086f94f90c05a8 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Tue, 6 May 2025 22:51:41 +0200
+Subject: [PATCH] CVE-2025-5987 libcrypto: Correctly detect failures of chacha
+ initialization
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+---
+ src/libcrypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 468b63f0..2d0148ad 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -831,9 +831,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher,
+ SSH_LOG(SSH_LOG_TRACE, "EVP_CIPHER_CTX_new failed");
+ goto out;
+ }
+- ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
++ rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
+ u8key + CHACHA20_KEYLEN, NULL);
+- if (ret != 1) {
++ if (rv != 1) {
+ SSH_LOG(SSH_LOG_TRACE, "EVP_CipherInit failed");
+ goto out;
+ }
+--
+2.51.0
+
diff --git a/SOURCES/workaround-sshd-failure-rate-limiting.patch b/SOURCES/workaround-sshd-failure-rate-limiting.patch
new file mode 100644
index 0000000..07c2f9f
--- /dev/null
+++ b/SOURCES/workaround-sshd-failure-rate-limiting.patch
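Review bot: The inner hunk moves the `EVP_EncryptInit_ex` result for `header_evp` from `ret` into `rv` but shows no declaration of `rv`, so the backport relies on `rv` already existing in `chacha20_poly1305_set_key` in the 0.10.4 tree (presumably from the preceding `main_evp` initialization); worth confirming the package actually builds rather than assuming the upstream context matches. The reason for the rename is not stated anywhere in the code: `ret` appears to be the value the function hands back to its caller, and storing OpenSSL's 1-on-success in it leaves the success path returning something that is neither SSH_OK nor SSH_ERROR, which is what the CVE title is describing. A short comment on the `rv =` line would preserve that reasoning for the next backport, e.g. `/* keep OpenSSL's 1-on-success out of ret, which carries SSH_OK/SSH_ERROR to the caller */`. The function begins and ends outside the hunk, so neither the declaration of `rv` nor the `out:` cleanup path is visible here.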
@@ -0,0 +1,47 @@
+From f2deda1b970ff3ab469e0838114c93a3d08051d8 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Fri, 9 Aug 2024 11:30:15 +0200
+Subject: [PATCH] test: Workaround the new OpenSSH failure rate limiting
+
+The new OpenSSH rate limits the failed authentication attempts per source
+address and drops connection when the amount is reached, which is happening
+in our testsuite.
+
+By whitelisting the IP address of the client on the socket wrapper,
+this allows the tests to pass.
+
+https://man.openbsd.org/sshd_config.5#PerSourcePenaltyExemptList
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+---
+ tests/torture.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tests/torture.c b/tests/torture.c
+index f5a6bcc7..0590ee3d 100644
+--- a/tests/torture.c
++++ b/tests/torture.c
+@@ -771,6 +771,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
+ "HostKeyAlgorithms " OPENSSH_KEYS "\n"
+ #if OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2
+ "CASignatureAlgorithms " OPENSSH_KEYS "\n"
++#endif
++#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
++ "PerSourcePenaltyExemptList 127.0.0.21\n"
+ #endif
+ "Ciphers " OPENSSH_CIPHERS "\n"
+ "KexAlgorithms " OPENSSH_KEX "\n"
+@@ -801,6 +804,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
+ "%s\n" /* Here comes UsePam */
+ "%s" /* The space for test-specific options */
+ "\n"
++#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
++ "PerSourcePenaltyExemptList 127.0.0.21\n"
++#endif
+ "Ciphers "
+ "aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,"
+ "aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"
+--
+2.51.0
+
diff --git a/SPECS/libssh.spec b/SPECS/libssh.spec
index 5f08f59..9bacb40 100644
--- a/SPECS/libssh.spec
+++ b/SPECS/libssh.spec
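Review bot: The `"PerSourcePenaltyExemptList 127.0.0.21\n"` literal and its OpenSSH version guard are written out twice inside `torture_setup_create_sshd_config` (the inner hunks at -771 and -801), so a future change to the exempt address or to the version threshold has to be made in two places and can drift. A single file-scope macro guarded once, e.g. `#define TORTURE_SSHD_PENALTY_EXEMPT "PerSourcePenaltyExemptList 127.0.0.21\n"` (a constructed name), would keep the two generated sshd_config templates in step. A one-line comment next to it saying that the exemption covers only the socket-wrapper client address in the test sshd would also make clear to a reader that nothing in the shipped library or its default configs is affected. The function starts and ends outside both hunks, and the sshd versions that honour the directive are taken from the commit message rather than from visible code.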
@@ -1,6 +1,6 @@
 Name: libssh
 Version: 0.10.4
-Release: 15%{?dist}
+Release: 17%{?dist}
 Summary: A library implementing the SSH protocol
 License: LGPLv2+
 URL: http://www.libssh.org
@@ -56,6 +56,8 @@ Patch14: CVE-2023-48795.patch
 Patch15: CVE-2023-6918.patch
 Patch16: escape-brackets-in-proxycommand.patch
 Patch17: CVE-2025-5318.patch
+Patch18: CVE-2025-5987.patch
+Patch19: workaround-sshd-failure-rate-limiting.patch
 
 %description
 The ssh library was designed to be used by programmers needing a working SSH
@@ -148,6 +150,15 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
+* Fri Dec 12 2025 Pavol Žáčik - 0.10.4-17
+- Bump spec to resolve build tagging issues
+
+* Thu Dec 11 2025 Pavol Žáčik - 0.10.4-16
+- Fix CVE-2025-5987
+  Resolves: RHEL-130051
+- Workaround sshd failure rate limiting in tests
+  Resolves: RHEL-135506
+
 * Wed Oct 01 2025 Pavol Žáčik - 0.10.4-15
 - Bump spec to make the 9.7 NVR higher than the 9.6 one
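Review bot: The `Patch18:`/`Patch19:` hunk declares the two new patches but the diff touches no `%prep` hunk, so it relies on the spec applying patches automatically (`%autosetup` or `%autopatch`); if `%prep` instead lists explicit `%patchN` lines, the new patches would be declared yet never applied and the CVE-2025-5987 fix would silently not ship in 0.10.4-17. Worth confirming against the `%prep` section, which lies outside this diff. The `%description` context line implies a blank line between it and `Patch19:` that the collapsed layout does not show, so the hunk should be checked against the original file rather than this rendering. The Release bump and changelog hunks need nothing further.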