
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN406
_____________________________________________________________________

DATE                : 30/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running all libssh versions.

=====================================================================
https://www.libssh.org/security/advisories/CVE-2025-4877.txt
_____________________________________________________________________

===========================================================
== Subject:     Write beyond bounds in binary to base64 conversion
                 functions
==
== CVE ID#:     CVE-2025-4877
==
== Versions:    All libssh versions
==
== Summary:     bin_to_base64() can run into an integer overflow on
==              32-bit platforms.
==
===========================================================

===========
Description
===========

bin_to_base64() (src/base64.c) can experience an integer overflow
and subsequent under-allocation, leading to a write beyond bounds.
The bug can occur only in 32-bit builds.

The only problematic use case is ssh_get_fingerprint_hash() in
case the API is (mis)used and a libssh consumer passes in an
unexpectedly large input buffer.

As a mitigation, the function bin_to_base64() is adjusted to not
allow inputs larger than 256MB, which is aligned with other
functions that process user input.
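
Added example, not libssh's own code: a 32-bit model of the output-size
arithmetic behind this class of bug, beside a guarded version that applies
the input cap the advisory describes. The function names and layout are
assumptions; the 256MB limit is the advisory's.

```c
/* Added example (not libssh code). Models, in 32-bit arithmetic, how a
 * base64 output-size computation can wrap and under-allocate, and shows
 * the kind of input cap the advisory describes as the mitigation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define B64_MAX_INPUT (256u * 1024u * 1024u)  /* 256MB cap, per the advisory */

/* Unchecked size computation as a 32-bit build evaluates it: four output
 * characters per three input bytes, plus a NUL terminator. Every step is
 * done in uint32_t, so it silently wraps for large n. */
uint32_t b64_out_len_unchecked32(uint32_t n)
{
    uint32_t groups = (n + 2) / 3;   /* 3 GB input -> 0x40000000 groups */
    return groups * 4 + 1;           /* 0x40000000 * 4 wraps to 0 -> returns 1 */
}

/* Hardened version: reject oversized input before any arithmetic, and keep
 * an explicit overflow check on the multiply as defence in depth.
 * Returns false when the input is rejected. */
bool b64_out_len_checked32(uint32_t n, uint32_t *out)
{
    if (n > B64_MAX_INPUT)
        return false;                 /* cannot wrap: n <= 256MB */
    uint32_t groups = (n + 2) / 3;
    if (groups > (UINT32_MAX - 1) / 4)
        return false;                 /* unreachable under the cap, kept on purpose */
    *out = groups * 4 + 1;
    return true;
}

int main(void)
{
    uint32_t big = 3221225472u;       /* constructed 3 GB input length */
    uint32_t out = 0;
    printf("unchecked(3GB) = %u bytes\n", b64_out_len_unchecked32(big));
    printf("checked(3GB) accepted = %d\n", b64_out_len_checked32(big, &out));
    return 0;
}
```

The unchecked function reports a 1-byte buffer for a 3 GB input, which is exactly the under-allocation that turns into an out-of-bounds write; the checked one refuses the input outright.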

==================
Patch Availability
==================

Patches addressing the issues have been posted to:
https://www.libssh.org/security/
Additionally, libssh 0.11.2 has been issued as a security release
to correct the defect.  SSH administrators are advised to upgrade
to this release or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C (3.9)

==========
Workaround
==========
Make sure that ssh_get_fingerprint_hash() is not used to encode
arbitrary buffers larger than 1GB on 32-bit architectures.

=======
Credits
=======

Originally reported by Ronald Crane (Hackerone: tdp3kel9g) via
Zippenhop LLC. Patches provided by Jakub Jelen from the libssh
team.

==========================================================
== The libssh team
==========================================================


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
