===========================================================
== Subject:     Invalid return code for chacha20 poly1305 with OpenSSL backend
==
== CVE ID#:     CVE-2025-5987
==
== Versions:    libssh >= 0.10.0 built with OpenSSL
==
== Summary:     In the OpenSSL based implementation of
==              chacha20_poly1305_set_key() an invalid
==              error is returned if the cipher
==              initialization fails.
==
===========================================================

===========
Description
===========

If there is an error in initializing ChaCha20 cipher with OpenSSL, an invalid
error code is returned. This can happen if there is an heap exhaustion.  This
error is not correctly detected and could allow libssh to use partially
initialized cipher context.

This is caused by the mismatch of return value meaning from OpenSSL and libssh,
where OpenSSL error (rv=0) aliases with SSH_OK (0) and is returned directly
from the function chacha20_poly1305_set_key(). This will likely cause error
somewhere down the road.

==================
Patch Availability
==================

Patches addressing the issues have been posted to:
https://www.libssh.org/security/

Additionally, libssh 0.11.2 have been issued as security releases to correct
the defect.  SSH administrators are advised to upgrade to these releases or
apply the patch as soon as possible.

==================
CVSSv3 calculation
==================
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C (4.5)

==========
Workaround
==========
Disable chacha20-poly1305@openssh.com cipher in case libssh is compiled with the OpenSSL backend.

=======
Credits
=======

Originally reported by Ronald Crane (Hackerone: tdp3kel9g) via Zippenhop LLC
Patches provided by Jakub Jelen from the libssh team.

==========================================================
== The libssh team
==========================================================