[packages/libssh2] Rel 2
arekm
arekm at pld-linux.org
Thu Jun 25 08:28:42 CEST 2026
commit 61e35ed88f87c6050f005a2441fea842e8ebf8c7
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Thu Jun 25 08:19:57 2026 +0200
Rel 2
- CVE-2025-15661: sftp_symlink() OOB heap read on malformed SSH_FXP_NAME
(upstream 2dae3024); needs LIBSSH2_UNCONST backport (upstream 606c102e)
- CVE-2026-55199: EXT_INFO handler pre-auth CPU-exhaustion DoS
(upstream 17626857)
- CVE-2026-55200: transport.c packet_length OOB write / RCE
(upstream 97acf3df)
- CVE-2026-7598: userauth.c username_len/password_len integer overflow
(upstream 256d04b)
CVE-2025-15661.patch | 111 +++++++++++++++++++++++++++++++++++++++++
CVE-2026-55199.patch | 21 ++++++++
CVE-2026-55200.patch | 22 ++++++++
CVE-2026-7598.patch | 51 +++++++++++++++++++
libssh2-unconst-backport.patch | 24 +++++++++
libssh2.spec | 12 ++++-
6 files changed, 240 insertions(+), 1 deletion(-)
---
diff --git a/libssh2.spec b/libssh2.spec
index f4a9841..07fb27f 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -2,11 +2,16 @@ Summary: Library implementing the SSH2 protocol
Summary(pl.UTF-8): Biblioteka implementująca protokół SSH2
Name: libssh2
Version: 1.11.1
-Release: 1
+Release: 2
License: BSD
Group: Libraries
Source0: https://libssh2.org/download/%{name}-%{version}.tar.gz
# Source0-md5: 38857d10b5c5deb198d6989dacace2e6
+Patch0: %{name}-unconst-backport.patch
+Patch1: CVE-2025-15661.patch
+Patch2: CVE-2026-55199.patch
+Patch3: CVE-2026-55200.patch
+Patch4: CVE-2026-7598.patch
URL: https://libssh2.org/
BuildRequires: autoconf >= 2.59
BuildRequires: automake
@@ -116,6 +121,11 @@ Biblioteka statyczna libssh2.
%prep
%setup -q
+%patch -P0 -p1
+%patch -P1 -p1
+%patch -P2 -p1
+%patch -P3 -p1
+%patch -P4 -p1
%build
%{__libtoolize}
diff --git a/CVE-2025-15661.patch b/CVE-2025-15661.patch
new file mode 100644
index 0000000..8e3ab28
--- /dev/null
+++ b/CVE-2025-15661.patch
@@ -0,0 +1,111 @@
+From 2dae3024897e1898d389835151f4e9606227721d Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will at panic.com>
+Date: Fri, 10 Oct 2025 08:26:20 -0700
+Subject: [PATCH] Update sftp_symlink to avoid out of bounds read on malformed
+ packet #1705 (#1717)
+
+--- libssh2-1.11.1.orig/src/sftp.c
++++ libssh2-1.11.1/src/sftp.c
+@@ -3795,15 +3795,19 @@ static int sftp_symlink(LIBSSH2_SFTP *sf
+ {
+ LIBSSH2_CHANNEL *channel = sftp->channel;
+ LIBSSH2_SESSION *session = channel->session;
+- size_t data_len = 0, link_len;
++ size_t data_len = 0, lk_len;
+ /* 13 = packet_len(4) + packet_type(1) + request_id(4) + path_len(4) */
+ ssize_t packet_len =
+ path_len + 13 +
+ ((link_type == LIBSSH2_SFTP_SYMLINK) ? (4 + target_len) : 0);
+ unsigned char *s, *data = NULL;
++ struct string_buf buf;
+ static const unsigned char link_responses[2] =
+ { SSH_FXP_NAME, SSH_FXP_STATUS };
+ int retcode;
++ unsigned char packet_type;
++ uint32_t tmp_u32;
++ unsigned char *lk_target;
+
+ if(sftp->symlink_state == libssh2_NB_state_idle) {
+ sftp->last_errno = LIBSSH2_FX_OK;
+@@ -3891,8 +3895,25 @@ static int sftp_symlink(LIBSSH2_SFTP *sf
+
+ sftp->symlink_state = libssh2_NB_state_idle;
+
+- if(data[0] == SSH_FXP_STATUS) {
+- retcode = _libssh2_ntohu32(data + 5);
++ buf.data = (unsigned char *)LIBSSH2_UNCONST(data);
++ buf.dataptr = buf.data;
++ buf.len = data_len;
++
++ if(_libssh2_get_byte(&buf, &packet_type)) {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (type)");
++ }
++
++ if(packet_type == SSH_FXP_STATUS) {
++ if(_libssh2_get_u32(&buf, &tmp_u32)) {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (code)");
++ }
++
++ retcode = (int)tmp_u32;
++
+ LIBSSH2_FREE(session, data);
+ if(retcode == LIBSSH2_FX_OK)
+ return LIBSSH2_ERROR_NONE;
+@@ -3903,30 +3924,37 @@ static int sftp_symlink(LIBSSH2_SFTP *sf
+ }
+ }
+
+- if(_libssh2_ntohu32(data + 5) < 1) {
++ /* advance past id */
++ if(_libssh2_get_u32(&buf, &tmp_u32)) {
+ LIBSSH2_FREE(session, data);
+ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+- "Invalid READLINK/REALPATH response, "
+- "no name entries");
++ "SFTP Protocol Error (id)");
+ }
+
+- if(data_len < 13) {
+- if(data_len > 0) {
+- LIBSSH2_FREE(session, data);
+- }
++ /* look for at least one link */
++ if(_libssh2_get_u32(&buf, &tmp_u32) || tmp_u32 < 1) {
++ LIBSSH2_FREE(session, data);
+ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+- "SFTP stat packet too short");
++ "Invalid READLINK/REALPATH response, "
++ "no name entries");
+ }
+
+- /* this reads a u32 and stores it into a signed 32bit value */
+- link_len = _libssh2_ntohu32(data + 9);
+- if(link_len < target_len) {
+- memcpy(target, data + 13, link_len);
+- target[link_len] = 0;
+- retcode = (int)link_len;
++ if(_libssh2_get_string(&buf, &lk_target, &lk_len) == LIBSSH2_ERROR_NONE) {
++ if(lk_len < target_len) {
++ memcpy(target, lk_target, lk_len);
++ target[lk_len] = '\0';
++ retcode = (int)lk_len;
++ }
++ else {
++ retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL;
++ }
+ }
+- else
+- retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL;
++ else {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (filename)");
++ }
++
+ LIBSSH2_FREE(session, data);
+
+ return retcode;
diff --git a/CVE-2026-55199.patch b/CVE-2026-55199.patch
new file mode 100644
index 0000000..5ef23ee
--- /dev/null
+++ b/CVE-2026-55199.patch
@@ -0,0 +1,21 @@
+From 17626857d20b3c9a1addfa45979dadcee1cd84a4 Mon Sep 17 00:00:00 2001
+From: TristanInSec <tristan.mtn at gmail.com>
+Date: Wed, 15 Apr 2026 14:51:08 -0400
+Subject: [PATCH] packet: check `_libssh2_get_string()` return in `EXT_INFO`
+ handler
+
+--- libssh2-1.11.1.orig/src/packet.c
++++ libssh2-1.11.1/src/packet.c
+@@ -868,8 +868,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * se
+
+ nr_extensions -= 1;
+
+- _libssh2_get_string(&buf, &name, &name_len);
+- _libssh2_get_string(&buf, &value, &value_len);
++ if(_libssh2_get_string(&buf, &name, &name_len))
++ break;
++ if(_libssh2_get_string(&buf, &value, &value_len))
++ break;
+
+ if(name && value) {
+ _libssh2_debug((session,
diff --git a/CVE-2026-55200.patch b/CVE-2026-55200.patch
new file mode 100644
index 0000000..0adb94c
--- /dev/null
+++ b/CVE-2026-55200.patch
@@ -0,0 +1,22 @@
+From 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will at panic.com>
+Date: Fri, 12 Jun 2026 15:57:44 -0700
+Subject: [PATCH] transport.c: Additional boundary checks for packet length
+ (#2052)
+
+--- libssh2-1.11.1.orig/src/transport.c
++++ libssh2-1.11.1/src/transport.c
+@@ -639,8 +639,12 @@ int _libssh2_transport_read(LIBSSH2_SESS
+ total_num = 4;
+
+ p->packet_length = _libssh2_ntohu32(block);
+- if(p->packet_length < 1)
++ if(p->packet_length < 1) {
+ return LIBSSH2_ERROR_DECRYPT;
++ }
++ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
++ return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
++ }
+
+ /* total_num may include size field, however due to existing
+ * logic it needs to be removed after the entire packet is read
diff --git a/CVE-2026-7598.patch b/CVE-2026-7598.patch
new file mode 100644
index 0000000..f342861
--- /dev/null
+++ b/CVE-2026-7598.patch
@@ -0,0 +1,51 @@
+From 256d04b60d80bf1190e96b0ad1e91b2174d744b1 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will at panic.com>
+Date: Mon, 13 Apr 2026 11:18:25 -0700
+Subject: [PATCH] userauth.c: username_len bounds checking (#1858)
+Forwarded: https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1
+
+Return errors when username_len will exceed bounds, fix existing bounds
+check.
+
+Credit:
+[dapickle](https://github.com/dapickle)
+---
+ src/userauth.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -80,6 +80,12 @@
+ memset(&session->userauth_list_packet_requirev_state, 0,
+ sizeof(session->userauth_list_packet_requirev_state));
+
++ if(username_len > UINT32_MAX - 27) {
++ _libssh2_error(session, LIBSSH2_ERROR_PROTO,
++ "username_len out of bounds");
++ return NULL;
++ }
++
+ session->userauth_list_data_len = username_len + 27;
+
+ s = session->userauth_list_data =
+@@ -307,6 +313,11 @@
+ * 40 = packet_type(1) + username_len(4) + service_len(4) +
+ * service(14)"ssh-connection" + method_len(4) + method(8)"password" +
+ * chgpwdbool(1) + password_len(4) */
++ if(username_len > UINT32_MAX - 40) {
++ return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
++ "username_len out of bounds");
++ }
++
+ session->userauth_pswd_data_len = username_len + 40;
+
+ session->userauth_pswd_data0 =
+@@ -447,7 +458,7 @@
+ }
+
+ /* basic data_len + newpw_len(4) */
+- if(username_len + password_len + 44 <= UINT_MAX) {
++ if(username_len <= UINT32_MAX - password_len - 44) {
+ session->userauth_pswd_data_len =
+ username_len + password_len + 44;
+ s = session->userauth_pswd_data =
diff --git a/libssh2-unconst-backport.patch b/libssh2-unconst-backport.patch
new file mode 100644
index 0000000..4d75169
--- /dev/null
+++ b/libssh2-unconst-backport.patch
@@ -0,0 +1,24 @@
+Needed by the fix for CVE-2025-15661
+
+Cherrypicked from
+commit 606c102e52f8447de2b745dd6c5ddf418defc519
+Author: Viktor Szakats <commit at vsz.me>
+Date: Thu Jan 30 21:18:23 2025 +0100
+
+--- libssh2-1.11.1.orig/src/libssh2_priv.h
++++ libssh2-1.11.1/src/libssh2_priv.h
+@@ -117,6 +117,14 @@
+ #define UINT32_MAX 0xffffffffU
+ #endif
+
++#ifdef _WIN64
++#define LIBSSH2_UNCONST(p) ((void *)(libssh2_uint64_t)(const void *)(p))
++#elif defined(_MSC_VER)
++#define LIBSSH2_UNCONST(p) ((void *)(unsigned int)(const void *)(p))
++#else
++#define LIBSSH2_UNCONST(p) ((void *)(uintptr_t)(const void *)(p))
++#endif
++
+ #if (defined(__GNUC__) || defined(__clang__)) && \
+ defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) && \
+ !defined(LIBSSH2_NO_FMT_CHECKS)
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/libssh2.git/commitdiff/61e35ed88f87c6050f005a2441fea842e8ebf8c7
More information about the pld-cvs-commit
mailing list