Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libssh2_org for openSUSE:Factory checked in at 2026-06-23 17:37:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libssh2_org (Old) and /work/SRC/openSUSE:Factory/.libssh2_org.new.1956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libssh2_org" Tue Jun 23 17:37:45 2026 rev:48 rq:1361144 version:1.11.1 Changes: -------- --- /work/SRC/openSUSE:Factory/libssh2_org/libssh2_org.changes 2025-12-27 11:28:51.575587135 +0100 +++ /work/SRC/openSUSE:Factory/.libssh2_org.new.1956/libssh2_org.changes 2026-06-23 17:40:28.581465090 +0200 
@@ -1,0 +2,14 @@ +Mon Jun 22 10:12:39 UTC 2026 - Andreas Stieger <[email protected]> + +- CVE-2026-55199: pre-Authentication DoS via SSH_MSG_EXT_INFO + Handler (boo#1268530) libssh2-1.11.1-CVE-2026-55199.patch +- CVE-2026-55200: out-of-Bounds write via Unchecked packet_length + in transport.c (boo#1268531) libssh2-1.11.1-CVE-2026-55200.patch +- CVE-2026-7598: integer overflow in function userauth_password of + file src/userauth.c (boo#1263890) + libssh2-1.11.1-CVE-2026-7598.patch +- CVE-2025-15661: out-of-bounds heap read vulnerability in the + sftp_symlink() function in src/sftp.c (boo#1268546) + libssh2-1.11.1-CVE-2025-15661.patch + +------------------------------------------------------------------- New: ---- libssh2-1.11.1-CVE-2025-15661.patch libssh2-1.11.1-CVE-2026-55199.patch libssh2-1.11.1-CVE-2026-55200.patch libssh2-1.11.1-CVE-2026-7598.patch ----------(New B)---------- New: sftp_symlink() function in src/sftp.c (boo#1268546) libssh2-1.11.1-CVE-2025-15661.patch New:- CVE-2026-55199: pre-Authentication DoS via SSH_MSG_EXT_INFO Handler (boo#1268530) libssh2-1.11.1-CVE-2026-55199.patch - CVE-2026-55200: out-of-Bounds write via Unchecked packet_length New:- CVE-2026-55200: out-of-Bounds write via Unchecked packet_length in transport.c (boo#1268531) libssh2-1.11.1-CVE-2026-55200.patch - CVE-2026-7598: integer overflow in function userauth_password of New: file src/userauth.c (boo#1263890) libssh2-1.11.1-CVE-2026-7598.patch - CVE-2025-15661: out-of-bounds heap read vulnerability in the ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libssh2_org.spec ++++++ --- /var/tmp/diff_new_pack.a5z5kT/_old 2026-06-23 17:40:30.169520468 +0200 +++ /var/tmp/diff_new_pack.a5z5kT/_new 2026-06-23 17:40:30.169520468 +0200 
@@ -2,7 +2,7 @@ # spec file for package libssh2_org # # Copyright (c) 2024 SUSE LLC -# Copyright (c) 2025 Andreas Stieger <[email protected]> +# Copyright (c) 2026 Andreas Stieger <[email protected]> # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,6 +31,10 @@ Source2: baselibs.conf Source3: libssh2_org.keyring Patch0: libssh2-ocloexec.patch +Patch1: libssh2-1.11.1-CVE-2026-55199.patch +Patch2: libssh2-1.11.1-CVE-2026-55200.patch +Patch3: libssh2-1.11.1-CVE-2026-7598.patch +Patch4: libssh2-1.11.1-CVE-2025-15661.patch BuildRequires: cmake BuildRequires: pkgconfig BuildRequires: pkgconfig(libcrypto) ++++++ libssh2-1.11.1-CVE-2025-15661.patch ++++++ >From 2dae3024897e1898d389835151f4e9606227721d Mon Sep 17 00:00:00 2001 From: Will Cosgrove <[email protected]> Date: Fri, 10 Oct 2025 08:26:20 -0700 Subject: [PATCH] Update sftp_symlink to avoid out of bounds read on malformed packet #1705 (#1717) Use buffer struct to guard against out of bounds reads and invalid packets. Discovery Credit: Joshua Rogers --- src/sftp.c | 66 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 47 insertions(+), 19 deletions(-) Index: libssh2-1.11.1/src/sftp.c =================================================================== --- libssh2-1.11.1.orig/src/sftp.c +++ libssh2-1.11.1/src/sftp.c @@ -3786,6 +3786,8 @@ libssh2_sftp_stat_ex(LIBSSH2_SFTP *sftp, return rc; } +#define LIBSSH2_UNCONST(p) ((void *)(uintptr_t)(const void *)(p)) + /* sftp_symlink * Read or set a symlink */ 
@@ -3795,15 +3797,19 @@ static int sftp_symlink(LIBSSH2_SFTP *sf { LIBSSH2_CHANNEL *channel = sftp->channel; LIBSSH2_SESSION *session = channel->session; - size_t data_len = 0, link_len; + size_t data_len = 0, lk_len; /* 13 = packet_len(4) + packet_type(1) + request_id(4) + path_len(4) */ ssize_t packet_len = path_len + 13 + ((link_type == LIBSSH2_SFTP_SYMLINK) ? (4 + target_len) : 0); unsigned char *s, *data = NULL; + struct string_buf buf; static const unsigned char link_responses[2] = { SSH_FXP_NAME, SSH_FXP_STATUS }; int retcode; + unsigned char packet_type; + uint32_t tmp_u32; + unsigned char *lk_target; if(sftp->symlink_state == libssh2_NB_state_idle) { sftp->last_errno = LIBSSH2_FX_OK; @@ -3891,8 +3897,25 @@ static int sftp_symlink(LIBSSH2_SFTP *sf sftp->symlink_state = libssh2_NB_state_idle; - if(data[0] == SSH_FXP_STATUS) { - retcode = _libssh2_ntohu32(data + 5); + buf.data = (unsigned char *)LIBSSH2_UNCONST(data); + buf.dataptr = buf.data; + buf.len = data_len; + + if(_libssh2_get_byte(&buf, &packet_type)) { + LIBSSH2_FREE(session, data); + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP Protocol Error (type)"); + } + + if(packet_type == SSH_FXP_STATUS) { + if(_libssh2_get_u32(&buf, &tmp_u32)) { + LIBSSH2_FREE(session, data); + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP Protocol Error (code)"); + } + + retcode = (int)tmp_u32; + LIBSSH2_FREE(session, data); if(retcode == LIBSSH2_FX_OK) return LIBSSH2_ERROR_NONE; 
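Review bot: In sftp_symlink's SSH_FXP_STATUS branch, the new `_libssh2_get_u32(&buf, &tmp_u32)` runs directly after the type byte, so it appears to read the 4-byte request id rather than the status code. The removed line read the code at `data + 5`, and the NAME path later in this same patch skips an id first ("advance past id") before reading the count. As written, `retcode` would hold the request id, so a well-formed success reply could be reported as an SFTP protocol error. Consuming the id first keeps the old offset while staying bounds-checked: `if(_libssh2_get_u32(&buf, &tmp_u32) || _libssh2_get_u32(&buf, &tmp_u32)) {`. The function starts and ends outside this hunk, so confirm against the full file and cover a normal SSH_FXP_STATUS reply with a regression test.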
@@ -3903,30 +3926,37 @@ static int sftp_symlink(LIBSSH2_SFTP *sf } } - if(_libssh2_ntohu32(data + 5) < 1) { + /* advance past id */ + if(_libssh2_get_u32(&buf, &tmp_u32)) { LIBSSH2_FREE(session, data); return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, - "Invalid READLINK/REALPATH response, " - "no name entries"); + "SFTP Protocol Error (id)"); } - if(data_len < 13) { - if(data_len > 0) { - LIBSSH2_FREE(session, data); - } + /* look for at least one link */ + if(_libssh2_get_u32(&buf, &tmp_u32) || tmp_u32 < 1) { + LIBSSH2_FREE(session, data); return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, - "SFTP stat packet too short"); + "Invalid READLINK/REALPATH response, " + "no name entries"); } - /* this reads a u32 and stores it into a signed 32bit value */ - link_len = _libssh2_ntohu32(data + 9); - if(link_len < target_len) { - memcpy(target, data + 13, link_len); - target[link_len] = 0; - retcode = (int)link_len; + if(_libssh2_get_string(&buf, &lk_target, &lk_len) == LIBSSH2_ERROR_NONE) { + if(lk_len < target_len) { + memcpy(target, lk_target, lk_len); + target[lk_len] = '\0'; + retcode = (int)lk_len; + } + else { + retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL; + } } - else - retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL; + else { + LIBSSH2_FREE(session, data); + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP Protocol Error (filename)"); + } + LIBSSH2_FREE(session, data); return retcode; ++++++ libssh2-1.11.1-CVE-2026-55199.patch ++++++ >From 17626857d20b3c9a1addfa45979dadcee1cd84a4 Mon Sep 17 00:00:00 2001 
From: TristanInSec <[email protected]> Date: Wed, 15 Apr 2026 14:51:08 -0400 Subject: [PATCH] packet: check `_libssh2_get_string()` return in `EXT_INFO` handler The `SSH_MSG_EXT_INFO` handler discards the return values from `_libssh2_get_string()` when parsing extension name/value pairs. When the buffer is exhausted before all claimed extensions are parsed, the loop continues with no-op iterations until `nr_extensions` reaches zero. The `nr_extensions >= 1024` cap limits the worst case, but the loop should still break on parse failure for correctness and consistency with other parsers in this file (e.g. `SSH_MSG_CHANNEL_OPEN`, `SSH_MSG_KEXINIT`) that check `_libssh2_get_string()` return values. Closes #1864 --- src/packet.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/packet.c b/src/packet.c index ae86365d2a..8a7a0d2690 100644 --- a/src/packet.c +++ b/src/packet.c @@ -890,8 +890,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, nr_extensions -= 1; - _libssh2_get_string(&buf, &name, &name_len); - _libssh2_get_string(&buf, &value, &value_len); + if(_libssh2_get_string(&buf, &name, &name_len)) + break; + if(_libssh2_get_string(&buf, &value, &value_len)) + break; if(name && value) { _libssh2_debug((session, ++++++ libssh2-1.11.1-CVE-2026-55200.patch ++++++ >From 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 Mon Sep 17 00:00:00 2001 From: Will Cosgrove <[email protected]> Date: Fri, 12 Jun 2026 15:57:44 -0700 Subject: [PATCH] transport.c: Additional boundary checks for packet length (#2052) Add additional bounds checking on packet length to prevent OOB write. Credit: [TristanInSec](https://github.com/TristanInSec) --- src/transport.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) Index: libssh2-1.11.1/src/transport.c =================================================================== --- libssh2-1.11.1.orig/src/transport.c +++ libssh2-1.11.1/src/transport.c 
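Review bot: In the packet.c SSH_MSG_EXT_INFO loop, both new `break` statements leave the loop silently, so a packet that claims more extensions than it carries leaves no trace and is handled like a well-formed one from that point on. A `_libssh2_debug((session, ...))` line before each break, in the same form the loop already uses for parsed pairs, would make truncated EXT_INFO packets visible when tracing is enabled; the two unbraced `if` statements would then need braces. Whether the handler should also report an error to its caller cannot be judged from here, because the rest of `_libssh2_packet_add` lies outside the hunk.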
@@ -639,8 +639,12 @@ int _libssh2_transport_read(LIBSSH2_SESS total_num = 4; p->packet_length = _libssh2_ntohu32(block); - if(p->packet_length < 1) + if(p->packet_length < 1) { return LIBSSH2_ERROR_DECRYPT; + } + else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } /* total_num may include size field, however due to existing * logic it needs to be removed after the entire packet is read ++++++ libssh2-1.11.1-CVE-2026-7598.patch ++++++ >From 256d04b60d80bf1190e96b0ad1e91b2174d744b1 Mon Sep 17 00:00:00 2001 From: Will Cosgrove <[email protected]> Date: Mon, 13 Apr 2026 11:18:25 -0700 Subject: [PATCH] userauth.c: username_len bounds checking (#1858) Return errors when username_len will exceed bounds, fix existing bounds check. Credit: [dapickle](https://github.com/dapickle) --- src/userauth.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) Index: libssh2-1.11.1/src/userauth.c =================================================================== --- libssh2-1.11.1.orig/src/userauth.c +++ libssh2-1.11.1/src/userauth.c @@ -80,6 +80,12 @@ static char *userauth_list(LIBSSH2_SESSI memset(&session->userauth_list_packet_requirev_state, 0, sizeof(session->userauth_list_packet_requirev_state)); + if(username_len > UINT32_MAX - 27) { + _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "username_len out of bounds"); + return NULL; + } + session->userauth_list_data_len = username_len + 27; s = session->userauth_list_data = @@ -307,6 +313,11 @@ userauth_password(LIBSSH2_SESSION *sessi * 40 = packet_type(1) + username_len(4) + service_len(4) + * service(14)"ssh-connection" + method_len(4) + method(8)"password" + * chgpwdbool(1) + password_len(4) */ + if(username_len > UINT32_MAX - 40) { + return _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "username_len out of bounds"); + } + session->userauth_pswd_data_len = username_len + 40; session->userauth_pswd_data0 = 
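Review bot: The new upper bound in `_libssh2_transport_read` (src/transport.c) is applied only at this one assignment, `p->packet_length = _libssh2_ntohu32(block);`, and the hunk does not show whether any other place in the function that sets `p->packet_length` gets the same test. Since the advisory describes an out-of-bounds write driven by this value, it is worth confirming in the full 1.11.1 source that every such assignment is followed by the `LIBSSH2_PACKET_MAXPAYLOAD` comparison. A one-line comment above the check, such as `/* length comes from the wire: bound it before any use (OOB write otherwise) */`, would record why the limit sits here. The function body continues outside the hunk.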
@@ -447,7 +458,7 @@ password_response: } /* basic data_len + newpw_len(4) */ - if(username_len + password_len + 44 <= UINT_MAX) { + if(username_len <= UINT32_MAX - password_len - 44) { session->userauth_pswd_data_len = username_len + password_len + 44; s = session->userauth_pswd_data =
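Review bot: The rewritten guard in userauth_password, `username_len <= UINT32_MAX - password_len - 44`, can itself wrap. When `password_len` is larger than `UINT32_MAX - 44`, the right-hand side underflows in unsigned arithmetic to a large value, the test passes, and `username_len + password_len + 44` then overflows as it did before the patch. Bounding the operands one at a time avoids this: `if(password_len <= UINT32_MAX - 44 && username_len <= UINT32_MAX - 44 - password_len) {`. The parameter types are declared outside the hunk, so check their widths against the full file. The two earlier userauth.c hunks compare `username_len` against a constant and do not have this problem.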
