--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], Sergei Golovan <[email protected]>,
Bastien Roucaries <[email protected]>
Control: affects -1 + src:erlang
User: [email protected]
Usertags: pu
[ Reason ]
There have been several CVEs published for the erlang programming
language that have been flagged as no DSA affecting the ssh server
implementation.
[ Impact ]
Mostly denial of service attacks.
[ Tests ]
Manually tested.
[ Risks ]
Low risk, given that those implementations are niche and the patches
mostly add safe guards.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Other info ]
@Sergei as with #1127606 (trixie) please write if you disagree.
diff --git a/debian/changelog b/debian/changelog
index 6738cb3c3a..b6b3272c74 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+erlang (1:25.2.3+dfsg-1+deb12u4) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2025-48038: allocation of resources without limits or throttling
+ vulnerability in the ssh_sftp module allows excessive allocation,
+ resource leak exposure (closes: #1115093).
+ * Fix CVE-2025-48039: allocation of resources without limits or throttling
+ vulnerability in the ssh_sftp module allows excessive allocation,
+ resource leak exposure (closes: #1115092).
+ * Fix CVE-2025-48040: uncontrolled resource consumption vulnerability in
+ the ssh_sftp module allows excessive allocation, flooding (closes:
1115091).
+ * Fix CVE-2025-48041: allocation of resources without limits or throttling
+ vulnerability in the ssh_sftp module allows excessive allocation,
+ flooding (closes: #1115090).
+
+ -- Jochen Sprickerhof <[email protected]> Thu, 15 Jan 2026 10:56:30 +0100
+
erlang (1:25.2.3+dfsg-1+deb12u3) bookworm-proposed-updates; urgency=medium
* Fix FTBFS with newer xsltproc.
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000000..cec628c744
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+pristine-tar = True
diff --git a/debian/patches/CVE-2025-48038.patch
b/debian/patches/CVE-2025-48038.patch
new file mode 100644
index 0000000000..800160e857
--- /dev/null
+++ b/debian/patches/CVE-2025-48038.patch
@@ -0,0 +1,34 @@
+From: Jakub Witczak <[email protected]>
+Date: Wed, 27 Aug 2025 17:49:08 +0200
+Subject: ssh: verify file handle size limit for client data
+
+- reject handles exceeding 256 bytes (as specified for SFTP)
+
+Origin:
https://github.com/erlang/otp/commit/f09e0201ff701993dc24a08f15e524daf72db42f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48038
+---
+ lib/ssh/src/ssh_sftpd.erl | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl
+index 6bcad0d..cd24c3e 100644
+--- a/lib/ssh/src/ssh_sftpd.erl
++++ b/lib/ssh/src/ssh_sftpd.erl
+@@ -222,6 +222,17 @@ handle_data(Type, ChannelId, Data0, State =
#state{pending = Pending}) ->
+ handle_data(Type, ChannelId, Data, State#state{pending = <<>>})
+ end.
+
++%% From draft-ietf-secsh-filexfer-02 "The file handle strings MUST NOT be
longer than 256 bytes."
++handle_op(Request, ReqId, <<?UINT32(HLen), _/binary>>, State = #state{xf =
XF})
++ when (Request == ?SSH_FXP_CLOSE orelse
++ Request == ?SSH_FXP_FSETSTAT orelse
++ Request == ?SSH_FXP_FSTAT orelse
++ Request == ?SSH_FXP_READ orelse
++ Request == ?SSH_FXP_READDIR orelse
++ Request == ?SSH_FXP_WRITE),
++ HLen > 256 ->
++ ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_INVALID_HANDLE, "Invalid
handle"),
++ State;
+ handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) ->
+ XF = State#state.xf,
+ Vsn = lists:min([XF#ssh_xfer.vsn, Version]),
diff --git a/debian/patches/CVE-2025-48039.patch
b/debian/patches/CVE-2025-48039.patch
new file mode 100644
index 0000000000..a683c023c0
--- /dev/null
+++ b/debian/patches/CVE-2025-48039.patch
@@ -0,0 +1,239 @@
+From: Jakub Witczak <[email protected]>
+Date: Fri, 11 Jul 2025 13:59:41 +0200
+Subject: ssh: ssh_sftpd verify path size for client data
+
+- reject max_path exceeding the 4096 limit or according to other option value
+
+Origin:
https://github.com/erlang/otp/commit/043ee3c943e2977c1acdd740ad13992fd60b6bf0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48039
+---
+ lib/ssh/doc/src/ssh_sftpd.xml | 8 ++++
+ lib/ssh/src/ssh_sftpd.erl | 32 +++++++++++++-
+ lib/ssh/test/ssh_sftpd_SUITE.erl | 90 ++++++++++++++++++++++++++--------------
+ 3 files changed, 97 insertions(+), 33 deletions(-)
+
+diff --git a/lib/ssh/doc/src/ssh_sftpd.xml b/lib/ssh/doc/src/ssh_sftpd.xml
+index 49a23f4..efabf3f 100644
+--- a/lib/ssh/doc/src/ssh_sftpd.xml
++++ b/lib/ssh/doc/src/ssh_sftpd.xml
+@@ -65,6 +65,14 @@
+ If supplied, the number of filenames returned to the SFTP client
per <c>READDIR</c>
+ request is limited to at most the given value.</p>
+ </item>
++ <tag><c>max_path</c></tag>
++ <item>
++ <p>The default value is <c>4096</c>. Positive integer
++ value represents the maximum path length which cannot be
++ exceeded in data provided by the SFTP client. (Note:
++ limitations might be also enforced by underlying operating
++ system)</p>
++ </item>
+ <tag><c>root</c></tag>
+ <item>
+ <p>Sets the SFTP root directory. Then the user cannot see any files
+diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl
+index cd24c3e..5632848 100644
+--- a/lib/ssh/src/ssh_sftpd.erl
++++ b/lib/ssh/src/ssh_sftpd.erl
+@@ -52,6 +52,7 @@
+ file_handler, % atom() - callback module
+ file_state, % state for the file callback module
+ max_files, % integer >= 0 max no files sent during
READDIR
++ max_path, % integer > 0 - max length of path
+ options, % from the subsystem declaration
+ handles % list of open handles
+ %% handle is either {<int>, directory, {Path, unread|eof}} or
+@@ -65,6 +66,7 @@
+ Options :: [ {cwd, string()} |
+ {file_handler, CbMod | {CbMod, FileState}} |
+ {max_files, integer()} |
++ {max_path, integer()} |
+ {root, string()} |
+ {sftpd_vsn, integer()}
+ ],
+@@ -115,8 +117,12 @@ init(Options) ->
+ {Root0, State0}
+ end,
+ MaxLength = proplists:get_value(max_files, Options, 0),
++ MaxPath = proplists:get_value(max_path, Options, 4096),
+ Vsn = proplists:get_value(sftpd_vsn, Options, 5),
+- {ok, State#state{cwd = CWD, root = Root, max_files = MaxLength,
++ {ok, State#state{cwd = CWD,
++ root = Root,
++ max_files = MaxLength,
++ max_path = MaxPath,
+ options = Options,
+ handles = [], pending = <<>>,
+ xf = #ssh_xfer{vsn = Vsn, ext = []}}}.
+@@ -233,6 +239,30 @@ handle_op(Request, ReqId, <<?UINT32(HLen), _/binary>>,
State = #state{xf = XF})
+ HLen > 256 ->
+ ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_INVALID_HANDLE, "Invalid
handle"),
+ State;
++handle_op(Request, ReqId, <<?UINT32(PLen), _/binary>>,
++ State = #state{max_path = MaxPath, xf = XF})
++ when (Request == ?SSH_FXP_LSTAT orelse
++ Request == ?SSH_FXP_MKDIR orelse
++ Request == ?SSH_FXP_OPEN orelse
++ Request == ?SSH_FXP_OPENDIR orelse
++ Request == ?SSH_FXP_READLINK orelse
++ Request == ?SSH_FXP_REALPATH orelse
++ Request == ?SSH_FXP_REMOVE orelse
++ Request == ?SSH_FXP_RMDIR orelse
++ Request == ?SSH_FXP_SETSTAT orelse
++ Request == ?SSH_FXP_STAT),
++ PLen > MaxPath ->
++ ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_NO_SUCH_PATH,
++ "No such path"),
++ State;
++handle_op(Request, ReqId, <<?UINT32(PLen), _:PLen/binary, ?UINT32(PLen2),
_/binary>>,
++ State = #state{max_path = MaxPath, xf = XF})
++ when (Request == ?SSH_FXP_RENAME orelse
++ Request == ?SSH_FXP_SYMLINK),
++ (PLen > MaxPath orelse PLen2 > MaxPath) ->
++ ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_NO_SUCH_PATH,
++ "No such path"),
++ State;
+ handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) ->
+ XF = State#state.xf,
+ Vsn = lists:min([XF#ssh_xfer.vsn, Version]),
+diff --git a/lib/ssh/test/ssh_sftpd_SUITE.erl
b/lib/ssh/test/ssh_sftpd_SUITE.erl
+index 42677b7..f04cde3 100644
+--- a/lib/ssh/test/ssh_sftpd_SUITE.erl
++++ b/lib/ssh/test/ssh_sftpd_SUITE.erl
+@@ -43,6 +43,7 @@
+ open_file_dir_v6/1,
+ read_dir/1,
+ read_file/1,
++ max_path/1,
+ real_path/1,
+ relative_path/1,
+ relpath/1,
+@@ -71,9 +72,8 @@
+ -define(SSH_TIMEOUT, 10000).
+ -define(REG_ATTERS, <<0,0,0,0,1>>).
+ -define(UNIX_EPOCH, 62167219200).
+-
+--define(is_set(F, Bits),
+- ((F) band (Bits)) == (F)).
++-define(MAX_PATH, 200).
++-define(is_set(F, Bits), ((F) band (Bits)) == (F)).
+
+ %%--------------------------------------------------------------------
+ %% Common Test interface functions -----------------------------------
+@@ -86,6 +86,7 @@ all() ->
+ [open_close_file,
+ open_close_dir,
+ read_file,
++ max_path,
+ read_dir,
+ write_file,
+ rename_file,
+@@ -180,7 +181,8 @@ init_per_testcase(TestCase, Config) ->
+ {sftpd_vsn,
6}])],
+ ssh:daemon(0, [{subsystems, SubSystems}|Options]);
+ _ ->
+- SubSystems = [ssh_sftpd:subsystem_spec([])],
++ SubSystems = [ssh_sftpd:subsystem_spec(
++ [{max_path, ?MAX_PATH}])],
+ ssh:daemon(0, [{subsystems, SubSystems}|Options])
+ end,
+
+@@ -333,6 +335,23 @@ read_file(Config) when is_list(Config) ->
+
+ {ok, Data} = file:read_file(FileName).
+
++%%--------------------------------------------------------------------
++max_path(Config) when is_list(Config) ->
++ PrivDir = proplists:get_value(priv_dir, Config),
++ FileName = filename:join(PrivDir, "test.txt"),
++ {Cm, Channel} = proplists:get_value(sftp, Config),
++ %% verify max_path limit
++ LongFileName =
++ filename:join(PrivDir,
++ "t" ++ lists:flatten(lists:duplicate(?MAX_PATH, "e"))
++ "st.txt"),
++ {ok, _} = file:copy(FileName, LongFileName),
++ ReqId1 = req_id(),
++ {ok, <<?SSH_FXP_STATUS, ?UINT32(ReqId1), ?UINT32(?SSH_FX_NO_SUCH_PATH),
++ _/binary>>, _} =
++ open_file(LongFileName, Cm, Channel, ReqId1,
++ ?ACE4_READ_DATA bor ?ACE4_READ_ATTRIBUTES,
++ ?SSH_FXF_OPEN_EXISTING).
++
+ %%--------------------------------------------------------------------
+ read_dir(Config) when is_list(Config) ->
+ PrivDir = proplists:get_value(priv_dir, Config),
+@@ -388,35 +407,33 @@ rename_file(Config) when is_list(Config) ->
+ PrivDir = proplists:get_value(priv_dir, Config),
+ FileName = filename:join(PrivDir, "test.txt"),
+ NewFileName = filename:join(PrivDir, "test1.txt"),
+- ReqId = 0,
++ LongFileName =
++ filename:join(PrivDir,
++ "t" ++ lists:flatten(lists:duplicate(?MAX_PATH, "e"))
++ "st.txt"),
+ {Cm, Channel} = proplists:get_value(sftp, Config),
+-
+- {ok, <<?SSH_FXP_STATUS, ?UINT32(ReqId),
+- ?UINT32(?SSH_FX_OK), _/binary>>, _} =
+- rename(FileName, NewFileName, Cm, Channel, ReqId, 6, 0),
+-
+- NewReqId = ReqId + 1,
+-
+- {ok, <<?SSH_FXP_STATUS, ?UINT32(NewReqId),
+- ?UINT32(?SSH_FX_OK), _/binary>>, _} =
+- rename(NewFileName, FileName, Cm, Channel, NewReqId, 6,
+- ?SSH_FXP_RENAME_OVERWRITE),
+-
+- NewReqId1 = NewReqId + 1,
+- file:copy(FileName, NewFileName),
+-
+- %% No overwrite
+- {ok, <<?SSH_FXP_STATUS, ?UINT32(NewReqId1),
+- ?UINT32(?SSH_FX_FILE_ALREADY_EXISTS), _/binary>>, _} =
+- rename(FileName, NewFileName, Cm, Channel, NewReqId1, 6,
+- ?SSH_FXP_RENAME_NATIVE),
+-
+- NewReqId2 = NewReqId1 + 1,
+-
+- {ok, <<?SSH_FXP_STATUS, ?UINT32(NewReqId2),
+- ?UINT32(?SSH_FX_OP_UNSUPPORTED), _/binary>>, _} =
+- rename(FileName, NewFileName, Cm, Channel, NewReqId2, 6,
+- ?SSH_FXP_RENAME_ATOMIC).
++ Version = 6,
++ [begin
++ case Action of
++ {Code, AFile, BFile, Flags} ->
++ ReqId = req_id(),
++ ct:log("ReqId = ~p,~nCode = ~p,~nAFile = ~p,~nBFile =
~p,~nFlags = ~p",
++ [ReqId, Code, AFile, BFile, Flags]),
++ {ok, <<?SSH_FXP_STATUS, ?UINT32(ReqId), ?UINT32(Code),
_/binary>>, _} =
++ rename(AFile, BFile, Cm, Channel, ReqId, Version, Flags);
++ {file_copy, AFile, BFile} ->
++ {ok, _} = file:copy(AFile, BFile)
++ end
++ end ||
++ Action <-
++ [{?SSH_FX_OK, FileName, NewFileName, 0},
++ {?SSH_FX_OK, NewFileName, FileName, ?SSH_FXP_RENAME_OVERWRITE},
++ {file_copy, FileName, NewFileName},
++ %% no overwrite
++ {?SSH_FX_FILE_ALREADY_EXISTS, FileName, NewFileName,
?SSH_FXP_RENAME_NATIVE},
++ {?SSH_FX_OP_UNSUPPORTED, FileName, NewFileName,
?SSH_FXP_RENAME_ATOMIC},
++ %% max_path
++ {?SSH_FX_NO_SUCH_PATH, FileName, LongFileName, 0}]],
++ ok.
+
+ %%--------------------------------------------------------------------
+ mk_rm_dir(Config) when is_list(Config) ->
+@@ -1078,3 +1095,12 @@ encode_file_type(Type) ->
+
+ not_default_permissions() ->
+ 8#600. %% User read-write-only
++
++req_id() ->
++ ReqId =
++ case get(req_id) of
++ undefined -> 0;
++ I -> I
++ end,
++ put(req_id, ReqId + 1),
++ ReqId.
diff --git a/debian/patches/CVE-2025-48040.patch
b/debian/patches/CVE-2025-48040.patch
new file mode 100644
index 0000000000..d27a182c56
--- /dev/null
+++ b/debian/patches/CVE-2025-48040.patch
@@ -0,0 +1,477 @@
+From: Jakub Witczak <[email protected]>
+Date: Wed, 20 Aug 2025 10:30:55 +0200
+Subject: ssh: key exchange robustness improvements
+
+- reduce untrusted data processing for non-debug logs
+- trim badmatch exceptions to avoid processing potentially malicious data
+- terminate with kexinit_error when too many algorithms are received in KEX
init message
+
+Origin:
https://github.com/erlang/otp/commit/548f1295d86d0803da884db8685cc16d461d0d5a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48040
+---
+ lib/ssh/src/ssh_connection.erl | 3 +-
+ lib/ssh/src/ssh_connection_handler.erl | 35 +++++++---
+ lib/ssh/src/ssh_lib.erl | 15 ++++-
+ lib/ssh/src/ssh_message.erl | 42 +++++++-----
+ lib/ssh/src/ssh_transport.erl | 120 +++++++++++++++++++--------------
+ lib/ssh/test/ssh_connection_SUITE.erl | 12 +++-
+ 6 files changed, 147 insertions(+), 80 deletions(-)
+
+diff --git a/lib/ssh/src/ssh_connection.erl b/lib/ssh/src/ssh_connection.erl
+index badf3a2..b21d249 100644
+--- a/lib/ssh/src/ssh_connection.erl
++++ b/lib/ssh/src/ssh_connection.erl
+@@ -481,10 +481,9 @@ handle_msg(Msg, Connection, server, Ssh =
#ssh{authenticated = false}) ->
+ %% respond by disconnecting, preferably with a proper disconnect message
+ %% sent to ease troubleshooting.
+ MsgFun = fun(M) ->
+- MaxLogItemLen = ?GET_OPT(max_log_item_len, Ssh#ssh.opts),
+ io_lib:format("Connection terminated. Unexpected message
for unauthenticated user."
+ " Message: ~w", [M],
+- [{chars_limit, MaxLogItemLen}])
++ [{chars_limit, ssh_lib:max_log_len(Ssh)}])
+ end,
+ ?LOG_DEBUG(MsgFun, [Msg]),
+ {disconnect, {?SSH_DISCONNECT_PROTOCOL_ERROR, "Connection refused"},
handle_stop(Connection)};
+diff --git a/lib/ssh/src/ssh_connection_handler.erl
b/lib/ssh/src/ssh_connection_handler.erl
+index ba46468..fa3b374 100644
+--- a/lib/ssh/src/ssh_connection_handler.erl
++++ b/lib/ssh/src/ssh_connection_handler.erl
+@@ -1146,12 +1146,21 @@ handle_event(info, {Proto, Sock, NewData}, StateName,
+ {next_event, internal, Msg}
+ ]}
+ catch
+- C:E:ST ->
+- MaxLogItemLen =
?GET_OPT(max_log_item_len,SshParams#ssh.opts),
++ Class:Reason0:Stacktrace ->
++ Reason = ssh_lib:trim_reason(Reason0),
++ MsgFun =
++ fun(debug) ->
++ io_lib:format("Bad packet: Decrypted, but
can't decode~n~p:~p~n~p",
++ [Class,Reason,Stacktrace],
++ [{chars_limit,
ssh_lib:max_log_len(SshParams)}]);
++ (_) ->
++ io_lib:format("Bad packet: Decrypted, but
can't decode ~p:~p",
++ [Class, Reason],
++ [{chars_limit,
ssh_lib:max_log_len(SshParams)}])
++ end,
+ {Shutdown, D} =
+ ?send_disconnect(?SSH_DISCONNECT_PROTOCOL_ERROR,
+- io_lib:format("Bad packet:
Decrypted, but can't decode~n~p:~p~n~p",
+- [C,E,ST],
[{chars_limit, MaxLogItemLen}]),
++ ?SELECT_MSG(MsgFun),
+ StateName, D1),
+ {stop, Shutdown, D}
+ end;
+@@ -1181,12 +1190,20 @@ handle_event(info, {Proto, Sock, NewData}, StateName,
+ StateName, D0),
+ {stop, Shutdown, D}
+ catch
+- C:E:ST ->
+- MaxLogItemLen = ?GET_OPT(max_log_item_len,SshParams#ssh.opts),
++ Class:Reason0:Stacktrace ->
++ MsgFun =
++ fun(debug) ->
++ io_lib:format("Bad packet: Couldn't
decrypt~n~p:~p~n~p",
++ [Class,Reason0,Stacktrace],
++ [{chars_limit,
ssh_lib:max_log_len(SshParams)}]);
++ (_) ->
++ Reason = ssh_lib:trim_reason(Reason0),
++ io_lib:format("Bad packet: Couldn't decrypt~n~p:~p",
++ [Class,Reason],
++ [{chars_limit,
ssh_lib:max_log_len(SshParams)}])
++ end,
+ {Shutdown, D} =
+- ?send_disconnect(?SSH_DISCONNECT_PROTOCOL_ERROR,
+- io_lib:format("Bad packet: Couldn't
decrypt~n~p:~p~n~p",
+- [C,E,ST], [{chars_limit,
MaxLogItemLen}]),
++ ?send_disconnect(?SSH_DISCONNECT_PROTOCOL_ERROR,
?SELECT_MSG(MsgFun),
+ StateName, D0),
+ {stop, Shutdown, D}
+ end;
+diff --git a/lib/ssh/src/ssh_lib.erl b/lib/ssh/src/ssh_lib.erl
+index 3d29b5e..c6791f1 100644
+--- a/lib/ssh/src/ssh_lib.erl
++++ b/lib/ssh/src/ssh_lib.erl
+@@ -28,7 +28,9 @@
+ format_address_port/2, format_address_port/1,
+ format_address/1,
+ format_time_ms/1,
+- comp/2
++ comp/2,
++ trim_reason/1,
++ max_log_len/1
+ ]).
+
+ -include("ssh.hrl").
+@@ -86,3 +88,14 @@ comp([], [], Truth) ->
+
+ comp(_, _, _) ->
+ false.
++%% We don't want to process badmatch details, potentially containing
++%% malicious data of unknown size
++trim_reason({badmatch, V}) when is_binary(V) ->
++ badmatch;
++trim_reason(E) ->
++ E.
++
++max_log_len(#ssh{opts = Opts}) ->
++ ?GET_OPT(max_log_item_len, Opts);
++max_log_len(Opts) when is_map(Opts) ->
++ ?GET_OPT(max_log_item_len, Opts).
+diff --git a/lib/ssh/src/ssh_message.erl b/lib/ssh/src/ssh_message.erl
+index e22a4e2..4d5ac74 100644
+--- a/lib/ssh/src/ssh_message.erl
++++ b/lib/ssh/src/ssh_message.erl
+@@ -43,7 +43,7 @@
+
+ -behaviour(ssh_dbg).
+ -export([ssh_dbg_trace_points/0, ssh_dbg_flags/1, ssh_dbg_on/1,
ssh_dbg_off/1, ssh_dbg_format/2]).
+--define(ALG_NAME_LIMIT, 64).
++-define(ALG_NAME_LIMIT, 64). % RFC4251 sec6
+
+ ucl(B) ->
+ try unicode:characters_to_list(B) of
+@@ -821,23 +821,33 @@ decode_kex_init(<<?BYTE(Bool)>>, Acc, 0) ->
+ %% See rfc 4253 7.1
+ X = 0,
+ list_to_tuple(lists:reverse([X, erl_boolean(Bool) | Acc]));
+-decode_kex_init(<<?DEC_BIN(Data,__0), Rest/binary>>, Acc, N) ->
++decode_kex_init(<<?DEC_BIN(Data,__0), Rest/binary>>, Acc, N) when
++ byte_size(Data) < ?MAX_NUM_ALGORITHMS * ?ALG_NAME_LIMIT ->
+ BinParts = binary:split(Data, <<$,>>, [global]),
+- Process =
+- fun(<<>>, PAcc) ->
+- PAcc;
+- (Part, PAcc) ->
+- case byte_size(Part) > ?ALG_NAME_LIMIT of
+- true ->
+- ?LOG_DEBUG("Ignoring too long name", []),
++ AlgCount = length(BinParts),
++ case AlgCount =< ?MAX_NUM_ALGORITHMS of
++ true ->
++ Process =
++ fun(<<>>, PAcc) ->
+ PAcc;
+- false ->
+- Name = binary:bin_to_list(Part),
+- [Name | PAcc]
+- end
+- end,
+- Names = lists:foldr(Process, [], BinParts),
+- decode_kex_init(Rest, [Names | Acc], N - 1).
++ (Part, PAcc) ->
++ case byte_size(Part) =< ?ALG_NAME_LIMIT of
++ true ->
++ Name = binary:bin_to_list(Part),
++ [Name | PAcc];
++ false ->
++ ?LOG_DEBUG("Ignoring too long name", []),
++ PAcc
++ end
++ end,
++ Names = lists:foldr(Process, [], BinParts),
++ decode_kex_init(Rest, [Names | Acc], N - 1);
++ false ->
++ throw({error, {kexinit_error, N, {alg_count, AlgCount}}})
++ end;
++decode_kex_init(<<?DEC_BIN(Data,__0), _Rest/binary>>, _Acc, N) ->
++ throw({error, {kexinit, N, {string_size, byte_size(Data)}}}).
++
+
+
+ %%%================================================================
+diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
+index 6081a02..5abc11b 100644
+--- a/lib/ssh/src/ssh_transport.erl
++++ b/lib/ssh/src/ssh_transport.erl
+@@ -405,8 +405,9 @@ handle_kexinit_msg(#ssh_msg_kexinit{} = CounterPart,
#ssh_msg_kexinit{} = Own,
+ key_exchange_first_msg(Algos#alg.kex,
+ Ssh#ssh{algorithms = Algos})
+ catch
+- Class:Error ->
+- Msg = kexinit_error(Class, Error, client, Own, CounterPart),
++ Class:Reason0 ->
++ Reason = ssh_lib:trim_reason(Reason0),
++ Msg = kexinit_error(Class, Reason, client, Own, CounterPart, Ssh),
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED, Msg)
+ end;
+
+@@ -422,31 +423,38 @@ handle_kexinit_msg(#ssh_msg_kexinit{} = CounterPart,
#ssh_msg_kexinit{} = Own,
+ Algos ->
+ {ok, Ssh#ssh{algorithms = Algos}}
+ catch
+- Class:Error ->
+- Msg = kexinit_error(Class, Error, server, Own, CounterPart),
++ Class:Reason0 ->
++ Reason = ssh_lib:trim_reason(Reason0),
++ Msg = kexinit_error(Class, Reason, server, Own, CounterPart, Ssh),
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED, Msg)
+ end.
+
+-kexinit_error(Class, Error, Role, Own, CounterPart) ->
++kexinit_error(Class, Error, Role, Own, CounterPart, Ssh) ->
+ {Fmt,Args} =
+ case {Class,Error} of
+ {error, {badmatch,{false,Alg}}} ->
+ {Txt,W,C} = alg_info(Role, Alg),
+- {"No common ~s algorithm,~n"
+- " we have:~n ~s~n"
+- " peer have:~n ~s~n",
+- [Txt,
+- lists:join(", ", element(W,Own)),
+- lists:join(", ", element(C,CounterPart))
+- ]};
++ MsgFun =
++ fun(debug) ->
++ {"No common ~s algorithm,~n"
++ " we have:~n ~s~n"
++ " peer have:~n ~s~n",
++ [Txt,
++ lists:join(", ", element(W,Own)),
++ lists:join(", ", element(C,CounterPart))]};
++ (_) ->
++ {"No common ~s algorithm", [Txt]}
++ end,
++ ?SELECT_MSG(MsgFun);
+ _ ->
+ {"Kexinit failed in ~p: ~p:~p", [Role,Class,Error]}
+ end,
+- try io_lib:format(Fmt, Args) of
++ try io_lib:format(Fmt, Args, [{chars_limit, ssh_lib:max_log_len(Ssh)}]) of
+ R -> R
+ catch
+ _:_ ->
+- io_lib:format("Kexinit failed in ~p: ~p:~p", [Role, Class, Error])
++ io_lib:format("Kexinit failed in ~p: ~p:~p", [Role, Class, Error],
++ [{chars_limit, ssh_lib:max_log_len(Ssh)}])
+ end.
+
+ alg_info(client, Alg) ->
+@@ -598,14 +606,19 @@ handle_kexdh_init(#ssh_msg_kexdh_init{e = E},
+ session_id = sid(Ssh1, H)}};
+ {error,unsupported_sign_alg} ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- io_lib:format("Unsupported algorithm ~p",
[SignAlg])
+- )
++ io_lib:format("Unsupported algorithm ~p",
[SignAlg],
++ [{chars_limit,
ssh_lib:max_log_len(Opts)}]))
+ end;
+ true ->
+- ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
++ MsgFun =
++ fun(debug) ->
+ io_lib:format("Kexdh init failed, received 'e' out of
bounds~n E=~p~n P=~p",
+- [E,P])
+- )
++ [E,P], [{chars_limit,
ssh_lib:max_log_len(Opts)}]);
++ (_) ->
++ io_lib:format("Kexdh init failed, received 'e' out of
bounds", [],
++ [{chars_limit,
ssh_lib:max_log_len(Opts)}] )
++ end,
++ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
?SELECT_MSG(MsgFun))
+ end.
+
+ handle_kexdh_reply(#ssh_msg_kexdh_reply{public_host_key = PeerPubHostKey,
+@@ -626,14 +639,15 @@ handle_kexdh_reply(#ssh_msg_kexdh_reply{public_host_key
= PeerPubHostKey,
+ session_id =
sid(Ssh, H)})};
+ Error ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- io_lib:format("Kexdh init failed. Verify host
key: ~p",[Error])
++ io_lib:format("Kexdh init failed. Verify host
key: ~p",[Error],
++ [{chars_limit,
ssh_lib:max_log_len(Ssh0)}])
+ )
+ end;
+
+ true ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+ io_lib:format("Kexdh init failed, received 'f' out of
bounds~n F=~p~n P=~p",
+- [F,P])
++ [F,P], [{chars_limit,
ssh_lib:max_log_len(Ssh0)}])
+ )
+ end.
+
+@@ -659,7 +673,8 @@ handle_kex_dh_gex_request(#ssh_msg_kex_dh_gex_request{min
= Min0,
+ }};
+ {error,_} ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- io_lib:format("No possible
diffie-hellman-group-exchange group found",[])
++ io_lib:format("No possible
diffie-hellman-group-exchange group found",[],
++ [{chars_limit,
ssh_lib:max_log_len(Opts)}])
+ )
+ end;
+
+@@ -691,8 +706,8 @@
handle_kex_dh_gex_request(#ssh_msg_kex_dh_gex_request_old{n = NBits},
+ }};
+ {error,_} ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- io_lib:format("No possible
diffie-hellman-group-exchange group found",[])
+- )
++ io_lib:format("No possible
diffie-hellman-group-exchange group found",[],
++ [{chars_limit,
ssh_lib:max_log_len(Opts)}]))
+ end;
+
+ handle_kex_dh_gex_request(_, _) ->
+@@ -718,7 +733,6 @@ handle_kex_dh_gex_group(#ssh_msg_kex_dh_gex_group{p = P, g
= G}, Ssh0) ->
+ {Public, Private} = generate_key(dh, [P,G,2*Sz]),
+ {SshPacket, Ssh1} =
+ ssh_packet(#ssh_msg_kex_dh_gex_init{e = Public}, Ssh0), % Pub = G^Priv
mod P (def)
+-
+ {ok, SshPacket,
+ Ssh1#ssh{keyex_key = {{Private, Public}, {G, P}}}}.
+
+@@ -749,19 +763,22 @@ handle_kex_dh_gex_init(#ssh_msg_kex_dh_gex_init{e = E},
+ }};
+ {error,unsupported_sign_alg} ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- io_lib:format("Unsupported algorithm
~p", [SignAlg])
+- )
++ io_lib:format("Unsupported algorithm
~p", [SignAlg],
++ [{chars_limit,
ssh_lib:max_log_len(Opts)}]))
+ end;
+ true ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- "Kexdh init failed, received 'k' out of
bounds"
+- )
++ "Kexdh init failed, received 'k' out of
bounds")
+ end;
+ true ->
+- ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- io_lib:format("Kexdh gex init failed, received 'e'
out of bounds~n E=~p~n P=~p",
+- [E,P])
+- )
++ MsgFun =
++ fun(debug) ->
++ io_lib:format("Kexdh gex init failed, received 'e'
out of bounds~n"
++ " E=~p~n P=~p", [E,P]);
++ (_) ->
++ io_lib:format("Kexdh gex init failed, received 'e'
out of bounds", [])
++ end,
++ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
?SELECT_MSG(MsgFun))
+ end.
+
+ handle_kex_dh_gex_reply(#ssh_msg_kex_dh_gex_reply{public_host_key =
PeerPubHostKey,
+@@ -786,20 +803,18 @@
handle_kex_dh_gex_reply(#ssh_msg_kex_dh_gex_reply{public_host_key = PeerPubHostK
+
session_id = sid(Ssh, H)})};
+ Error ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- io_lib:format("Kexdh gex reply
failed. Verify host key: ~p",[Error])
+- )
++ io_lib:format("Kexdh gex reply
failed. Verify host key: ~p",
++ [Error], [{chars_limit,
ssh_lib:max_log_len(Ssh0)}]))
+ end;
+
+ true ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- "Kexdh gex init failed, 'K' out of bounds"
+- )
++ "Kexdh gex init failed, 'K' out of bounds")
+ end;
+ true ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+ io_lib:format("Kexdh gex init failed, received 'f'
out of bounds~n F=~p~n P=~p",
+- [F,P])
+- )
++ [F,P], [{chars_limit,
ssh_lib:max_log_len(Ssh0)}]))
+ end.
+
+ %%%----------------------------------------------------------------
+@@ -833,17 +848,25 @@ handle_kex_ecdh_init(#ssh_msg_kex_ecdh_init{q_c =
PeerPublic},
+ session_id = sid(Ssh1, H)}};
+ {error,unsupported_sign_alg} ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- io_lib:format("Unsupported algorithm ~p",
[SignAlg])
+- )
++ io_lib:format("Unsupported algorithm ~p",
[SignAlg],
++ [{chars_limit,
ssh_lib:max_log_len(Opts)}]))
+ end
+ catch
+- Class:Error ->
+- ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
++ Class:Reason0 ->
++ Reason = ssh_lib:trim_reason(Reason0),
++ MsgFun =
++ fun(debug) ->
+ io_lib:format("ECDH compute key failed in server:
~p:~p~n"
+ "Kex: ~p, Curve: ~p~n"
+ "PeerPublic: ~p",
+- [Class,Error,Kex,Curve,PeerPublic])
+- )
++ [Class,Reason,Kex,Curve,PeerPublic],
++ [{chars_limit,
ssh_lib:max_log_len(Ssh0)}]);
++ (_) ->
++ io_lib:format("ECDH compute key failed in server:
~p:~p",
++ [Class,Reason],
++ [{chars_limit,
ssh_lib:max_log_len(Ssh0)}])
++ end,
++ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
?SELECT_MSG(MsgFun))
+ end.
+
+ handle_kex_ecdh_reply(#ssh_msg_kex_ecdh_reply{public_host_key =
PeerPubHostKey,
+@@ -866,15 +889,14 @@
handle_kex_ecdh_reply(#ssh_msg_kex_ecdh_reply{public_host_key = PeerPubHostKey,
+ session_id =
sid(Ssh, H)})};
+ Error ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+- io_lib:format("ECDH reply failed. Verify host
key: ~p",[Error])
+- )
++ io_lib:format("ECDH reply failed. Verify host
key: ~p",[Error],
++ [{chars_limit,
ssh_lib:max_log_len(Ssh0)}]))
+ end
+ catch
+ Class:Error ->
+ ?DISCONNECT(?SSH_DISCONNECT_KEY_EXCHANGE_FAILED,
+ io_lib:format("Peer ECDH public key seem invalid:
~p:~p",
+- [Class,Error])
+- )
++ [Class,Error], [{chars_limit,
ssh_lib:max_log_len(Ssh0)}]))
+ end.
+
+
+diff --git a/lib/ssh/test/ssh_connection_SUITE.erl
b/lib/ssh/test/ssh_connection_SUITE.erl
+index 06d90cc..d529cf5 100644
+--- a/lib/ssh/test/ssh_connection_SUITE.erl
++++ b/lib/ssh/test/ssh_connection_SUITE.erl
+@@ -1345,6 +1345,8 @@ gracefull_invalid_long_start_no_nl(Config) when
is_list(Config) ->
+ end.
+
+ kex_error(Config) ->
++ #{level := Level} = logger:get_primary_config(),
++ ok = logger:set_primary_config(level, debug),
+ PrivDir = proplists:get_value(priv_dir, Config),
+ UserDir = filename:join(PrivDir, nopubkey), % to make sure we don't use
public-key-auth
+ file:make_dir(UserDir),
+@@ -1365,6 +1367,10 @@ kex_error(Config) ->
+ ok % Other msg
+ end,
+ self()),
++ Cleanup = fun() ->
++ ok = logger:remove_handler(kex_error),
++ ok = logger:set_primary_config(level, Level)
++ end,
+ try
+ ssh_test_lib:connect(Host, Port, [{silently_accept_hosts, true},
+ {user, "foo"},
+@@ -1382,7 +1388,7 @@ kex_error(Config) ->
+ %% ok
+ receive
+ {Ref, ErrMsgTxt} ->
+- ok = logger:remove_handler(kex_error),
++ Cleanup(),
+ ct:log("ErrMsgTxt = ~n~s", [ErrMsgTxt]),
+ Lines = lists:map(fun string:trim/1,
string:tokens(ErrMsgTxt, "\n")),
+ OK = (lists:all(fun(S) -> lists:member(S,Lines) end,
+@@ -1400,12 +1406,12 @@ kex_error(Config) ->
+ ct:fail("unexpected error text msg", [])
+ end
+ after 20000 ->
+- ok = logger:remove_handler(kex_error),
++ Cleanup(),
+ ct:fail("timeout", [])
+ end;
+
+ error:{badmatch,{error,_}} ->
+- ok = logger:remove_handler(kex_error),
++ Cleanup(),
+ ct:fail("unexpected error msg", [])
+ end.
+
diff --git a/debian/patches/CVE-2025-48041.patch
b/debian/patches/CVE-2025-48041.patch
new file mode 100644
index 0000000000..45ee9b7d0f
--- /dev/null
+++ b/debian/patches/CVE-2025-48041.patch
@@ -0,0 +1,268 @@
+From: Jakub Witczak <[email protected]>
+Date: Wed, 20 Aug 2025 10:31:50 +0200
+Subject: ssh: max_handles option added to ssh_sftpd
+
+- add max_handles option and update tests (1000 by default)
+- remove sshd_read_file redundant testcase
+
+Origin:
https://github.com/erlang/otp/commit/d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48041
+---
+ lib/ssh/doc/src/ssh_sftpd.xml | 4 ++
+ lib/ssh/src/ssh_sftpd.erl | 30 +++++++++++----
+ lib/ssh/test/ssh_sftpd_SUITE.erl | 83 ++++++++++++++++++----------------------
+ 3 files changed, 64 insertions(+), 53 deletions(-)
+
+diff --git a/lib/ssh/doc/src/ssh_sftpd.xml b/lib/ssh/doc/src/ssh_sftpd.xml
+index efabf3f..7c250a9 100644
+--- a/lib/ssh/doc/src/ssh_sftpd.xml
++++ b/lib/ssh/doc/src/ssh_sftpd.xml
+@@ -65,6 +65,10 @@
+ If supplied, the number of filenames returned to the SFTP client
per <c>READDIR</c>
+ request is limited to at most the given value.</p>
+ </item>
++ <tag><c>max_handles</c></tag>
++ <item>
++ <p>The default value is <c>1000</c>. Positive integer value
represents the maximum number of file handles allowed for a connection.</p>
++ </item>
+ <tag><c>max_path</c></tag>
+ <item>
+ <p>The default value is <c>4096</c>. Positive integer
+diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl
+index 5632848..dfa566a 100644
+--- a/lib/ssh/src/ssh_sftpd.erl
++++ b/lib/ssh/src/ssh_sftpd.erl
+@@ -52,6 +52,7 @@
+ file_handler, % atom() - callback module
+ file_state, % state for the file callback module
+ max_files, % integer >= 0 max no files sent during
READDIR
++ max_handles, % integer > 0 - max number of file
handles
+ max_path, % integer > 0 - max length of path
+ options, % from the subsystem declaration
+ handles % list of open handles
+@@ -66,6 +67,7 @@
+ Options :: [ {cwd, string()} |
+ {file_handler, CbMod | {CbMod, FileState}} |
+ {max_files, integer()} |
++ {max_handles, integer()} |
+ {max_path, integer()} |
+ {root, string()} |
+ {sftpd_vsn, integer()}
+@@ -117,11 +119,13 @@ init(Options) ->
+ {Root0, State0}
+ end,
+ MaxLength = proplists:get_value(max_files, Options, 0),
++ MaxHandles = proplists:get_value(max_handles, Options, 1000),
+ MaxPath = proplists:get_value(max_path, Options, 4096),
+ Vsn = proplists:get_value(sftpd_vsn, Options, 5),
+ {ok, State#state{cwd = CWD,
+ root = Root,
+ max_files = MaxLength,
++ max_handles = MaxHandles,
+ max_path = MaxPath,
+ options = Options,
+ handles = [], pending = <<>>,
+@@ -286,14 +290,16 @@ handle_op(?SSH_FXP_REALPATH, ReqId,
+ end;
+ handle_op(?SSH_FXP_OPENDIR, ReqId,
+ <<?UINT32(RLen), RPath:RLen/binary>>,
+- State0 = #state{xf = #ssh_xfer{vsn = Vsn},
+- file_handler = FileMod, file_state = FS0}) ->
++ State0 = #state{xf = #ssh_xfer{vsn = Vsn},
++ file_handler = FileMod, file_state = FS0,
++ max_handles = MaxHandles}) ->
+ RelPath = unicode:characters_to_list(RPath),
+ AbsPath = relate_file_name(RelPath, State0),
+
+ XF = State0#state.xf,
+ {IsDir, FS1} = FileMod:is_dir(AbsPath, FS0),
+ State1 = State0#state{file_state = FS1},
++ HandlesCnt = length(State0#state.handles),
+ case IsDir of
+ false when Vsn > 5 ->
+ ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_NOT_A_DIRECTORY,
+@@ -303,8 +309,12 @@ handle_op(?SSH_FXP_OPENDIR, ReqId,
+ ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_FAILURE,
+ "Not a directory"),
+ State1;
+- true ->
+- add_handle(State1, XF, ReqId, directory, {RelPath,unread})
++ true when HandlesCnt < MaxHandles ->
++ add_handle(State1, XF, ReqId, directory, {RelPath,unread});
++ true ->
++ ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_FAILURE,
++ "max_handles limit reached"),
++ State1
+ end;
+ handle_op(?SSH_FXP_READDIR, ReqId,
+ <<?UINT32(HLen), BinHandle:HLen/binary>>,
+@@ -755,7 +765,9 @@ open(Vsn, ReqId, Data, State) when Vsn >= 4 ->
+ do_open(ReqId, State, Path, Flags).
+
+ do_open(ReqId, State0, Path, Flags) ->
+- #state{file_handler = FileMod, file_state = FS0, xf = #ssh_xfer{vsn =
Vsn}} = State0,
++ #state{file_handler = FileMod, file_state = FS0, xf = #ssh_xfer{vsn =
Vsn},
++ max_handles = MaxHandles} = State0,
++ HandlesCnt = length(State0#state.handles),
+ AbsPath = relate_file_name(Path, State0),
+ {IsDir, _FS1} = FileMod:is_dir(AbsPath, FS0),
+ case IsDir of
+@@ -767,7 +779,7 @@ do_open(ReqId, State0, Path, Flags) ->
+ ssh_xfer:xf_send_status(State0#state.xf, ReqId,
+ ?SSH_FX_FAILURE, "File is a directory"),
+ State0;
+- false ->
++ false when HandlesCnt < MaxHandles ->
+ OpenFlags = [binary | Flags],
+ {Res, FS1} = FileMod:open(AbsPath, OpenFlags, FS0),
+ State1 = State0#state{file_state = FS1},
+@@ -778,7 +790,11 @@ do_open(ReqId, State0, Path, Flags) ->
+ ssh_xfer:xf_send_status(State1#state.xf, ReqId,
+
ssh_xfer:encode_erlang_status(Error)),
+ State1
+- end
++ end;
++ false ->
++ ssh_xfer:xf_send_status(State0#state.xf, ReqId,
++ ?SSH_FX_FAILURE, "max_handles limit
reached"),
++ State0
+ end.
+
+ %% resolve all symlinks in a path
+diff --git a/lib/ssh/test/ssh_sftpd_SUITE.erl
b/lib/ssh/test/ssh_sftpd_SUITE.erl
+index f04cde3..fade45b 100644
+--- a/lib/ssh/test/ssh_sftpd_SUITE.erl
++++ b/lib/ssh/test/ssh_sftpd_SUITE.erl
+@@ -52,7 +52,6 @@
+ retrieve_attributes/1,
+ root_with_cwd/1,
+ set_attributes/1,
+- sshd_read_file/1,
+ ver3_open_flags/1,
+ ver3_rename/1,
+ ver6_basic/1,
+@@ -72,6 +71,7 @@
+ -define(SSH_TIMEOUT, 10000).
+ -define(REG_ATTERS, <<0,0,0,0,1>>).
+ -define(UNIX_EPOCH, 62167219200).
++-define(MAX_HANDLES, 10).
+ -define(MAX_PATH, 200).
+ -define(is_set(F, Bits), ((F) band (Bits)) == (F)).
+
+@@ -98,8 +98,7 @@ all() ->
+ links,
+ ver3_rename,
+ ver3_open_flags,
+- relpath,
+- sshd_read_file,
++ relpath,
+ ver6_basic,
+ access_outside_root,
+ root_with_cwd,
+@@ -182,7 +181,8 @@ init_per_testcase(TestCase, Config) ->
+ ssh:daemon(0, [{subsystems, SubSystems}|Options]);
+ _ ->
+ SubSystems = [ssh_sftpd:subsystem_spec(
+- [{max_path, ?MAX_PATH}])],
++ [{max_handles, ?MAX_HANDLES},
++ {max_path, ?MAX_PATH}])],
+ ssh:daemon(0, [{subsystems, SubSystems}|Options])
+ end,
+
+@@ -318,22 +318,25 @@ open_close_dir(Config) when is_list(Config) ->
+ read_file(Config) when is_list(Config) ->
+ PrivDir = proplists:get_value(priv_dir, Config),
+ FileName = filename:join(PrivDir, "test.txt"),
+-
+- ReqId = 0,
+- {Cm, Channel} = proplists:get_value(sftp, Config),
+-
+- {ok, <<?SSH_FXP_HANDLE, ?UINT32(ReqId), Handle/binary>>, _} =
+- open_file(FileName, Cm, Channel, ReqId,
+- ?ACE4_READ_DATA bor ?ACE4_READ_ATTRIBUTES,
+- ?SSH_FXF_OPEN_EXISTING),
+-
+- NewReqId = 1,
+-
+- {ok, <<?SSH_FXP_DATA, ?UINT32(NewReqId), ?UINT32(_Length),
+- Data/binary>>, _} =
+- read_file(Handle, 100, 0, Cm, Channel, NewReqId),
+-
+- {ok, Data} = file:read_file(FileName).
++ {Cm, Channel} = proplists:get_value(sftp, Config),
++ [begin
++ R1 = req_id(),
++ {ok, <<?SSH_FXP_HANDLE, ?UINT32(R1), Handle/binary>>, _} =
++ open_file(FileName, Cm, Channel, R1, ?ACE4_READ_DATA bor
?ACE4_READ_ATTRIBUTES,
++ ?SSH_FXF_OPEN_EXISTING),
++ R2 = req_id(),
++ {ok, <<?SSH_FXP_DATA, ?UINT32(R2), ?UINT32(_Length), Data/binary>>,
_} =
++ read_file(Handle, 100, 0, Cm, Channel, R2),
++ {ok, Data} = file:read_file(FileName)
++ end || _I <- lists:seq(0, ?MAX_HANDLES-1)],
++ ReqId = req_id(),
++ {ok, <<?SSH_FXP_STATUS, ?UINT32(ReqId), ?UINT32(?SSH_FX_FAILURE),
++ ?UINT32(MsgLen), Msg:MsgLen/binary,
++ ?UINT32(LangTagLen), _LangTag:LangTagLen/binary>>, _} =
++ open_file(FileName, Cm, Channel, ReqId, ?ACE4_READ_DATA bor
?ACE4_READ_ATTRIBUTES,
++ ?SSH_FXF_OPEN_EXISTING),
++ ct:log("Message: ~s", [Msg]),
++ ok.
+
+ %%--------------------------------------------------------------------
+ max_path(Config) when is_list(Config) ->
+@@ -356,12 +359,21 @@ max_path(Config) when is_list(Config) ->
+ read_dir(Config) when is_list(Config) ->
+ PrivDir = proplists:get_value(priv_dir, Config),
+ {Cm, Channel} = proplists:get_value(sftp, Config),
+- ReqId = 0,
+- {ok, <<?SSH_FXP_HANDLE, ?UINT32(ReqId), Handle/binary>>, _} =
+- open_dir(PrivDir, Cm, Channel, ReqId),
+- ok = read_dir(Handle, Cm, Channel, ReqId).
++ [begin
++ R1 = req_id(),
++ {ok, <<?SSH_FXP_HANDLE, ?UINT32(R1), Handle/binary>>, _} =
++ open_dir(PrivDir, Cm, Channel, R1),
++ R2 = req_id(),
++ ok = read_dir(Handle, Cm, Channel, R2)
++ end || _I <- lists:seq(0, ?MAX_HANDLES-1)],
++ ReqId = req_id(),
++ {ok, <<?SSH_FXP_STATUS, ?UINT32(ReqId), ?UINT32(?SSH_FX_FAILURE),
++ ?UINT32(MsgLen), Msg:MsgLen/binary,
++ ?UINT32(LangTagLen), _LangTag:LangTagLen/binary>>, _} =
++ open_dir(PrivDir, Cm, Channel, ReqId),
++ ct:log("Message: ~s", [Msg]),
++ ok.
+
+-%%--------------------------------------------------------------------
+ write_file(Config) when is_list(Config) ->
+ PrivDir = proplists:get_value(priv_dir, Config),
+ FileName = filename:join(PrivDir, "test.txt"),
+@@ -661,27 +673,6 @@ relpath(Config) when is_list(Config) ->
+ Root = Path
+ end.
+
+-%%--------------------------------------------------------------------
+-sshd_read_file(Config) when is_list(Config) ->
+- PrivDir = proplists:get_value(priv_dir, Config),
+- FileName = filename:join(PrivDir, "test.txt"),
+-
+- ReqId = 0,
+- {Cm, Channel} = proplists:get_value(sftp, Config),
+-
+- {ok, <<?SSH_FXP_HANDLE, ?UINT32(ReqId), Handle/binary>>, _} =
+- open_file(FileName, Cm, Channel, ReqId,
+- ?ACE4_READ_DATA bor ?ACE4_READ_ATTRIBUTES,
+- ?SSH_FXF_OPEN_EXISTING),
+-
+- NewReqId = 1,
+-
+- {ok, <<?SSH_FXP_DATA, ?UINT32(NewReqId), ?UINT32(_Length),
+- Data/binary>>, _} =
+- read_file(Handle, 100, 0, Cm, Channel, NewReqId),
+-
+- {ok, Data} = file:read_file(FileName).
+-%%--------------------------------------------------------------------
+ ver6_basic(Config) when is_list(Config) ->
+ PrivDir = proplists:get_value(priv_dir, Config),
+ %FileName = filename:join(PrivDir, "test.txt"),
diff --git a/debian/patches/series b/debian/patches/series
index 405ebf00f2..2fdd8154c8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,7 @@ ssh-early-RCE-fix.patch
ssh-strict-KEX-exchange-hardening.patch
zip-sanitize-paths.patch
xslt-for-each.patch
+CVE-2025-48038.patch
+CVE-2025-48039.patch
+CVE-2025-48040.patch
+CVE-2025-48041.patch
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
new file mode 100644
index 0000000000..f437b7ffa5
--- /dev/null
+++ b/debian/salsa-ci.yml
@@ -0,0 +1,6 @@
+---
+include:
+ -
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bookworm'
--- End Message ---
