From: Peter Marko <[email protected]> Pick patch mentioned in both NVD and Debian report.
Signed-off-by: Peter Marko <[email protected]> --- .../libssh2/libssh2/CVE-2026-7598.patch | 56 +++++++++++++++++++ .../recipes-support/libssh2/libssh2_1.11.1.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2026-7598.patch diff --git a/meta/recipes-support/libssh2/libssh2/CVE-2026-7598.patch b/meta/recipes-support/libssh2/libssh2/CVE-2026-7598.patch new file mode 100644 index 0000000000..314e6af370 --- /dev/null +++ b/meta/recipes-support/libssh2/libssh2/CVE-2026-7598.patch @@ -0,0 +1,56 @@ +From 256d04b60d80bf1190e96b0ad1e91b2174d744b1 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <[email protected]> +Date: Mon, 13 Apr 2026 11:18:25 -0700 +Subject: [PATCH] userauth.c: username_len bounds checking (#1858) + +Return errors when username_len will exceed bounds, fix existing bounds +check. + +Credit: +[dapickle](https://github.com/dapickle) + +CVE: CVE-2026-7598 +Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1] +Signed-off-by: Peter Marko <[email protected]> +--- + src/userauth.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/userauth.c b/src/userauth.c +index f8e02651..43d9ab9b 100644 +--- a/src/userauth.c ++++ b/src/userauth.c +@@ -80,6 +80,12 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username, + memset(&session->userauth_list_packet_requirev_state, 0, + sizeof(session->userauth_list_packet_requirev_state)); + ++ if(username_len > UINT32_MAX - 27) { ++ _libssh2_error(session, LIBSSH2_ERROR_PROTO, ++ "username_len out of bounds"); ++ return NULL; ++ } ++ + session->userauth_list_data_len = username_len + 27; + + s = session->userauth_list_data = +@@ -307,6 +313,11 @@ userauth_password(LIBSSH2_SESSION *session, + * 40 = packet_type(1) + username_len(4) + service_len(4) + + * service(14)"ssh-connection" + method_len(4) + method(8)"password" + + * chgpwdbool(1) + password_len(4) */ ++ if(username_len > UINT32_MAX - 40) { ++ return _libssh2_error(session, LIBSSH2_ERROR_PROTO, ++ "username_len out of bounds"); ++ } ++ + session->userauth_pswd_data_len = username_len + 40; + + session->userauth_pswd_data0 = +@@ -447,7 +458,7 @@ password_response: + } + + /* basic data_len + newpw_len(4) */ +- if(username_len + password_len + 44 <= UINT_MAX) { ++ if(username_len <= UINT32_MAX - password_len - 44) { + session->userauth_pswd_data_len = + username_len + password_len + 44; + s = session->userauth_pswd_data = diff --git a/meta/recipes-support/libssh2/libssh2_1.11.1.bb b/meta/recipes-support/libssh2/libssh2_1.11.1.bb index 0d1237852f..e825c8c5bb 100644 --- a/meta/recipes-support/libssh2/libssh2_1.11.1.bb +++ b/meta/recipes-support/libssh2/libssh2_1.11.1.bb @@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2fbf8f834408079bf1fcbadb9814b1bc" SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \ file://run-ptest \ file://0001-Return-error-if-user-KEX-methods-are-invalid.patch \ + file://CVE-2026-7598.patch \ " SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#236455): https://lists.openembedded.org/g/openembedded-core/message/236455 Mute This Topic: https://lists.openembedded.org/mt/119149834/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
