Hi, it is the same patch for scarthgap, wrynose and master. The last release of libssh2 was libssh2 1.11.1, released on 2024-10-16
Best regards, Daniel ________________________________ From: Daniel Turull <[email protected]> Sent: Monday, June 22, 2026 11:33 AM To: [email protected] <[email protected]> Cc: [email protected] <[email protected]>; Daniel Turull <[email protected]> Subject: [PATCH] libssh2: fix CVE-2026-55200 From: Daniel Turull <[email protected]> Backport patch to fix CVE-2026-55200. https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2026-55200&data=05%7C02%7Cdaniel.turull%40ericsson.com%7C380160d5f0454d1ff74708ded0415503%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639177176172245168%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=x0PEtNrUxDn3ap4t8IRPibWGSluDhB2fvbhGfqB5zI0%3D&reserved=0<https://nvd.nist.gov/vuln/detail/CVE-2026-55200> Upstream fix: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Flibssh2%2Flibssh2%2Fcommit%2F97acf3dfda80c91c3a8c9f2372546301d4a1a7a8&data=05%7C02%7Cdaniel.turull%40ericsson.com%7C380160d5f0454d1ff74708ded0415503%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639177176172278243%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=pLfxTiNg%2BKJc2KzfvPBJHTRCYdt7ruSljxCyiK9T6o4%3D&reserved=0<https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8> Tested with ptest: Before: PASSED: 3, FAILED: 0, SKIPPED: 0 After: PASSED: 3, FAILED: 0, SKIPPED: 0 Reviewed-by: Anders Heimer <[email protected] Signed-off-by: Daniel Turull <[email protected]> --- .../libssh2/libssh2/CVE-2026-55200.patch | 36 +++++++++++++++++++ .../recipes-support/libssh2/libssh2_1.11.1.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2026-55200.patch diff --git a/meta/recipes-support/libssh2/libssh2/CVE-2026-55200.patch b/meta/recipes-support/libssh2/libssh2/CVE-2026-55200.patch new file mode 100644 index 0000000000..9a71277cce --- /dev/null +++ b/meta/recipes-support/libssh2/libssh2/CVE-2026-55200.patch @@ -0,0 +1,36 @@ +From df0b03ee5ef12f3a46fccc0fc688ebfb91702972 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <[email protected]> +Date: Fri, 12 Jun 2026 15:57:44 -0700 +Subject: [PATCH] transport.c: Additional boundary checks for packet length + (#2052) + +Add additional bounds checking on packet length to prevent OOB write. + +Credit: [TristanInSec](https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FTristanInSec&data=05%7C02%7Cdaniel.turull%40ericsson.com%7C380160d5f0454d1ff74708ded0415503%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639177176172291860%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=burE%2BssH971QHGaL54oTCRH4KtOJmV7HARO9YVZ7t1U%3D&reserved=0) + +CVE: CVE-2026-55200 +Upstream-Status: Backport [https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Flibssh2%2Flibssh2%2Fcommit%2F97acf3dfda80c91c3a8c9f2372546301d4a1a7a8&data=05%7C02%7Cdaniel.turull%40ericsson.com%7C380160d5f0454d1ff74708ded0415503%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639177176172309431%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=xl8wl5MyK8t6qDm%2BCnhVF5MJ4%2BYwPWLgZwRVs%2Foll%2FA%3D&reserved=0<https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8>] + +Signed-off-by: Daniel Turull <[email protected]> +--- + src/transport.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/transport.c b/src/transport.c +index e1120656..d147505b 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -639,8 +639,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + total_num = 4; + + p->packet_length = _libssh2_ntohu32(block); +- if(p->packet_length < 1) ++ if(p->packet_length < 1) { + return LIBSSH2_ERROR_DECRYPT; ++ } ++ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) { ++ return LIBSSH2_ERROR_OUT_OF_BOUNDARY; ++ } + + /* total_num may include size field, however due to existing + * logic it needs to be removed after the entire packet is read diff --git a/meta/recipes-support/libssh2/libssh2_1.11.1.bb b/meta/recipes-support/libssh2/libssh2_1.11.1.bb index e825c8c5bb..5ffc40b8fc 100644 --- a/meta/recipes-support/libssh2/libssh2_1.11.1.bb +++ b/meta/recipes-support/libssh2/libssh2_1.11.1.bb @@ -11,6 +11,7 @@ SRC_URI = "https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.libssh2.org%2Fdownload%2F%24&data=05%7C02%7Cdaniel.turull%40ericsson.com%7C380160d5f0454d1ff74708ded0415503%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639177176172325100%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=YtFT2NdDTIZ6wdi0A9BWMoMd2dZAKxKfbjG8UFFq9rM%3D&reserved=0{BP}.tar.gz \ file://run-ptest \ file://0001-Return-error-if-user-KEX-methods-are-invalid.patch \ file://CVE-2026-7598.patch \ + file://CVE-2026-55200.patch \ " SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7" -- 2.51.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239280): https://lists.openembedded.org/g/openembedded-core/message/239280 Mute This Topic: https://lists.openembedded.org/mt/119921119/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
