libssh: Fix CVE-2026-0964

Pick commits according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-0964
[2] https://www.libssh.org/security/advisories/CVE-2026-0964.txt

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Vijay Anusuri
2026-03-27 14:39:18 +05:30
committed by Anuj Mittal
parent 0e43651ad3
commit 3b8e032dbc
2 changed files with 47 additions and 0 deletions
@@ -0,0 +1,46 @@
From a5e4b12090b0c939d85af4f29280e40c5b6600aa Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 22 Dec 2025 19:16:44 +0100
Subject: [PATCH] CVE-2026-0964 scp: Reject invalid paths received through scp
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit daa80818f89347b4d80b0c5b80659f9a9e55e8cc)
Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=a5e4b12090b0c939d85af4f29280e40c5b6600aa]
CVE: CVE-2026-0964
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
src/scp.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/scp.c b/src/scp.c
index 103822ce..09dc1a1b 100644
--- a/src/scp.c
+++ b/src/scp.c
@@ -848,6 +848,22 @@ int ssh_scp_pull_request(ssh_scp scp)
size = strtoull(tmp, NULL, 10);
p++;
name = strdup(p);
+ /* Catch invalid name:
+ * - empty ones
+ * - containing any forward slash -- directory traversal handled
+ * differently
+ * - special names "." and ".." referring to the current and parent
+ * directories -- they are not expected either
+ */
+ if (name == NULL || name[0] == '\0' || strchr(name, '/') ||
+ strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
+ ssh_set_error(scp->session,
+ SSH_FATAL,
+ "Received invalid filename: %s",
+ name == NULL ? "<NULL>" : name);
+ SAFE_FREE(name);
+ goto error;
+ }
SAFE_FREE(scp->request_name);
scp->request_name = name;
if (buffer[0] == 'C') {
--
2.43.0
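Review bot: The new condition in ssh_scp_pull_request() folds a failed `strdup()` into the hostile-filename case, so an out-of-memory condition is reported as `Received invalid filename: <NULL>` and looks like a protocol violation by the peer in logs and alerts. Handling the allocation failure before the name checks keeps the two apart: `if (name == NULL) { ssh_set_error_oom(scp->session); goto error; }`, and the `name == NULL ? "<NULL>" : name` ternary can then be dropped. The rejected name is also copied verbatim from the remote side into the error string, so a short comment such as `/* name is peer-controlled; escape it before logging or display */` would help consumers of the session error text. The check rejects only `/`; whether other separators matter depends on the target platform and is not visible here. The function body starts and ends outside this hunk, so the cleanup under the `error` label is assumed rather than seen.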
@@ -24,6 +24,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
file://CVE-2025-8277-4.patch \
file://CVE-2026-3731-1.patch \
file://CVE-2026-3731-2.patch \
file://CVE-2026-0964.patch \
"
SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"