1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00

libssh2: fix for CVE-2026-7598

Pick patch from [1] also mentioned at NVD report in [2]

[1] https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-7598
[3] https://security-tracker.debian.org/tracker/CVE-2026-7598

(From OE-Core rev: 84d6cca01c9d36ec112e5eb4104437f63ad2aee5)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Hitendra Prajapati
2026-05-13 16:39:47 +05:30
committed by Paul Barker
parent 1a099cb1fa
commit f6b67fe3e8
2 changed files with 61 additions and 0 deletions
@@ -0,0 +1,60 @@
From 256d04b60d80bf1190e96b0ad1e91b2174d744b1 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Mon, 13 Apr 2026 11:18:25 -0700
Subject: [PATCH] userauth.c: username_len bounds checking (#1858)
Return errors when username_len will exceed bounds, fix existing bounds
check.
Credit:
[dapickle](https://github.com/dapickle)
CVE: CVE-2026-7598
Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/userauth.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/userauth.c b/src/userauth.c
index 0040c3f..588b83f 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -80,6 +80,12 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
memset(&session->userauth_list_packet_requirev_state, 0,
sizeof(session->userauth_list_packet_requirev_state));
+ if(username_len > UINT32_MAX - 27) {
+ _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "username_len out of bounds");
+ return NULL;
+ }
+
session->userauth_list_data_len = username_len + 27;
s = session->userauth_list_data =
@@ -307,6 +313,11 @@ userauth_password(LIBSSH2_SESSION *session,
* 40 = packet_type(1) + username_len(4) + service_len(4) +
* service(14)"ssh-connection" + method_len(4) + method(8)"password" +
* chgpwdbool(1) + password_len(4) */
+ if(username_len > UINT32_MAX - 40) {
+ return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "username_len out of bounds");
+ }
+
session->userauth_pswd_data_len = username_len + 40;
session->userauth_pswd_data0 =
@@ -447,7 +458,7 @@ password_response:
}
/* basic data_len + newpw_len(4) */
- if(username_len + password_len + 44 <= UINT_MAX) {
+ if(username_len <= UINT32_MAX - password_len - 44) {
session->userauth_pswd_data_len =
username_len + password_len + 44;
s = session->userauth_pswd_data =
--
2.50.1
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2fbf8f834408079bf1fcbadb9814b1bc"
SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
file://run-ptest \
file://0001-Return-error-if-user-KEX-methods-are-invalid.patch \
file://CVE-2026-7598.patch \
"
SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"