mirror of
https://git.yoctoproject.org/poky
synced 2026-07-15 15:37:03 +00:00
libssh2: fix for CVE-2026-7598
Pick patch from [1] also mentioned at NVD report in [2] [1] https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-7598 [3] https://security-tracker.debian.org/tracker/CVE-2026-7598 (From OE-Core rev: 84d6cca01c9d36ec112e5eb4104437f63ad2aee5) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
1a099cb1fa
commit
f6b67fe3e8
@@ -0,0 +1,60 @@
|
||||
From 256d04b60d80bf1190e96b0ad1e91b2174d744b1 Mon Sep 17 00:00:00 2001
|
||||
From: Will Cosgrove <will@panic.com>
|
||||
Date: Mon, 13 Apr 2026 11:18:25 -0700
|
||||
Subject: [PATCH] userauth.c: username_len bounds checking (#1858)
|
||||
|
||||
Return errors when username_len will exceed bounds, fix existing bounds
|
||||
check.
|
||||
|
||||
Credit:
|
||||
[dapickle](https://github.com/dapickle)
|
||||
|
||||
|
||||
CVE: CVE-2026-7598
|
||||
Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1]
|
||||
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||
---
|
||||
src/userauth.c | 13 ++++++++++++-
|
||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/userauth.c b/src/userauth.c
|
||||
index 0040c3f..588b83f 100644
|
||||
--- a/src/userauth.c
|
||||
+++ b/src/userauth.c
|
||||
@@ -80,6 +80,12 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
|
||||
memset(&session->userauth_list_packet_requirev_state, 0,
|
||||
sizeof(session->userauth_list_packet_requirev_state));
|
||||
|
||||
+ if(username_len > UINT32_MAX - 27) {
|
||||
+ _libssh2_error(session, LIBSSH2_ERROR_PROTO,
|
||||
+ "username_len out of bounds");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
session->userauth_list_data_len = username_len + 27;
|
||||
|
||||
s = session->userauth_list_data =
|
||||
@@ -307,6 +313,11 @@ userauth_password(LIBSSH2_SESSION *session,
|
||||
* 40 = packet_type(1) + username_len(4) + service_len(4) +
|
||||
* service(14)"ssh-connection" + method_len(4) + method(8)"password" +
|
||||
* chgpwdbool(1) + password_len(4) */
|
||||
+ if(username_len > UINT32_MAX - 40) {
|
||||
+ return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
|
||||
+ "username_len out of bounds");
|
||||
+ }
|
||||
+
|
||||
session->userauth_pswd_data_len = username_len + 40;
|
||||
|
||||
session->userauth_pswd_data0 =
|
||||
@@ -447,7 +458,7 @@ password_response:
|
||||
}
|
||||
|
||||
/* basic data_len + newpw_len(4) */
|
||||
- if(username_len + password_len + 44 <= UINT_MAX) {
|
||||
+ if(username_len <= UINT32_MAX - password_len - 44) {
|
||||
session->userauth_pswd_data_len =
|
||||
username_len + password_len + 44;
|
||||
s = session->userauth_pswd_data =
|
||||
--
|
||||
2.50.1
|
||||
|
||||
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2fbf8f834408079bf1fcbadb9814b1bc"
|
||||
SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
|
||||
file://run-ptest \
|
||||
file://0001-Return-error-if-user-KEX-methods-are-invalid.patch \
|
||||
file://CVE-2026-7598.patch \
|
||||
"
|
||||
|
||||
SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"
|
||||
|
||||
Reference in New Issue
Block a user