helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-02 02:49:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

libssh: Fix CVE-2026-3731

Browse Source 
Pick commit according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-3731
[2] https://www.libssh.org/security/advisories/libssh-2026-sftp-extensions.txt

Skip the test file change as it's not available in libssh-0.8.9

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Vijay Anusuri 2026-03-12 09:57:28 +05:30 committed by Gyorgy Sarvari
parent 9b58919732
commit 8af1978e48
2 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch Normal file
View File

@ -0,0 +1,44 @@
From f80670a7aba86cbb442c9b115c9eaf4ca04601b8 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 11 Dec 2025 13:22:44 +0100
Subject: [PATCH] sftp: Fix out-of-bound read from sftp extensions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol ŽáÄ<C2A1>ik <pzacik@redhat.com>
(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8]
CVE: CVE-2026-3731
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
src/sftp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sftp.c b/src/sftp.c
index 43eb1ad6..be473793 100644
--- a/src/sftp.c
+++ b/src/sftp.c
@@ -686,7 +686,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) {
return NULL;
}
- if (idx > sftp->ext->count) {
+ if (idx >= sftp->ext->count) {
ssh_set_error_invalid(sftp->session);
return NULL;
}
@@ -702,7 +702,7 @@ const char *sftp_extensions_get_data(sftp_session sftp, unsigned int idx) {
return NULL;
}
- if (idx > sftp->ext->count) {
+ if (idx >= sftp->ext->count) {
ssh_set_error_invalid(sftp->session);
return NULL;
}
--
2.25.1

1
meta-oe/recipes-support/libssh/libssh_0.8.9.bb
View File

@ -28,6 +28,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
file://CVE-2025-8277-2.patch \
file://CVE-2025-8277-3.patch \
file://CVE-2025-8114.patch \
file://CVE-2026-3731.patch \
"
SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"