helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-02 02:49:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

libssh: Fix CVE-2026-0964

Browse Source 
Pick commit according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-0964
[2] https://www.libssh.org/security/advisories/CVE-2026-0964.txt

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Vijay Anusuri 2026-03-27 15:29:04 +05:30 committed by Gyorgy Sarvari
parent f589378b48
commit 9d8ef26a96
2 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
meta-oe/recipes-support/libssh/libssh/CVE-2026-0964.patch Normal file
View File

@ -0,0 +1,46 @@
From a5e4b12090b0c939d85af4f29280e40c5b6600aa Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 22 Dec 2025 19:16:44 +0100
Subject: [PATCH] CVE-2026-0964 scp: Reject invalid paths received through scp
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit daa80818f89347b4d80b0c5b80659f9a9e55e8cc)
Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=a5e4b12090b0c939d85af4f29280e40c5b6600aa]
CVE: CVE-2026-0964
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
src/scp.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/scp.c b/src/scp.c
index 652551e3..4590cf79 100644
--- a/src/scp.c
+++ b/src/scp.c
@@ -738,6 +738,22 @@ int ssh_scp_pull_request(ssh_scp scp)
size = strtoull(tmp, NULL, 10);
p++;
name = strdup(p);
+ /* Catch invalid name:
+ * - empty ones
+ * - containing any forward slash -- directory traversal handled
+ * differently
+ * - special names "." and ".." referring to the current and parent
+ * directories -- they are not expected either
+ */
+ if (name == NULL || name[0] == '\0' || strchr(name, '/') ||
+ strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
+ ssh_set_error(scp->session,
+ SSH_FATAL,
+ "Received invalid filename: %s",
+ name == NULL ? "<NULL>" : name);
+ SAFE_FREE(name);
+ goto error;
+ }
SAFE_FREE(scp->request_name);
scp->request_name = name;
if (buffer[0] == 'C') {
--
2.25.1

1
meta-oe/recipes-support/libssh/libssh_0.8.9.bb
View File

@ -31,6 +31,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
file://CVE-2026-3731.patch \ file://CVE-2026-3731.patch \
file://CVE-2026-0966-1.patch \ file://CVE-2026-0966-1.patch \
file://CVE-2026-0966-2.patch \ file://CVE-2026-0966-2.patch \
file://CVE-2026-0964.patch \
" "
SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"