| author | Vijay Anusuri <vanusuri@mvista.com> | 2026-03-27 15:29:04 +0530 |
|---|---|---|
| committer | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-03-29 11:11:33 +0200 |
| commit | 9d8ef26a9693e2c70ae34abe1a753873d42ec588 (patch) | |
| tree | 23fbb2a7747998505e1926d336ea10d8ff4709e6 | |
| parent | f589378b4835499affa7d5d6f362628580f59b7f (diff) | |
| download | meta-openembedded-kirkstone.tar.gz | |
libssh: Fix CVE-2026-0964
Pick commit according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-0964
[2] https://www.libssh.org/security/advisories/CVE-2026-0964.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
| -rw-r--r-- | meta-oe/recipes-support/libssh/libssh/CVE-2026-0964.patch | 46 | ||||
| -rw-r--r-- | meta-oe/recipes-support/libssh/libssh_0.8.9.bb | 1 |
2 files changed, 47 insertions, 0 deletions
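--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0964.patch
@@ -0,0 +1,46 @@
+From a5e4b12090b0c939d85af4f29280e40c5b6600aa Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 22 Dec 2025 19:16:44 +0100
+Subject: [PATCH] CVE-2026-0964 scp: Reject invalid paths received through scp
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit daa80818f89347b4d80b0c5b80659f9a9e55e8cc)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=a5e4b12090b0c939d85af4f29280e40c5b6600aa]
+CVE: CVE-2026-0964
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/scp.c | 16 ++++++++++++++++
+1 file changed, 16 insertions(+)
+
+diff --git a/src/scp.c b/src/scp.c
+index 652551e3..4590cf79 100644
+--- a/src/scp.c
++++ b/src/scp.c
+@@ -738,6 +738,22 @@ int ssh_scp_pull_request(ssh_scp scp)
+size = strtoull(tmp, NULL, 10);
+p++;
+name = strdup(p);
++ /* Catch invalid name:
++ * - empty ones
++ * - containing any forward slash -- directory traversal handled
++ * differently
++ * - special names "." and ".." referring to the current and parent
++ * directories -- they are not expected either
++ */
++ if (name == NULL || name[0] == '\0' || strchr(name, '/') ||
++ strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
++ ssh_set_error(scp->session,
++ SSH_FATAL,
++ "Received invalid filename: %s",
++ name == NULL ? "<NULL>" : name);
++ SAFE_FREE(name);
++ goto error;
++ }
+SAFE_FREE(scp->request_name);
+scp->request_name = name;
+if (buffer[0] == 'C') {
+--
+2.25.1
+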
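Review bot: The separator test in the added condition, `strchr(name, '/')`, rejects only the forward slash; if this scp client is also built on Windows, where `\` is a path separator, a server-sent name such as `..\x` would still pass and be stored in `scp->request_name`, so consider `strchr(name, '/') || strchr(name, '\\')` or a platform-guarded equivalent. The rejected name is also echoed verbatim into the session error through `%s`; that is safe as a format string, but a malicious server can still place newlines or terminal escape sequences into a message that callers may log, so a comment such as `/* name is attacker-controlled; sanitize before logging */` or an escaping step before ssh_set_error would be prudent. The `SAFE_FREE(name)` before `goto error` correctly avoids leaking the duplicate, but ssh_scp_pull_request starts and ends outside the hunk, so what the `error` label itself releases cannot be confirmed from here.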
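--- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
 file://CVE-2026-3731.patch \
 file://CVE-2026-0966-1.patch \
 file://CVE-2026-0966-2.patch \
+file://CVE-2026-0964.patch \
 "
 SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"
 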
