| author | Vijay Anusuri <vanusuri@mvista.com> | 2026-03-27 14:39:19 +0530 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-03 15:00:47 +0530 |
| commit | 57fc94a42de71b3bd78ae46b0c92129b98d35dae (patch) | |
| tree | e48f0465675cb6383b3d238b0eab9b97cf66bb93 | |
| parent | 3b8e032dbc03ef81a0142ea890cab20daf7ab5d1 (diff) | |
| download | meta-openembedded-57fc94a42de71b3bd78ae46b0c92129b98d35dae.tar.gz | |
libssh: Fix CVE-2026-0966
Pick commits according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-0966
[2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
4 files changed, 174 insertions, 0 deletions
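--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch
@@ -0,0 +1,35 @@
+From 6ba5ff1b7b1547a59f750fbc06b89737b7456117 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 8 Jan 2026 12:09:50 +0100
+Subject: [PATCH] CVE-2026-0966 misc: Avoid heap buffer underflow in ssh_get_hexa
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117]
+CVE: CVE-2026-0966
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/misc.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/misc.c b/src/misc.c
+index f371f332..565abcfc 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -451,7 +451,7 @@ char *ssh_get_hexa(const unsigned char *what, size_t len)
+size_t i;
+size_t hlen = len * 3;
+
+- if (len > (UINT_MAX - 1) / 3) {
++ if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) {
+return NULL;
+}
+
+--
+2.43.0
+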
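Review bot: The widened guard in ssh_get_hexa() makes NULL a routine return value (NULL pointer, zero length, oversized length), but nothing in the hunk records that contract for callers. A caller that passes the result straight to a `%s` format would now hand the formatter a NULL pointer for an empty buffer, so the function's header comment should state it, for example `@return The hex string, or NULL if what is NULL, len is 0 or len is too large; callers must check the result before use.` The header comment and the rest of the body are outside the hunk, so an existing note there could not be checked. The heap underflow itself presumably came from indexing with `hlen - 1` when `hlen` is 0; that line is not visible here.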
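--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch
@@ -0,0 +1,71 @@
+From b156391833c66322436cf177d57e10b0325fbcc8 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 8 Jan 2026 12:10:16 +0100
+Subject: [PATCH] CVE-2026-0966 tests: Test coverage for ssh_get_hexa
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 9be83584a56580da5a2f41e47137056dc0249b52)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=b156391833c66322436cf177d57e10b0325fbcc8]
+CVE: CVE-2026-0966
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+tests/unittests/torture_misc.c | 31 +++++++++++++++++++++++++++++++
+1 file changed, 31 insertions(+)
+
+diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
+index 77166759..82d6cf16 100644
+--- a/tests/unittests/torture_misc.c
++++ b/tests/unittests/torture_misc.c
+@@ -877,6 +877,36 @@ static void torture_ssh_is_ipaddr(void **state) {
+assert_int_equal(rc, 0);
+}
+
++static void torture_ssh_get_hexa(void **state)
++{
++ const unsigned char *bin = NULL;
++ char *hex = NULL;
++
++ (void)state;
++
++ /* Null pointer should not crash */
++ bin = NULL;
++ hex = ssh_get_hexa(bin, 0);
++ assert_null(hex);
++
++ /* Null pointer should not crash regardless the length */
++ bin = NULL;
++ hex = ssh_get_hexa(bin, 99);
++ assert_null(hex);
++
++ /* Zero length input is not much useful. Just expect NULL too */
++ bin = (const unsigned char *)"";
++ hex = ssh_get_hexa(bin, 0);
++ assert_null(hex);
++
++ /* Valid inputs */
++ bin = (const unsigned char *)"\x00\xFF";
++ hex = ssh_get_hexa(bin, 2);
++ assert_non_null(hex);
++ assert_string_equal(hex, "00:ff");
++ ssh_string_free_char(hex);
++}
++
+int torture_run_tests(void) {
+int rc;
+struct CMUnitTest tests[] = {
+@@ -903,6 +933,7 @@ int torture_run_tests(void) {
+cmocka_unit_test(torture_ssh_strerror),
+cmocka_unit_test(torture_ssh_check_hostname_syntax),
+cmocka_unit_test(torture_ssh_is_ipaddr),
++ cmocka_unit_test(torture_ssh_get_hexa),
+};
+
+ssh_init();
+--
+2.43.0
+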
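Review bot: torture_ssh_get_hexa() covers the NULL and zero-length rejections but never exercises the third arm of the guard, `len > (UINT_MAX - 1) / 3`, the overflow bound the function already had. A case with a non-NULL `bin`, such as `hex = ssh_get_hexa(bin, (UINT_MAX - 1) / 3 + 1); assert_null(hex);`, would pin it. Going by the guard shown in the src/misc.c patch the function returns before touching the buffer, but confirm that against the full body before adding the case. A one-byte input would also be worth asserting, since it is the smallest accepted length and sits next to the rejected zero-length case.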
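--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch
@@ -0,0 +1,65 @@
+From 3e1d276a5a030938a8f144f46ff4f2a2efe31ced Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 8 Jan 2026 12:10:44 +0100
+Subject: [PATCH] CVE-2026-0966 doc: Update guided tour to use SHA256 fingerprints
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 1b2a4f760bec35121c490f2294f915ebb9c992ae)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced]
+CVE: CVE-2026-0966
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+doc/guided_tour.dox | 10 ++++------
+1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox
+index 60f4087e..331c4b0a 100644
+--- a/doc/guided_tour.dox
++++ b/doc/guided_tour.dox
+@@ -190,7 +190,6 @@ int verify_knownhost(ssh_session session)
+ssh_key srv_pubkey = NULL;
+size_t hlen;
+char buf[10];
+- char *hexa = NULL;
+char *p = NULL;
+int cmp;
+int rc;
+@@ -201,7 +200,7 @@ int verify_knownhost(ssh_session session)
+}
+
+rc = ssh_get_publickey_hash(srv_pubkey,
+- SSH_PUBLICKEY_HASH_SHA1,
++ SSH_PUBLICKEY_HASH_SHA256,
+&hash,
+&hlen);
+ssh_key_free(srv_pubkey);
+@@ -217,7 +216,7 @@ int verify_knownhost(ssh_session session)
+break;
+case SSH_KNOWN_HOSTS_CHANGED:
+fprintf(stderr, "Host key for server changed: it is now:\n");
+- ssh_print_hexa("Public key hash", hash, hlen);
++ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+fprintf(stderr, "For security reasons, connection will be stopped\n");
+ssh_clean_pubkey_hash(&hash);
+
+@@ -238,10 +237,9 @@ int verify_knownhost(ssh_session session)
+/* FALL THROUGH to SSH_SERVER_NOT_KNOWN behavior */
+
+case SSH_KNOWN_HOSTS_UNKNOWN:
+- hexa = ssh_get_hexa(hash, hlen);
+fprintf(stderr,"The server is unknown. Do you trust the host key?\n");
+- fprintf(stderr, "Public key hash: %s\n", hexa);
+- ssh_string_free_char(hexa);
++ fprintf(stderr, "Public key hash: ");
++ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+ssh_clean_pubkey_hash(&hash);
+p = fgets(buf, sizeof(buf), stdin);
+if (p == NULL) {
+--
+2.43.0
+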
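--- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -25,6 +25,9 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
 file://CVE-2026-3731-1.patch \
 file://CVE-2026-3731-2.patch \
 file://CVE-2026-0964.patch \
+file://CVE-2026-0966-1.patch \
+file://CVE-2026-0966-2.patch \
+file://CVE-2026-0966-3.patch \
 "
 SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
 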
