authorVijay Anusuri <vanusuri@mvista.com>2026-03-27 14:39:19 +0530
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-03 15:00:47 +0530
commit57fc94a42de71b3bd78ae46b0c92129b98d35dae (patch)
treee48f0465675cb6383b3d238b0eab9b97cf66bb93
parent3b8e032dbc03ef81a0142ea890cab20daf7ab5d1 (diff)
downloadmeta-openembedded-57fc94a42de71b3bd78ae46b0c92129b98d35dae.tar.gz
libssh: Fix CVE-2026-0966
Pick commits according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-0966
[2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch35
-rw-r--r--meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch71
-rw-r--r--meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch65
-rw-r--r--meta-oe/recipes-support/libssh/libssh_0.10.6.bb3
4 files changed, 174 insertions, 0 deletions
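--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch
@@ -0,0 +1,35 @@
+From 6ba5ff1b7b1547a59f750fbc06b89737b7456117 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 8 Jan 2026 12:09:50 +0100
+Subject: [PATCH] CVE-2026-0966 misc: Avoid heap buffer underflow in ssh_get_hexa
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117]
+CVE: CVE-2026-0966
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/misc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/misc.c b/src/misc.c
+index f371f332..565abcfc 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -451,7 +451,7 @@ char *ssh_get_hexa(const unsigned char *what, size_t len)
+ size_t i;
+ size_t hlen = len * 3;
+
+- if (len > (UINT_MAX - 1) / 3) {
++ if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) {
+ return NULL;
+ }
+
+--
+2.43.0
+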
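Review bot: With the widened guard, ssh_get_hexa() returns NULL for a NULL pointer or a zero length, so any caller that hands the result straight to a `%s` format or dereferences it needs a NULL check. The only such caller visible on this page is the guided-tour example, which the third patch rewrites; other callers in the 0.10.6 tree are not shown and should be audited before relying on this backport. The contract is also worth stating above the function, for example `@return NULL if what is NULL, len is 0, or len exceeds (UINT_MAX - 1) / 3`. As a point of style, `hlen = len * 3` is still computed before the range check; it is harmless for an unsigned size_t but would read more clearly after the guard. The function body starts and ends outside the hunk, so the allocation and the write named in the subject line are not visible here.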
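--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch
@@ -0,0 +1,71 @@
+From b156391833c66322436cf177d57e10b0325fbcc8 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 8 Jan 2026 12:10:16 +0100
+Subject: [PATCH] CVE-2026-0966 tests: Test coverage for ssh_get_hexa
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 9be83584a56580da5a2f41e47137056dc0249b52)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=b156391833c66322436cf177d57e10b0325fbcc8]
+CVE: CVE-2026-0966
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/unittests/torture_misc.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
+index 77166759..82d6cf16 100644
+--- a/tests/unittests/torture_misc.c
++++ b/tests/unittests/torture_misc.c
+@@ -877,6 +877,36 @@ static void torture_ssh_is_ipaddr(void **state) {
+ assert_int_equal(rc, 0);
+ }
+
++static void torture_ssh_get_hexa(void **state)
++{
++ const unsigned char *bin = NULL;
++ char *hex = NULL;
++
++ (void)state;
++
++ /* Null pointer should not crash */
++ bin = NULL;
++ hex = ssh_get_hexa(bin, 0);
++ assert_null(hex);
++
++ /* Null pointer should not crash regardless the length */
++ bin = NULL;
++ hex = ssh_get_hexa(bin, 99);
++ assert_null(hex);
++
++ /* Zero length input is not much useful. Just expect NULL too */
++ bin = (const unsigned char *)"";
++ hex = ssh_get_hexa(bin, 0);
++ assert_null(hex);
++
++ /* Valid inputs */
++ bin = (const unsigned char *)"\x00\xFF";
++ hex = ssh_get_hexa(bin, 2);
++ assert_non_null(hex);
++ assert_string_equal(hex, "00:ff");
++ ssh_string_free_char(hex);
++}
++
+ int torture_run_tests(void) {
+ int rc;
+ struct CMUnitTest tests[] = {
+@@ -903,6 +933,7 @@ int torture_run_tests(void) {
+ cmocka_unit_test(torture_ssh_strerror),
+ cmocka_unit_test(torture_ssh_check_hostname_syntax),
+ cmocka_unit_test(torture_ssh_is_ipaddr),
++ cmocka_unit_test(torture_ssh_get_hexa),
+ };
+
+ ssh_init();
+--
+2.43.0
+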
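Review bot: torture_ssh_get_hexa covers the rejected inputs (NULL pointer, length 0) and a two-byte input, but not a one-byte input, which is the smallest length the new guard accepts and the only case with no `:` separator. Adding `hex = ssh_get_hexa((const unsigned char *)"\xAB", 1);` followed by `assert_string_equal(hex, "ab");` and `ssh_string_free_char(hex);` would pin that boundary next to the length that used to underflow. The upper limit of the guard is untested as well; `assert_null(ssh_get_hexa(bin, (UINT_MAX - 1) / 3 + 1));` should be safe, because the check in the first patch appears to return before the buffer is read.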
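--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch
@@ -0,0 +1,65 @@
+From 3e1d276a5a030938a8f144f46ff4f2a2efe31ced Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 8 Jan 2026 12:10:44 +0100
+Subject: [PATCH] CVE-2026-0966 doc: Update guided tour to use SHA256 fingerprints
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 1b2a4f760bec35121c490f2294f915ebb9c992ae)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced]
+CVE: CVE-2026-0966
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ doc/guided_tour.dox | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox
+index 60f4087e..331c4b0a 100644
+--- a/doc/guided_tour.dox
++++ b/doc/guided_tour.dox
+@@ -190,7 +190,6 @@ int verify_knownhost(ssh_session session)
+ ssh_key srv_pubkey = NULL;
+ size_t hlen;
+ char buf[10];
+- char *hexa = NULL;
+ char *p = NULL;
+ int cmp;
+ int rc;
+@@ -201,7 +200,7 @@ int verify_knownhost(ssh_session session)
+ }
+
+ rc = ssh_get_publickey_hash(srv_pubkey,
+- SSH_PUBLICKEY_HASH_SHA1,
++ SSH_PUBLICKEY_HASH_SHA256,
+ &hash,
+ &hlen);
+ ssh_key_free(srv_pubkey);
+@@ -217,7 +216,7 @@ int verify_knownhost(ssh_session session)
+ break;
+ case SSH_KNOWN_HOSTS_CHANGED:
+ fprintf(stderr, "Host key for server changed: it is now:\n");
+- ssh_print_hexa("Public key hash", hash, hlen);
++ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+ fprintf(stderr, "For security reasons, connection will be stopped\n");
+ ssh_clean_pubkey_hash(&hash);
+
+@@ -238,10 +237,9 @@ int verify_knownhost(ssh_session session)
+ /* FALL THROUGH to SSH_SERVER_NOT_KNOWN behavior */
+
+ case SSH_KNOWN_HOSTS_UNKNOWN:
+- hexa = ssh_get_hexa(hash, hlen);
+ fprintf(stderr,"The server is unknown. Do you trust the host key?\n");
+- fprintf(stderr, "Public key hash: %s\n", hexa);
+- ssh_string_free_char(hexa);
++ fprintf(stderr, "Public key hash: ");
++ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+ ssh_clean_pubkey_hash(&hash);
+ p = fgets(buf, sizeof(buf), stdin);
+ if (p == NULL) {
+--
+2.43.0
+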
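--- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -25,6 +25,9 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
  file://CVE-2026-3731-1.patch \
  file://CVE-2026-3731-2.patch \
  file://CVE-2026-0964.patch \
+ file://CVE-2026-0966-1.patch \
+ file://CVE-2026-0966-2.patch \
+ file://CVE-2026-0966-3.patch \
  "
 SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
 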