libssh: Fix CVE-2026-3731

Pick the patch [1] and [2] as mentioned in [3] [1] https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8 [2] https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540 [3] https://security-tracker.debian.org/tracker/CVE-2026-3731 Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Deepak Rathore <deeratho@cisco.com> 2026-03-11 03:25:14 -0700
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-26 10:29:23 +0530
commit: 92bfb48d4c9fda7185446d6e04f84bbab3c15558 (patch)
tree: a0b4c2a087067ee49c351bb3f451b5ece5eeaa75
parent: 0fd2ea7e0b0019a6f24708513402b2532c5711a5 (diff)
download: meta-openembedded-92bfb48d4c9fda7185446d6e04f84bbab3c15558.tar.gz
3 files changed, 139 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch
new file mode 100644
index 0000000000..bf1fbcc027
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch
@@ -0,0 +1,35 @@
+From 04d2f831fa8da74c973538cd3f621061a7656771 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 11 Dec 2025 13:22:44 +0100
+Subject: [PATCH 1/2] sftp: Fix out-of-bound read from sftp extensions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+CVE: CVE-2026-3731
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8]
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
+(cherry picked from commit f80670a7aba86cbb442c9b115c9eaf4ca04601b8)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/sftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/sftp.c b/src/sftp.c
+index 37b4133b..05e05019 100644
+--- a/src/sftp.c
+++ b/src/sftp.c
+@@ -583,7 +583,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) {
+     return NULL;
+   }
+-  if (idx > sftp->ext->count) {
+  if (idx >= sftp->ext->count) {
+     ssh_set_error_invalid(sftp->session);
+     return NULL;
+   }
+--
+2.35.6
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch
new file mode 100644
index 0000000000..b5a267b808
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch
@@ -0,0 +1,102 @@
+From df01168bb3863306ba0f35b50e5b2e5dd00ba9f6 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 11 Dec 2025 13:21:23 +0100
+Subject: [PATCH 2/2] Reproducer for out of bounds read of SFTP extensions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+CVE: CVE-2026-3731
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540]
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit b90b7f24517efa7ab21506db9379aa3dce9fee7d)
+(cherry picked from commit 02c6f5f7ec8629a7cff6a28cde9701ab10304540)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ tests/client/torture_sftp_init.c | 62 +++++++++++++++++++++++++++++++-
+ 1 file changed, 61 insertions(+), 1 deletion(-)
+diff --git a/tests/client/torture_sftp_init.c b/tests/client/torture_sftp_init.c
+index a17f01fe..cdc24426 100644
+--- a/tests/client/torture_sftp_init.c
+++ b/tests/client/torture_sftp_init.c
+@@ -72,6 +72,63 @@ static void session_setup_channel(void **state)
+     assert_non_null(s->ssh.tsftp);
+ }
+static void session_setup_extensions(void **state)
+{
+    struct torture_state *s = *state;
+    struct passwd *pwd = NULL;
+    int rc, count;
+    const char *name = NULL, *data = NULL;
+    sftp_session sftp = NULL;
+
+    pwd = getpwnam("bob");
+    assert_non_null(pwd);
+
+    rc = setuid(pwd->pw_uid);
+    assert_return_code(rc, errno);
+
+    s->ssh.session = torture_ssh_session(s,
+                                         TORTURE_SSH_SERVER,
+                                         NULL,
+                                         TORTURE_SSH_USER_ALICE,
+                                         NULL);
+    assert_non_null(s->ssh.session);
+
+    s->ssh.tsftp = torture_sftp_session(s->ssh.session);
+    assert_non_null(s->ssh.tsftp);
+    sftp = s->ssh.tsftp->sftp;
+
+    /* null parameter */
+    count = sftp_extensions_get_count(NULL);
+    assert_int_equal(count, 0);
+
+    count = sftp_extensions_get_count(sftp);
+    assert_int_not_equal(count, 0);
+
+    /* first null parameter */
+    name = sftp_extensions_get_name(NULL, 0);
+    assert_null(name);
+    data = sftp_extensions_get_data(NULL, 0);
+    assert_null(data);
+
+    /* First extension */
+    name = sftp_extensions_get_name(sftp, 0);
+    assert_non_null(name);
+    data = sftp_extensions_get_data(sftp, 0);
+    assert_non_null(data);
+
+    /* Last extension */
+    name = sftp_extensions_get_name(sftp, count - 1);
+    assert_non_null(name);
+    data = sftp_extensions_get_data(sftp, count - 1);
+    assert_non_null(data);
+
+    /* Overrun */
+    name = sftp_extensions_get_name(sftp, count);
+    assert_null(name);
+    data = sftp_extensions_get_data(sftp, count);
+    assert_null(data);
+}
+
+ static int session_teardown(void **state)
+ {
+     struct torture_state *s = *state;
+@@ -92,7 +149,10 @@ int torture_run_tests(void) {
+                                         session_teardown),
+         cmocka_unit_test_setup_teardown(session_setup_channel,
+                                         NULL,
+-                                        session_teardown)
+                                        session_teardown),
+        cmocka_unit_test_setup_teardown(session_setup_extensions,
+                                        NULL,
+                                        session_teardown),
+     };
+     ssh_init();
+--
+2.35.6
diff --git a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
index 5928581312..ab47931fa3 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
@@ -9,6 +9,8 @@ DEPENDS = "zlib openssl"
 SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.11;tag=${BPN}-${PV} \
           file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
           file://run-ptest \
+           file://CVE-2026-3731_p1.patch \
+           file://CVE-2026-3731_p2.patch \
          "
 SRC_URI:append:toolchain-clang = " file://0001-CompilerChecks.cmake-drop-Wunused-variable-flag.patch"
author	Deepak Rathore <deeratho@cisco.com>	2026-03-11 03:25:14 -0700
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-26 10:29:23 +0530
commit	92bfb48d4c9fda7185446d6e04f84bbab3c15558 (patch)
tree	a0b4c2a087067ee49c351bb3f451b5ece5eeaa75
parent	0fd2ea7e0b0019a6f24708513402b2532c5711a5 (diff)
download	meta-openembedded-92bfb48d4c9fda7185446d6e04f84bbab3c15558.tar.gz

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch new file mode 100644 index 0000000000..bf1fbcc027 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch
@@ -0,0 +1,35 @@
		1	From 04d2f831fa8da74c973538cd3f621061a7656771 Mon Sep 17 00:00:00 2001
		2	From: Jakub Jelen <jjelen@redhat.com>
		3	Date: Thu, 11 Dec 2025 13:22:44 +0100
		4	Subject: [PATCH 1/2] sftp: Fix out-of-bound read from sftp extensions
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	CVE: CVE-2026-3731
		10	Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8]
		11
		12	Signed-off-by: Jakub Jelen <jjelen@redhat.com>
		13	Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
		14	(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
		15	(cherry picked from commit f80670a7aba86cbb442c9b115c9eaf4ca04601b8)
		16	Signed-off-by: Deepak Rathore <deeratho@cisco.com>
		17	---
		18	src/sftp.c \| 2 +-
		19	1 file changed, 1 insertion(+), 1 deletion(-)
		20
		21	diff --git a/src/sftp.c b/src/sftp.c
		22	index 37b4133b..05e05019 100644
		23	--- a/src/sftp.c
		24	+++ b/src/sftp.c
		25	@@ -583,7 +583,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) {
		26	return NULL;
		27	}
		28
		29	- if (idx > sftp->ext->count) {
		30	+ if (idx >= sftp->ext->count) {
		31	ssh_set_error_invalid(sftp->session);
		32	return NULL;
		33	}
		34	--
		35	2.35.6


diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch new file mode 100644 index 0000000000..b5a267b808 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch
@@ -0,0 +1,102 @@
		1	From df01168bb3863306ba0f35b50e5b2e5dd00ba9f6 Mon Sep 17 00:00:00 2001
		2	From: Jakub Jelen <jjelen@redhat.com>
		3	Date: Thu, 11 Dec 2025 13:21:23 +0100
		4	Subject: [PATCH 2/2] Reproducer for out of bounds read of SFTP extensions
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	CVE: CVE-2026-3731
		10	Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540]
		11
		12	Signed-off-by: Jakub Jelen <jjelen@redhat.com>
		13	Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
		14	(cherry picked from commit b90b7f24517efa7ab21506db9379aa3dce9fee7d)
		15	(cherry picked from commit 02c6f5f7ec8629a7cff6a28cde9701ab10304540)
		16	Signed-off-by: Deepak Rathore <deeratho@cisco.com>
		17	---
		18	tests/client/torture_sftp_init.c \| 62 +++++++++++++++++++++++++++++++-
		19	1 file changed, 61 insertions(+), 1 deletion(-)
		20
		21	diff --git a/tests/client/torture_sftp_init.c b/tests/client/torture_sftp_init.c
		22	index a17f01fe..cdc24426 100644
		23	--- a/tests/client/torture_sftp_init.c
		24	+++ b/tests/client/torture_sftp_init.c
		25	@@ -72,6 +72,63 @@ static void session_setup_channel(void **state)
		26	assert_non_null(s->ssh.tsftp);
		27	}
		28
		29	+static void session_setup_extensions(void **state)
		30	+{
		31	+ struct torture_state s = state;
		32	+ struct passwd *pwd = NULL;
		33	+ int rc, count;
		34	+ const char name = NULL, data = NULL;
		35	+ sftp_session sftp = NULL;
		36	+
		37	+ pwd = getpwnam("bob");
		38	+ assert_non_null(pwd);
		39	+
		40	+ rc = setuid(pwd->pw_uid);
		41	+ assert_return_code(rc, errno);
		42	+
		43	+ s->ssh.session = torture_ssh_session(s,
		44	+ TORTURE_SSH_SERVER,
		45	+ NULL,
		46	+ TORTURE_SSH_USER_ALICE,
		47	+ NULL);
		48	+ assert_non_null(s->ssh.session);
		49	+
		50	+ s->ssh.tsftp = torture_sftp_session(s->ssh.session);
		51	+ assert_non_null(s->ssh.tsftp);
		52	+ sftp = s->ssh.tsftp->sftp;
		53	+
		54	+ /* null parameter */
		55	+ count = sftp_extensions_get_count(NULL);
		56	+ assert_int_equal(count, 0);
		57	+
		58	+ count = sftp_extensions_get_count(sftp);
		59	+ assert_int_not_equal(count, 0);
		60	+
		61	+ /* first null parameter */
		62	+ name = sftp_extensions_get_name(NULL, 0);
		63	+ assert_null(name);
		64	+ data = sftp_extensions_get_data(NULL, 0);
		65	+ assert_null(data);
		66	+
		67	+ /* First extension */
		68	+ name = sftp_extensions_get_name(sftp, 0);
		69	+ assert_non_null(name);
		70	+ data = sftp_extensions_get_data(sftp, 0);
		71	+ assert_non_null(data);
		72	+
		73	+ /* Last extension */
		74	+ name = sftp_extensions_get_name(sftp, count - 1);
		75	+ assert_non_null(name);
		76	+ data = sftp_extensions_get_data(sftp, count - 1);
		77	+ assert_non_null(data);
		78	+
		79	+ /* Overrun */
		80	+ name = sftp_extensions_get_name(sftp, count);
		81	+ assert_null(name);
		82	+ data = sftp_extensions_get_data(sftp, count);
		83	+ assert_null(data);
		84	+}
		85	+
		86	static int session_teardown(void **state)
		87	{
		88	struct torture_state s = state;
		89	@@ -92,7 +149,10 @@ int torture_run_tests(void) {
		90	session_teardown),
		91	cmocka_unit_test_setup_teardown(session_setup_channel,
		92	NULL,
		93	- session_teardown)
		94	+ session_teardown),
		95	+ cmocka_unit_test_setup_teardown(session_setup_extensions,
		96	+ NULL,
		97	+ session_teardown),
		98	};
		99
		100	ssh_init();
		101	--
		102	2.35.6


diff --git a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb index 5928581312..ab47931fa3 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
@@ -9,6 +9,8 @@ DEPENDS = "zlib openssl"
9	SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.11;tag=${BPN}-${PV} \	9	SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.11;tag=${BPN}-${PV} \
10	file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \	10	file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
11	file://run-ptest \	11	file://run-ptest \
		12	file://CVE-2026-3731_p1.patch \
		13	file://CVE-2026-3731_p2.patch \
12	"	14	"
13		15
14	SRC_URI:append:toolchain-clang = " file://0001-CompilerChecks.cmake-drop-Wunused-variable-flag.patch"	16	SRC_URI:append:toolchain-clang = " file://0001-CompilerChecks.cmake-drop-Wunused-variable-flag.patch"