diff options
| author | Ankur Tyagi <ankur.tyagi85@gmail.com> | 2026-04-28 17:01:06 +1200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-29 10:14:29 +0530 |
| commit | 015b974b6b7e7e302725012096432e260fb2c39c (patch) | |
| tree | 0c554ee8bb4edf2fdde92fa94e63a971c565342a /meta-oe | |
| parent | 5ce7602ce108f1aefccaa3afcc2b4081dc654a4c (diff) | |
| download | meta-openembedded-015b974b6b7e7e302725012096432e260fb2c39c.tar.gz | |
libssh: patch CVE-2026-0968
Backport patches [1] and [2] as mentioned in [3]
[1] https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9
[2] https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03
[3] https://security-tracker.debian.org/tracker/CVE-2026-0968
Certain functions from sftp.c were moved to a new file sftp_common.c
in version 0.11.0 by following commit:
https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a
This is the backport of the changes using the original file sftp.c
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
3 files changed, 202 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch new file mode 100644 index 0000000000..5ed1a4e940 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch | |||
| @@ -0,0 +1,64 @@ | |||
| 1 | From 9fd388141c973ba6fb7d45966c25d1fad9e1d419 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jakub Jelen <jjelen@redhat.com> | ||
| 3 | Date: Mon, 22 Dec 2025 20:59:11 +0100 | ||
| 4 | Subject: [PATCH] CVE-2026-0968: sftp: Sanitize input handling in | ||
| 5 | sftp_parse_longname() | ||
| 6 | |||
| 7 | Signed-off-by: Jakub Jelen <jjelen@redhat.com> | ||
| 8 | Reviewed-by: Andreas Schneider <asn@cryptomilk.org> | ||
| 9 | |||
| 10 | CVE: CVE-2026-0968 | ||
| 11 | Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9] | ||
| 12 | |||
| 13 | Certain functions from sftp.c were moved to a new file sftp_common.c | ||
| 14 | in version 0.11.0 by following commit: | ||
| 15 | https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a | ||
| 16 | |||
| 17 | This is the backport of the changes which fixes the CVE in the original file | ||
| 18 | sftp.c | ||
| 19 | |||
| 20 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 21 | --- | ||
| 22 | src/sftp.c | 16 +++++++++++++--- | ||
| 23 | 1 file changed, 13 insertions(+), 3 deletions(-) | ||
| 24 | |||
| 25 | diff --git a/src/sftp.c b/src/sftp.c | ||
| 26 | index 4a77141b..2194a9ef 100644 | ||
| 27 | --- a/src/sftp.c | ||
| 28 | +++ b/src/sftp.c | ||
| 29 | @@ -1289,13 +1289,18 @@ static char *sftp_parse_longname(const char *longname, | ||
| 30 | const char *p, *q; | ||
| 31 | size_t len, field = 0; | ||
| 32 | |||
| 33 | + if (longname == NULL || longname_field < SFTP_LONGNAME_PERM || | ||
| 34 | + longname_field > SFTP_LONGNAME_NAME) { | ||
| 35 | + return NULL; | ||
| 36 | + } | ||
| 37 | + | ||
| 38 | p = longname; | ||
| 39 | /* Find the beginning of the field which is specified by sftp_longname_field_e. */ | ||
| 40 | - while(field != longname_field) { | ||
| 41 | + while (*p != '\0' && field != longname_field) { | ||
| 42 | if(isspace(*p)) { | ||
| 43 | field++; | ||
| 44 | p++; | ||
| 45 | - while(*p && isspace(*p)) { | ||
| 46 | + while (*p != '\0' && isspace(*p)) { | ||
| 47 | p++; | ||
| 48 | } | ||
| 49 | } else { | ||
| 50 | @@ -1303,8 +1308,13 @@ static char *sftp_parse_longname(const char *longname, | ||
| 51 | } | ||
| 52 | } | ||
| 53 | |||
| 54 | + /* If we reached NULL before we got our field fail */ | ||
| 55 | + if (field != longname_field) { | ||
| 56 | + return NULL; | ||
| 57 | + } | ||
| 58 | + | ||
| 59 | q = p; | ||
| 60 | - while (! isspace(*q)) { | ||
| 61 | + while (*q != '\0' && !isspace(*q)) { | ||
| 62 | q++; | ||
| 63 | } | ||
| 64 | |||
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch new file mode 100644 index 0000000000..42642ee1ed --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch | |||
| @@ -0,0 +1,136 @@ | |||
| 1 | From 04cd54c7302195055d208e0ca00d6e519d674bb2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jakub Jelen <jjelen@redhat.com> | ||
| 3 | Date: Mon, 22 Dec 2025 21:00:03 +0100 | ||
| 4 | Subject: [PATCH] CVE-2026-0968 tests: Reproducer for invalid longname data | ||
| 5 | |||
| 6 | Signed-off-by: Jakub Jelen <jjelen@redhat.com> | ||
| 7 | Reviewed-by: Andreas Schneider <asn@cryptomilk.org> | ||
| 8 | (cherry picked from commit 90a5d8f47399e8db61b56793cd21476ff6a528e0) | ||
| 9 | (cherry picked from commit 212121971fb26e1e00b72bd5402c0454a4d84c03) | ||
| 10 | |||
| 11 | CVE: CVE-2026-0968 | ||
| 12 | Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03] | ||
| 13 | |||
| 14 | Certain functions from sftp.c were moved to a new file sftp_common.c | ||
| 15 | in version 0.11.0 by following commit: | ||
| 16 | https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a | ||
| 17 | |||
| 18 | Updated unit test to include sftp.c during the backport. | ||
| 19 | |||
| 20 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 21 | --- | ||
| 22 | tests/unittests/CMakeLists.txt | 7 +++ | ||
| 23 | tests/unittests/torture_unit_sftp.c | 86 +++++++++++++++++++++++++++++ | ||
| 24 | 2 files changed, 93 insertions(+) | ||
| 25 | create mode 100644 tests/unittests/torture_unit_sftp.c | ||
| 26 | |||
| 27 | diff --git a/tests/unittests/CMakeLists.txt b/tests/unittests/CMakeLists.txt | ||
| 28 | index f85da72b..41f25830 100644 | ||
| 29 | --- a/tests/unittests/CMakeLists.txt | ||
| 30 | +++ b/tests/unittests/CMakeLists.txt | ||
| 31 | @@ -101,6 +101,13 @@ if (UNIX AND NOT WIN32) | ||
| 32 | endif (WITH_SERVER) | ||
| 33 | endif (UNIX AND NOT WIN32) | ||
| 34 | |||
| 35 | +if (WITH_SFTP) | ||
| 36 | + set(LIBSSH_UNIT_TESTS | ||
| 37 | + ${LIBSSH_UNIT_TESTS} | ||
| 38 | + torture_unit_sftp | ||
| 39 | + ) | ||
| 40 | +endif (WITH_SFTP) | ||
| 41 | + | ||
| 42 | foreach(_UNIT_TEST ${LIBSSH_UNIT_TESTS}) | ||
| 43 | add_cmocka_test(${_UNIT_TEST} | ||
| 44 | SOURCES ${_UNIT_TEST}.c | ||
| 45 | diff --git a/tests/unittests/torture_unit_sftp.c b/tests/unittests/torture_unit_sftp.c | ||
| 46 | new file mode 100644 | ||
| 47 | index 00000000..8cdaba8e | ||
| 48 | --- /dev/null | ||
| 49 | +++ b/tests/unittests/torture_unit_sftp.c | ||
| 50 | @@ -0,0 +1,86 @@ | ||
| 51 | +#include "config.h" | ||
| 52 | + | ||
| 53 | +#include "sftp.c" | ||
| 54 | +#include "torture.h" | ||
| 55 | + | ||
| 56 | +#define LIBSSH_STATIC | ||
| 57 | + | ||
| 58 | +static void test_sftp_parse_longname(void **state) | ||
| 59 | +{ | ||
| 60 | + const char *lname = NULL; | ||
| 61 | + char *value = NULL; | ||
| 62 | + | ||
| 63 | + /* state not used */ | ||
| 64 | + (void)state; | ||
| 65 | + | ||
| 66 | + /* Valid example from SFTP draft, page 18: | ||
| 67 | + * https://datatracker.ietf.org/doc/draft-spaghetti-sshm-filexfer/ | ||
| 68 | + */ | ||
| 69 | + lname = "-rwxr-xr-x 1 mjos staff 348911 Mar 25 14:29 t-filexfer"; | ||
| 70 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); | ||
| 71 | + assert_string_equal(value, "-rwxr-xr-x"); | ||
| 72 | + free(value); | ||
| 73 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_OWNER); | ||
| 74 | + assert_string_equal(value, "mjos"); | ||
| 75 | + free(value); | ||
| 76 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_GROUP); | ||
| 77 | + assert_string_equal(value, "staff"); | ||
| 78 | + free(value); | ||
| 79 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_SIZE); | ||
| 80 | + assert_string_equal(value, "348911"); | ||
| 81 | + free(value); | ||
| 82 | + /* This function is broken further as the date contains space which breaks | ||
| 83 | + * the parsing altogether */ | ||
| 84 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_DATE); | ||
| 85 | + assert_string_equal(value, "Mar"); | ||
| 86 | + free(value); | ||
| 87 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_TIME); | ||
| 88 | + assert_string_equal(value, "25"); | ||
| 89 | + free(value); | ||
| 90 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); | ||
| 91 | + assert_string_equal(value, "14:29"); | ||
| 92 | + free(value); | ||
| 93 | +} | ||
| 94 | + | ||
| 95 | +static void test_sftp_parse_longname_invalid(void **state) | ||
| 96 | +{ | ||
| 97 | + const char *lname = NULL; | ||
| 98 | + char *value = NULL; | ||
| 99 | + | ||
| 100 | + /* state not used */ | ||
| 101 | + (void)state; | ||
| 102 | + | ||
| 103 | + /* Invalid inputs should not crash | ||
| 104 | + */ | ||
| 105 | + lname = NULL; | ||
| 106 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); | ||
| 107 | + assert_null(value); | ||
| 108 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); | ||
| 109 | + assert_null(value); | ||
| 110 | + | ||
| 111 | + lname = ""; | ||
| 112 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); | ||
| 113 | + assert_string_equal(value, ""); | ||
| 114 | + free(value); | ||
| 115 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); | ||
| 116 | + assert_null(value); | ||
| 117 | + | ||
| 118 | + lname = "-rwxr-xr-x 1"; | ||
| 119 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); | ||
| 120 | + assert_string_equal(value, "-rwxr-xr-x"); | ||
| 121 | + free(value); | ||
| 122 | + value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); | ||
| 123 | + assert_null(value); | ||
| 124 | +} | ||
| 125 | + | ||
| 126 | +int torture_run_tests(void) | ||
| 127 | +{ | ||
| 128 | + int rc; | ||
| 129 | + const struct CMUnitTest tests[] = { | ||
| 130 | + cmocka_unit_test(test_sftp_parse_longname), | ||
| 131 | + cmocka_unit_test(test_sftp_parse_longname_invalid), | ||
| 132 | + }; | ||
| 133 | + | ||
| 134 | + rc = cmocka_run_group_tests(tests, NULL, NULL); | ||
| 135 | + return rc; | ||
| 136 | +} | ||
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 30f68f87ce..e0ade7f67c 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb | |||
| @@ -28,6 +28,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable | |||
| 28 | file://CVE-2026-0966-1.patch \ | 28 | file://CVE-2026-0966-1.patch \ |
| 29 | file://CVE-2026-0966-2.patch \ | 29 | file://CVE-2026-0966-2.patch \ |
| 30 | file://CVE-2026-0966-3.patch \ | 30 | file://CVE-2026-0966-3.patch \ |
| 31 | file://CVE-2026-0968-1.patch \ | ||
| 32 | file://CVE-2026-0968-2.patch \ | ||
| 31 | " | 33 | " |
| 32 | SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" | 34 | SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" |
| 33 | 35 | ||
