summaryrefslogtreecommitdiffstats
path: root/meta-oe
diff options
context:
space:
mode:
authorAnkur Tyagi <ankur.tyagi85@gmail.com>2026-04-28 17:01:06 +1200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-29 10:14:29 +0530
commit015b974b6b7e7e302725012096432e260fb2c39c (patch)
tree0c554ee8bb4edf2fdde92fa94e63a971c565342a /meta-oe
parent5ce7602ce108f1aefccaa3afcc2b4081dc654a4c (diff)
downloadmeta-openembedded-015b974b6b7e7e302725012096432e260fb2c39c.tar.gz
libssh: patch CVE-2026-0968
Backport patches [1] and [2] as mentioned in [3] [1] https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9 [2] https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03 [3] https://security-tracker.debian.org/tracker/CVE-2026-0968 Certain functions from sftp.c were moved to a new file sftp_common.c in version 0.11.0 by following commit: https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a This is the backport of the changes using the original file sftp.c Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch64
-rw-r--r--meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch136
-rw-r--r--meta-oe/recipes-support/libssh/libssh_0.10.6.bb2
3 files changed, 202 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch
new file mode 100644
index 0000000000..5ed1a4e940
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch
@@ -0,0 +1,64 @@
1From 9fd388141c973ba6fb7d45966c25d1fad9e1d419 Mon Sep 17 00:00:00 2001
2From: Jakub Jelen <jjelen@redhat.com>
3Date: Mon, 22 Dec 2025 20:59:11 +0100
4Subject: [PATCH] CVE-2026-0968: sftp: Sanitize input handling in
5 sftp_parse_longname()
6
7Signed-off-by: Jakub Jelen <jjelen@redhat.com>
8Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
9
10CVE: CVE-2026-0968
11Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9]
12
13Certain functions from sftp.c were moved to a new file sftp_common.c
14in version 0.11.0 by following commit:
15https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a
16
17This is the backport of the changes which fixes the CVE in the original file
18sftp.c
19
20Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
21---
22 src/sftp.c | 16 +++++++++++++---
23 1 file changed, 13 insertions(+), 3 deletions(-)
24
25diff --git a/src/sftp.c b/src/sftp.c
26index 4a77141b..2194a9ef 100644
27--- a/src/sftp.c
28+++ b/src/sftp.c
29@@ -1289,13 +1289,18 @@ static char *sftp_parse_longname(const char *longname,
30 const char *p, *q;
31 size_t len, field = 0;
32
33+ if (longname == NULL || longname_field < SFTP_LONGNAME_PERM ||
34+ longname_field > SFTP_LONGNAME_NAME) {
35+ return NULL;
36+ }
37+
38 p = longname;
39 /* Find the beginning of the field which is specified by sftp_longname_field_e. */
40- while(field != longname_field) {
41+ while (*p != '\0' && field != longname_field) {
42 if(isspace(*p)) {
43 field++;
44 p++;
45- while(*p && isspace(*p)) {
46+ while (*p != '\0' && isspace(*p)) {
47 p++;
48 }
49 } else {
50@@ -1303,8 +1308,13 @@ static char *sftp_parse_longname(const char *longname,
51 }
52 }
53
54+ /* If we reached NULL before we got our field fail */
55+ if (field != longname_field) {
56+ return NULL;
57+ }
58+
59 q = p;
60- while (! isspace(*q)) {
61+ while (*q != '\0' && !isspace(*q)) {
62 q++;
63 }
64
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch
new file mode 100644
index 0000000000..42642ee1ed
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch
@@ -0,0 +1,136 @@
1From 04cd54c7302195055d208e0ca00d6e519d674bb2 Mon Sep 17 00:00:00 2001
2From: Jakub Jelen <jjelen@redhat.com>
3Date: Mon, 22 Dec 2025 21:00:03 +0100
4Subject: [PATCH] CVE-2026-0968 tests: Reproducer for invalid longname data
5
6Signed-off-by: Jakub Jelen <jjelen@redhat.com>
7Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
8(cherry picked from commit 90a5d8f47399e8db61b56793cd21476ff6a528e0)
9(cherry picked from commit 212121971fb26e1e00b72bd5402c0454a4d84c03)
10
11CVE: CVE-2026-0968
12Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03]
13
14Certain functions from sftp.c were moved to a new file sftp_common.c
15in version 0.11.0 by following commit:
16https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a
17
18Updated unit test to include sftp.c during the backport.
19
20Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
21---
22 tests/unittests/CMakeLists.txt | 7 +++
23 tests/unittests/torture_unit_sftp.c | 86 +++++++++++++++++++++++++++++
24 2 files changed, 93 insertions(+)
25 create mode 100644 tests/unittests/torture_unit_sftp.c
26
27diff --git a/tests/unittests/CMakeLists.txt b/tests/unittests/CMakeLists.txt
28index f85da72b..41f25830 100644
29--- a/tests/unittests/CMakeLists.txt
30+++ b/tests/unittests/CMakeLists.txt
31@@ -101,6 +101,13 @@ if (UNIX AND NOT WIN32)
32 endif (WITH_SERVER)
33 endif (UNIX AND NOT WIN32)
34
35+if (WITH_SFTP)
36+ set(LIBSSH_UNIT_TESTS
37+ ${LIBSSH_UNIT_TESTS}
38+ torture_unit_sftp
39+ )
40+endif (WITH_SFTP)
41+
42 foreach(_UNIT_TEST ${LIBSSH_UNIT_TESTS})
43 add_cmocka_test(${_UNIT_TEST}
44 SOURCES ${_UNIT_TEST}.c
45diff --git a/tests/unittests/torture_unit_sftp.c b/tests/unittests/torture_unit_sftp.c
46new file mode 100644
47index 00000000..8cdaba8e
48--- /dev/null
49+++ b/tests/unittests/torture_unit_sftp.c
50@@ -0,0 +1,86 @@
51+#include "config.h"
52+
53+#include "sftp.c"
54+#include "torture.h"
55+
56+#define LIBSSH_STATIC
57+
58+static void test_sftp_parse_longname(void **state)
59+{
60+ const char *lname = NULL;
61+ char *value = NULL;
62+
63+ /* state not used */
64+ (void)state;
65+
66+ /* Valid example from SFTP draft, page 18:
67+ * https://datatracker.ietf.org/doc/draft-spaghetti-sshm-filexfer/
68+ */
69+ lname = "-rwxr-xr-x 1 mjos staff 348911 Mar 25 14:29 t-filexfer";
70+ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM);
71+ assert_string_equal(value, "-rwxr-xr-x");
72+ free(value);
73+ value = sftp_parse_longname(lname, SFTP_LONGNAME_OWNER);
74+ assert_string_equal(value, "mjos");
75+ free(value);
76+ value = sftp_parse_longname(lname, SFTP_LONGNAME_GROUP);
77+ assert_string_equal(value, "staff");
78+ free(value);
79+ value = sftp_parse_longname(lname, SFTP_LONGNAME_SIZE);
80+ assert_string_equal(value, "348911");
81+ free(value);
82+ /* This function is broken further as the date contains space which breaks
83+ * the parsing altogether */
84+ value = sftp_parse_longname(lname, SFTP_LONGNAME_DATE);
85+ assert_string_equal(value, "Mar");
86+ free(value);
87+ value = sftp_parse_longname(lname, SFTP_LONGNAME_TIME);
88+ assert_string_equal(value, "25");
89+ free(value);
90+ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME);
91+ assert_string_equal(value, "14:29");
92+ free(value);
93+}
94+
95+static void test_sftp_parse_longname_invalid(void **state)
96+{
97+ const char *lname = NULL;
98+ char *value = NULL;
99+
100+ /* state not used */
101+ (void)state;
102+
103+ /* Invalid inputs should not crash
104+ */
105+ lname = NULL;
106+ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM);
107+ assert_null(value);
108+ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME);
109+ assert_null(value);
110+
111+ lname = "";
112+ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM);
113+ assert_string_equal(value, "");
114+ free(value);
115+ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME);
116+ assert_null(value);
117+
118+ lname = "-rwxr-xr-x 1";
119+ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM);
120+ assert_string_equal(value, "-rwxr-xr-x");
121+ free(value);
122+ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME);
123+ assert_null(value);
124+}
125+
126+int torture_run_tests(void)
127+{
128+ int rc;
129+ const struct CMUnitTest tests[] = {
130+ cmocka_unit_test(test_sftp_parse_longname),
131+ cmocka_unit_test(test_sftp_parse_longname_invalid),
132+ };
133+
134+ rc = cmocka_run_group_tests(tests, NULL, NULL);
135+ return rc;
136+}
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
index 30f68f87ce..e0ade7f67c 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -28,6 +28,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
28 file://CVE-2026-0966-1.patch \ 28 file://CVE-2026-0966-1.patch \
29 file://CVE-2026-0966-2.patch \ 29 file://CVE-2026-0966-2.patch \
30 file://CVE-2026-0966-3.patch \ 30 file://CVE-2026-0966-3.patch \
31 file://CVE-2026-0968-1.patch \
32 file://CVE-2026-0968-2.patch \
31 " 33 "
32SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" 34SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
33 35