From 5432618a2125031ee39b63ef40f8d9e85626db20 Mon Sep 17 00:00:00 2001
From: deepin-ci-robot
Date: Wed, 24 Jun 2026 19:36:16 +0800
Subject: [PATCH 1/2] fix(libssh2): CVE-2025-15661

Fix heap buffer over-read in sftp_symlink() by using the string_buf struct to guard against out-of-bounds reads and malformed packets.

Upstream: https://github.com/libssh2/libssh2/commit/2dae3024897e1898d389835151f4e9606227721d

Generated-By: uos/deepseek-v4-flash
Co-Authored-By: hudeng
---
 debian/changelog | 7 ++
 debian/patches/CVE-2025-15661.patch | 99 +++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 107 insertions(+)
 create mode 100644 debian/patches/CVE-2025-15661.patch

diff --git a/debian/changelog b/debian/changelog
index 500e199..780a606 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libssh2 (1.11.1-1deepin3) unstable; urgency=medium
+
+ * Fix CVE-2025-15661: heap buffer over-read in sftp_symlink
+ (upstream commit 2dae3024897e1898d389835151f4e9606227721d)
+
+ -- deepin-ci-robot Wed, 24 Jun 2026 19:30:00 +0800
+
 libssh2 (1.11.1-1deepin2) unstable; urgency=medium
 
 * Fix CVE-2026-7598: integer overflow in userauth_password
diff --git a/debian/patches/CVE-2025-15661.patch b/debian/patches/CVE-2025-15661.patch
new file mode 100644
index 0000000..e17252a
--- /dev/null
+++ b/debian/patches/CVE-2025-15661.patch
@@ -0,0 +1,99 @@
+Index: libssh2/src/sftp.c
+===================================================================
+--- libssh2.orig/src/sftp.c
++++ libssh2/src/sftp.c
+@@ -3795,7 +3795,11 @@
+ {
+ LIBSSH2_CHANNEL *channel = sftp->channel;
+ LIBSSH2_SESSION *session = channel->session;
+- size_t data_len = 0, link_len;
++ size_t data_len = 0, lk_len;
++ unsigned char *lk_target;
++ struct string_buf buf;
++ unsigned char packet_type;
++ uint32_t tmp_u32;
+ /* 13 = packet_len(4) + packet_type(1) + request_id(4) + path_len(4) */
+ ssize_t packet_len =
+ path_len + 13 +
+@@ -3891,8 +3895,25 @@
+ 
+ sftp->symlink_state = libssh2_NB_state_idle;
+ 
+- if(data[0] == SSH_FXP_STATUS) {
+- retcode = _libssh2_ntohu32(data + 5);
++ buf.data = data;
++ buf.dataptr = buf.data;
++ buf.len = data_len;
++
++ if(_libssh2_get_byte(&buf, &packet_type)) {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (type)");
++ }
++
++ if(packet_type == SSH_FXP_STATUS) {
++ if(_libssh2_get_u32(&buf, &tmp_u32)) {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (code)");
++ }
++
++ retcode = (int)tmp_u32;
++
+ LIBSSH2_FREE(session, data);
+ if(retcode == LIBSSH2_FX_OK)
+ return LIBSSH2_ERROR_NONE;
+@@ -3903,30 +3924,37 @@
+ }
+ }
+ 
+- if(_libssh2_ntohu32(data + 5) < 1) {
++ /* advance past id */
++ if(_libssh2_get_u32(&buf, &tmp_u32)) {
+ LIBSSH2_FREE(session, data);
+ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+- "Invalid READLINK/REALPATH response, "
+- "no name entries");
++ "SFTP Protocol Error (id)");
+ }
+ 
+- if(data_len < 13) {
+- if(data_len > 0) {
+- LIBSSH2_FREE(session, data);
+- }
++ /* look for at least one link */
++ if(_libssh2_get_u32(&buf, &tmp_u32) || tmp_u32 < 1) {
++ LIBSSH2_FREE(session, data);
+ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+- "SFTP stat packet too short");
++ "Invalid READLINK/REALPATH response, "
++ "no name entries");
+ }
+ 
+- /* this reads a u32 and stores it into a signed 32bit value */
+- link_len = _libssh2_ntohu32(data + 9);
+- if(link_len < target_len) {
+- memcpy(target, data + 13, link_len);
+- target[link_len] = 0;
+- retcode = (int)link_len;
++ if(_libssh2_get_string(&buf, &lk_target, &lk_len) == LIBSSH2_ERROR_NONE) {
++ if(lk_len < target_len) {
++ memcpy(target, lk_target, lk_len);
++ target[lk_len] = '\0';
++ retcode = (int)lk_len;
++ }
++ else {
++ retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL;
++ }
+ }
+- else
+- retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL;
++ else {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (filename)");
++ }
++
+ LIBSSH2_FREE(session, data);
+ 
+ return retcode;
diff --git a/debian/patches/series b/debian/patches/series
index efb1902..c311e06 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@
 #maxpathlen.patch
 #openssh-9.8.patch
 CVE-2026-7598.patch
+CVE-2025-15661.patch

From 899b522894b56cfd1f25c9d7136d51463b50eebd Mon Sep 17 00:00:00 2001
From: hudeng
Date: Wed, 24 Jun 2026 19:36:31 +0800
Subject: [PATCH 2/2] fix(libssh2): CVE-2026-55199

Fix pre-authentication DoS by checking return values from _libssh2_get_string() in the SSH_MSG_EXT_INFO handler.

Upstream: https://github.com/libssh2/libssh2/commit/17626857d20b3c9a1addfa45979dadcee1cd84a4

Generated-By: uos/deepseek-v4-flash
Co-Authored-By: hudeng
---
 debian/changelog | 7 +++++++
 debian/patches/CVE-2026-55199.patch | 17 +++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 25 insertions(+)
 create mode 100644 debian/patches/CVE-2026-55199.patch

diff --git a/debian/changelog b/debian/changelog
index 780a606..0b3eaed 100644
--- a/debian/changelog
+++ b/debian/changelog
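Review bot: In the `packet_type == SSH_FXP_STATUS` branch the single `_libssh2_get_u32` that follows `_libssh2_get_byte` reads the 4-byte request id, not the status code: the removed line took the code from `data + 5`, i.e. past the id, and the non-STATUS path in the same hunk explicitly skips the id first (`/* advance past id */`). Unless the cited upstream commit lays the packet out differently, an error STATUS would be reported with the request id as its code and, when that id happens to be 0, would be mistaken for `LIBSSH2_FX_OK` and return success. I would consume the id before the code: `if(_libssh2_get_u32(&buf, &tmp_u32) || _libssh2_get_u32(&buf, &tmp_u32)) {` with the same `"SFTP Protocol Error (code)"` return, then `retcode = (int)tmp_u32;`. sftp_symlink starts and the STATUS error return ends outside the hunk, and since the backport is marked as model-generated it should be diffed line by line against the upstream commit it references before it ships.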
@@ -1,3 +1,10 @@
+libssh2 (1.11.1-1deepin4) unstable; urgency=medium
+
+ * Fix CVE-2026-55199: pre-authentication DoS via SSH_MSG_EXT_INFO handler
+ (upstream commit 17626857d20b3c9a1addfa45979dadcee1cd84a4)
+
+ -- deepin-ci-robot Wed, 24 Jun 2026 19:30:00 +0800
+
 libssh2 (1.11.1-1deepin3) unstable; urgency=medium
 
 * Fix CVE-2025-15661: heap buffer over-read in sftp_symlink
diff --git a/debian/patches/CVE-2026-55199.patch b/debian/patches/CVE-2026-55199.patch
new file mode 100644
index 0000000..d7ba779
--- /dev/null
+++ b/debian/patches/CVE-2026-55199.patch
@@ -0,0 +1,17 @@
+Index: libssh2/src/packet.c
+===================================================================
+--- libssh2.orig/src/packet.c
++++ libssh2/src/packet.c
+@@ -868,8 +868,10 @@
+ 
+ nr_extensions -= 1;
+ 
+- _libssh2_get_string(&buf, &name, &name_len);
+- _libssh2_get_string(&buf, &value, &value_len);
++ if(_libssh2_get_string(&buf, &name, &name_len))
++ break;
++ if(_libssh2_get_string(&buf, &value, &value_len))
++ break;
+ 
+ if(name && value) {
+ _libssh2_debug((session,
diff --git a/debian/patches/series b/debian/patches/series
index c311e06..aaac57d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
 #openssh-9.8.patch
 CVE-2026-7598.patch
 CVE-2025-15661.patch
+CVE-2026-55199.patch
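Review bot: The two new `break` statements leave the extension loop silently when the name or value string is truncated, so a malformed SSH_MSG_EXT_INFO from an unauthenticated peer is indistinguishable from a well-formed one that simply carries fewer extensions. I would at least trace it before bailing out, reusing the trace class of the existing `_libssh2_debug` call below, e.g. `_libssh2_debug((session, LIBSSH2_TRACE_KEX, "truncated SSH_MSG_EXT_INFO, ignoring rest"));` ahead of each `break`, or fold both reads into one guard so the message appears once. As far as the visible lines show, the `if(name && value)` test that follows can no longer fail for the current iteration once both reads succeed, so it is now redundant but harmless. The enclosing loop and function start and end outside the hunk, so whether breaking out leaves any partially parsed state behind cannot be judged from here.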