14 changes: 14 additions & 0 deletions debian/changelog
@@ -1,3 +1,17 @@
libssh2 (1.11.1-1deepin4) unstable; urgency=medium

* Fix CVE-2026-55199: pre-authentication DoS via SSH_MSG_EXT_INFO handler
(upstream commit 17626857d20b3c9a1addfa45979dadcee1cd84a4)

-- deepin-ci-robot <packages@deepin.org> Wed, 24 Jun 2026 19:30:00 +0800

libssh2 (1.11.1-1deepin3) unstable; urgency=medium

* Fix CVE-2025-15661: heap buffer over-read in sftp_symlink
(upstream commit 2dae3024897e1898d389835151f4e9606227721d)

-- deepin-ci-robot <packages@deepin.org> Wed, 24 Jun 2026 19:30:00 +0800

libssh2 (1.11.1-1deepin2) unstable; urgency=medium

* Fix CVE-2026-7598: integer overflow in userauth_password
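--- a/debian/patches/CVE-2025-15661.patch
+++ b/debian/patches/CVE-2025-15661.patch
@@ -0,0 +1,99 @@
+Index: libssh2/src/sftp.c
+===================================================================
+--- libssh2.orig/src/sftp.c
++++ libssh2/src/sftp.c
+@@ -3795,7 +3795,11 @@
+{
+LIBSSH2_CHANNEL *channel = sftp->channel;
+LIBSSH2_SESSION *session = channel->session;
+- size_t data_len = 0, link_len;
++ size_t data_len = 0, lk_len;
++ unsigned char *lk_target;
++ struct string_buf buf;
++ unsigned char packet_type;
++ uint32_t tmp_u32;
+/* 13 = packet_len(4) + packet_type(1) + request_id(4) + path_len(4) */
+ssize_t packet_len =
+path_len + 13 +
+@@ -3891,8 +3895,25 @@
+
+sftp->symlink_state = libssh2_NB_state_idle;
+
+- if(data[0] == SSH_FXP_STATUS) {
+- retcode = _libssh2_ntohu32(data + 5);
++ buf.data = data;
++ buf.dataptr = buf.data;
++ buf.len = data_len;
++
++ if(_libssh2_get_byte(&buf, &packet_type)) {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (type)");
++ }
++
++ if(packet_type == SSH_FXP_STATUS) {
++ if(_libssh2_get_u32(&buf, &tmp_u32)) {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (code)");
++ }
++
++ retcode = (int)tmp_u32;
++
+LIBSSH2_FREE(session, data);
+if(retcode == LIBSSH2_FX_OK)
+return LIBSSH2_ERROR_NONE;
+@@ -3903,30 +3924,37 @@
+}
+}
+
+- if(_libssh2_ntohu32(data + 5) < 1) {
++ /* advance past id */
++ if(_libssh2_get_u32(&buf, &tmp_u32)) {
+LIBSSH2_FREE(session, data);
+return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+- "Invalid READLINK/REALPATH response, "
+- "no name entries");
++ "SFTP Protocol Error (id)");
+}
+
+- if(data_len < 13) {
+- if(data_len > 0) {
+- LIBSSH2_FREE(session, data);
+- }
++ /* look for at least one link */
++ if(_libssh2_get_u32(&buf, &tmp_u32) || tmp_u32 < 1) {
++ LIBSSH2_FREE(session, data);
+return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+- "SFTP stat packet too short");
++ "Invalid READLINK/REALPATH response, "
++ "no name entries");
+}
+
+- /* this reads a u32 and stores it into a signed 32bit value */
+- link_len = _libssh2_ntohu32(data + 9);
+- if(link_len < target_len) {
+- memcpy(target, data + 13, link_len);
+- target[link_len] = 0;
+- retcode = (int)link_len;
++ if(_libssh2_get_string(&buf, &lk_target, &lk_len) == LIBSSH2_ERROR_NONE) {
++ if(lk_len < target_len) {
++ memcpy(target, lk_target, lk_len);
++ target[lk_len] = '\0';
++ retcode = (int)lk_len;
++ }
++ else {
++ retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL;
++ }
+}
+- else
+- retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL;
++ else {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (filename)");
++ }
++
+LIBSSH2_FREE(session, data);
+
+return retcode;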
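Review bot: In the `SSH_FXP_STATUS` branch the only `_libssh2_get_u32(&buf, &tmp_u32)` after the type byte reads the field at offset 1, whereas the removed code took the status from `data + 5`; going by the removed offsets (id at 1, status or name count at 5), `retcode` would now hold the request id rather than the server's status code. If that reading is right, a failed READLINK/REALPATH could be misreported, including as `LIBSSH2_FX_OK` whenever the id happens to be 0. The `/* advance past id */` read with its `"SFTP Protocol Error (id)"` return should be hoisted above `if(packet_type == SSH_FXP_STATUS)` so that both branches skip the id before parsing their next field. The function starts and ends outside these hunks and the lines between the second and third hunk are not shown, so this should be confirmed against the upstream commit named in the changelog.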
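--- a/debian/patches/CVE-2026-55199.patch
+++ b/debian/patches/CVE-2026-55199.patch
@@ -0,0 +1,17 @@
+Index: libssh2/src/packet.c
+===================================================================
+--- libssh2.orig/src/packet.c
++++ libssh2/src/packet.c
+@@ -868,8 +868,10 @@
+
+nr_extensions -= 1;
+
+- _libssh2_get_string(&buf, &name, &name_len);
+- _libssh2_get_string(&buf, &value, &value_len);
++ if(_libssh2_get_string(&buf, &name, &name_len))
++ break;
++ if(_libssh2_get_string(&buf, &value, &value_len))
++ break;
+
+if(name && value) {
+_libssh2_debug((session,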
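Review bot: Both new `break` paths leave the extension loop silently, so a truncated or malformed SSH_MSG_EXT_INFO received before authentication looks the same as a well-formed one, both in the logs and to the caller. A comment above the two checks, for example `/* nr_extensions may exceed the data actually present: stop at the first string that fails to parse */`, would record why the loop must not keep iterating (assuming the count comes from the packet, which this hunk does not show). A `_libssh2_debug` trace before each `break` would also make hostile or broken servers easier to diagnose. Whether the packet should instead be rejected with an error depends on the loop header and the cleanup code, both of which are outside this hunk.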
2 changes: 2 additions & 0 deletions debian/patches/series
@@ -7,3 +7,5 @@
#maxpathlen.patch
#openssh-9.8.patch
CVE-2026-7598.patch
CVE-2025-15661.patch
CVE-2026-55199.patch