14 changes: 7 additions & 7 deletions debian/changelog
@@ -1,15 +1,15 @@
libssh2 (1.11.1-1deepin2) unstable; urgency=medium
libssh2 (1.11.1-1+deb13u1deepin1) unstable; urgency=medium

* Fix CVE-2026-7598: integer overflow in userauth_password
(upstream commit 256d04b60d80bf1190e96b0ad1e91b2174d744b1)
* revert t64.

-- deepin-ci-robot <packages@deepin.org> Thu, 04 Jun 2026 09:00:00 +0800
-- Tianyu Chen <sweetyfish@deepin.org> Tue, 30 Jun 2026 09:49:45 +0800

libssh2 (1.11.1-1deepin1) unstable; urgency=medium
libssh2 (1.11.1-1+deb13u1) trixie-security; urgency=medium

* revert t64.
* CVE-2026-7598 (Closes: #1135647)
* CVE-2025-15661 / CVE-2026-55199 / CVE-2026-55200 (Closes: #1140401)

-- lichenggang <lichenggang@deepin.org> Mon, 14 Apr 2025 17:53:34 +0800
-- Moritz Mühlenhoff <jmm@debian.org> Tue, 23 Jun 2026 23:01:56 +0200

libssh2 (1.11.1-1) unstable; urgency=medium

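--- a/debian/patches/CVE-2025-15661.patch
+++ b/debian/patches/CVE-2025-15661.patch
@@ -0,0 +1,111 @@
+From 2dae3024897e1898d389835151f4e9606227721d Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 10 Oct 2025 08:26:20 -0700
+Subject: [PATCH] Update sftp_symlink to avoid out of bounds read on malformed
+packet #1705 (#1717)
+
+--- libssh2-1.11.1.orig/src/sftp.c
++++ libssh2-1.11.1/src/sftp.c
+@@ -3795,15 +3795,19 @@ static int sftp_symlink(LIBSSH2_SFTP *sf
+{
+LIBSSH2_CHANNEL *channel = sftp->channel;
+LIBSSH2_SESSION *session = channel->session;
+- size_t data_len = 0, link_len;
++ size_t data_len = 0, lk_len;
+/* 13 = packet_len(4) + packet_type(1) + request_id(4) + path_len(4) */
+ssize_t packet_len =
+path_len + 13 +
+((link_type == LIBSSH2_SFTP_SYMLINK) ? (4 + target_len) : 0);
+unsigned char *s, *data = NULL;
++ struct string_buf buf;
+static const unsigned char link_responses[2] =
+{ SSH_FXP_NAME, SSH_FXP_STATUS };
+int retcode;
++ unsigned char packet_type;
++ uint32_t tmp_u32;
++ unsigned char *lk_target;
+
+if(sftp->symlink_state == libssh2_NB_state_idle) {
+sftp->last_errno = LIBSSH2_FX_OK;
+@@ -3891,8 +3895,25 @@ static int sftp_symlink(LIBSSH2_SFTP *sf
+
+sftp->symlink_state = libssh2_NB_state_idle;
+
+- if(data[0] == SSH_FXP_STATUS) {
+- retcode = _libssh2_ntohu32(data + 5);
++ buf.data = (unsigned char *)LIBSSH2_UNCONST(data);
++ buf.dataptr = buf.data;
++ buf.len = data_len;
++
++ if(_libssh2_get_byte(&buf, &packet_type)) {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (type)");
++ }
++
++ if(packet_type == SSH_FXP_STATUS) {
++ if(_libssh2_get_u32(&buf, &tmp_u32)) {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (code)");
++ }
++
++ retcode = (int)tmp_u32;
++
+LIBSSH2_FREE(session, data);
+if(retcode == LIBSSH2_FX_OK)
+return LIBSSH2_ERROR_NONE;
+@@ -3903,30 +3924,37 @@ static int sftp_symlink(LIBSSH2_SFTP *sf
+}
+}
+
+- if(_libssh2_ntohu32(data + 5) < 1) {
++ /* advance past id */
++ if(_libssh2_get_u32(&buf, &tmp_u32)) {
+LIBSSH2_FREE(session, data);
+return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+- "Invalid READLINK/REALPATH response, "
+- "no name entries");
++ "SFTP Protocol Error (id)");
+}
+
+- if(data_len < 13) {
+- if(data_len > 0) {
+- LIBSSH2_FREE(session, data);
+- }
++ /* look for at least one link */
++ if(_libssh2_get_u32(&buf, &tmp_u32) || tmp_u32 < 1) {
++ LIBSSH2_FREE(session, data);
+return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+- "SFTP stat packet too short");
++ "Invalid READLINK/REALPATH response, "
++ "no name entries");
+}
+
+- /* this reads a u32 and stores it into a signed 32bit value */
+- link_len = _libssh2_ntohu32(data + 9);
+- if(link_len < target_len) {
+- memcpy(target, data + 13, link_len);
+- target[link_len] = 0;
+- retcode = (int)link_len;
++ if(_libssh2_get_string(&buf, &lk_target, &lk_len) == LIBSSH2_ERROR_NONE) {
++ if(lk_len < target_len) {
++ memcpy(target, lk_target, lk_len);
++ target[lk_len] = '\0';
++ retcode = (int)lk_len;
++ }
++ else {
++ retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL;
++ }
+}
+- else
+- retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL;
++ else {
++ LIBSSH2_FREE(session, data);
++ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++ "SFTP Protocol Error (filename)");
++ }
++
+LIBSSH2_FREE(session, data);
+
+return retcode;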
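Review bot: In the `SSH_FXP_STATUS` branch the status code is now taken from the first `_libssh2_get_u32()` after the type byte, whereas the removed line read it from `data + 5`, i.e. past the 4-byte request id. If `_libssh2_get_u32()` consumes the four bytes at the current read position (its definition is not on this page), `retcode` receives the request id rather than the status, so a server's error status could be misreported to the caller. Moving the `/* advance past id */` read so that it runs before `if(packet_type == SSH_FXP_STATUS)` would restore the old offsets while keeping the new bounds checks. sftp_symlink begins and ends outside these hunks, so the surrounding state handling could not be checked.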
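--- a/debian/patches/CVE-2026-55199.patch
+++ b/debian/patches/CVE-2026-55199.patch
@@ -0,0 +1,21 @@
+From 17626857d20b3c9a1addfa45979dadcee1cd84a4 Mon Sep 17 00:00:00 2001
+From: TristanInSec <tristan.mtn@gmail.com>
+Date: Wed, 15 Apr 2026 14:51:08 -0400
+Subject: [PATCH] packet: check `_libssh2_get_string()` return in `EXT_INFO`
+handler
+
+--- libssh2-1.11.1.orig/src/packet.c
++++ libssh2-1.11.1/src/packet.c
+@@ -868,8 +868,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * se
+
+nr_extensions -= 1;
+
+- _libssh2_get_string(&buf, &name, &name_len);
+- _libssh2_get_string(&buf, &value, &value_len);
++ if(_libssh2_get_string(&buf, &name, &name_len))
++ break;
++ if(_libssh2_get_string(&buf, &value, &value_len))
++ break;
+
+if(name && value) {
+_libssh2_debug((session,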
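Review bot: The two `break` statements end EXT_INFO parsing silently when `_libssh2_get_string()` fails, so a truncated or malformed extension list leaves no trace. A short comment such as `/* malformed entry: stop parsing, ignore the remaining extensions */` above the first check, or a `_libssh2_debug()` line before each `break`, would make the intent clear and help when diagnosing a misbehaving peer. What happens to the packet after the loop is outside the hunk, so whether it should instead be rejected with an error could not be checked here.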
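--- a/debian/patches/CVE-2026-55200.patch
+++ b/debian/patches/CVE-2026-55200.patch
@@ -0,0 +1,22 @@
+From 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 12 Jun 2026 15:57:44 -0700
+Subject: [PATCH] transport.c: Additional boundary checks for packet length
+(#2052)
+
+--- libssh2-1.11.1.orig/src/transport.c
++++ libssh2-1.11.1/src/transport.c
+@@ -639,8 +639,12 @@ int _libssh2_transport_read(LIBSSH2_SESS
+total_num = 4;
+
+p->packet_length = _libssh2_ntohu32(block);
+- if(p->packet_length < 1)
++ if(p->packet_length < 1) {
+return LIBSSH2_ERROR_DECRYPT;
++ }
++ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
++ return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
++ }
+
+/* total_num may include size field, however due to existing
+* logic it needs to be removed after the entire packet is read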
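Review bot: The new upper bound on `p->packet_length` covers only this decode of the length field; `_libssh2_transport_read` continues outside the hunk, and if the length is decoded at another point in the function (not visible here) that path needs the same `LIBSSH2_PACKET_MAXPAYLOAD` check. A comment such as `/* bound the peer-supplied length before it is used further */` above the check would record why it sits here. The `else` after `return` is redundant; a plain second `if` reads more simply.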
37 changes: 20 additions & 17 deletions debian/patches/CVE-2026-7598.patch
Original file line number Diff line number Diff line change
@@ -1,32 +1,35 @@
Index: libssh2/src/userauth.c
===================================================================
--- libssh2.orig/src/userauth.c
+++ libssh2/src/userauth.c
@@ -84,6 +84,12 @@ static char *userauth_list(LIBSSH2_SESSI
From 256d04b60d80bf1190e96b0ad1e91b2174d744b1 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Mon, 13 Apr 2026 11:18:25 -0700
Subject: [PATCH] userauth.c: username_len bounds checking (#1858)

--- libssh2-1.11.1.orig/src/userauth.c
+++ libssh2-1.11.1/src/userauth.c
@@ -80,6 +80,12 @@ static char *userauth_list(LIBSSH2_SESSI
memset(&session->userauth_list_packet_requirev_state, 0,
sizeof(session->userauth_list_packet_requirev_state));

s = session->userauth_list_data =
LIBSSH2_ALLOC(session, session->userauth_list_data_len);
+ if(username_len > UINT32_MAX - 27) {
+ _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "username_len out of bounds");
+ return NULL;
+ }
+
if(!session->userauth_list_data) {
_libssh2_error(session, LIBSSH2_ERROR_ALLOC,
"Unable to allocate memory for userauth_list");
@@ -316,6 +322,11 @@ userauth_password(LIBSSH2_SESSION *sessi
struct */
s = session->userauth_pswd_data =
LIBSSH2_ALLOC(session, session->userauth_pswd_data_len);
session->userauth_list_data_len = username_len + 27;

s = session->userauth_list_data =
@@ -307,6 +313,11 @@ userauth_password(LIBSSH2_SESSION *sessi
* 40 = packet_type(1) + username_len(4) + service_len(4) +
* service(14)"ssh-connection" + method_len(4) + method(8)"password" +
* chgpwdbool(1) + password_len(4) */
+ if(username_len > UINT32_MAX - 40) {
+ return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+ "username_len out of bounds");
+ }
+
if(!session->userauth_pswd_data) {
return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
"Unable to allocate memory for "
session->userauth_pswd_data_len = username_len + 40;

session->userauth_pswd_data0 =
@@ -447,7 +458,7 @@ password_response:
}

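--- a/debian/patches/libssh-unconst-backport.patch
+++ b/debian/patches/libssh-unconst-backport.patch
@@ -0,0 +1,24 @@
+Needed by the fix for CVE-2025-15661
+
+Cherrypicked from
+commit 606c102e52f8447de2b745dd6c5ddf418defc519
+Author: Viktor Szakats <commit@vsz.me>
+Date: Thu Jan 30 21:18:23 2025 +0100
+
+--- libssh2-1.11.1.orig/src/libssh2_priv.h
++++ libssh2-1.11.1/src/libssh2_priv.h
+@@ -117,6 +117,14 @@
+#define UINT32_MAX 0xffffffffU
+#endif
+
++#ifdef _WIN64
++#define LIBSSH2_UNCONST(p) ((void *)(libssh2_uint64_t)(const void *)(p))
++#elif defined(_MSC_VER)
++#define LIBSSH2_UNCONST(p) ((void *)(unsigned int)(const void *)(p))
++#else
++#define LIBSSH2_UNCONST(p) ((void *)(uintptr_t)(const void *)(p))
++#endif
++
+#if (defined(__GNUC__) || defined(__clang__)) && \
+defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) && \
+!defined(LIBSSH2_NO_FMT_CHECKS)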
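Review bot: `LIBSSH2_UNCONST` is added without a comment, and a macro that casts away `const` should say when it is safe to use; something like `/* strip const from a pointer; only for callees that never write through it */` above the `#ifdef` would do. The `#else` branch relies on `uintptr_t`, and whether `libssh2_priv.h` already includes a header that declares it is not visible in this hunk. In the one use on this page (`buf.data = (unsigned char *)LIBSSH2_UNCONST(data);` in CVE-2025-15661.patch) `data` is declared `unsigned char *`, so that call site would also build as `buf.data = data;` without this backport.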
4 changes: 4 additions & 0 deletions debian/patches/series
Expand Up @@ -6,4 +6,8 @@
#CVE-2023-48795.patch
#maxpathlen.patch
#openssh-9.8.patch
CVE-2025-15661.patch
CVE-2026-7598.patch
CVE-2026-55199.patch
CVE-2026-55200.patch
libssh-unconst-backport.patch
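Review bot: `libssh-unconst-backport.patch` is listed after `CVE-2025-15661.patch`, although its own header says it is needed by that fix. The two patches touch different files, so the series still applies in this order, but listing the prerequisite first would make the dependency obvious and keep the tree buildable at every step of the series.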