diff --git a/debian/changelog b/debian/changelog
index 500e199..7f25e6a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libssh2 (1.11.1-1deepin3) unstable; urgency=medium
+
+ * Fix CVE-2026-58051: fix potential arbitrary free in
+ libssh2_publickey_list_fetch() due to uninitialized list entry after
+ SSH2_REALLOC (upstream commit
+ a9758da45a52bc8c630ec9493804d0c6ea30b24a)
+
+ -- deepin-ci-robot Wed, 01 Jul 2026 13:40:18 +0800
+
 libssh2 (1.11.1-1deepin2) unstable; urgency=medium
 
 * Fix CVE-2026-7598: integer overflow in userauth_password
diff --git a/debian/patches/CVE-2026-58051.patch b/debian/patches/CVE-2026-58051.patch
new file mode 100644
index 0000000..d6dfeff
--- /dev/null
+++ b/debian/patches/CVE-2026-58051.patch
@@ -0,0 +1,18 @@
+Description: publickey: fix potential arbitrary free in libssh2_publickey_list_fetch()
+ Due to uninitialized list entry. After SSH2_REALLOC, zero-initialize
+ the new entry before parsing populates it, preventing a cleanup path
+ from operating on uninitialized data.
+Origin: upstream, https://github.com/libssh2/libssh2/commit/a9758da45a52bc8c630ec9493804d0c6ea30b24a
+Bug: https://github.com/libssh2/libssh2/pull/2127
+Last-Update: 2026-07-01
+
+--- a/src/publickey.c
++++ b/src/publickey.c
+@@ -905,6 +905,7 @@ int libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY *pkey,
+ goto err_exit;
+ }
+ list = newlist;
++ memset(&list[keys], 0, sizeof(list[keys]));
+ }
+ if(pkey->version == 1) {
+ unsigned long comment_len;
diff --git a/debian/patches/series b/debian/patches/series
index efb1902..71f7c9e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@
 #maxpathlen.patch
 #openssh-9.8.patch
 CVE-2026-7598.patch
+CVE-2026-58051.patch
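Review bot: The added `memset(&list[keys], 0, sizeof(list[keys]));` in the embedded src/publickey.c hunk clears only the single entry at index `keys`, so any further entries gained by the reallocation stay uninitialized. That is sufficient only if the err_exit cleanup stops at the first zeroed entry, which presumably holds but cannot be checked here because both the reallocation call and the cleanup code lie outside the hunk. I would state that invariant next to the call, for example `/* realloc does not clear new memory: zero the entry about to be parsed so cleanup at err_exit sees an empty terminator */`. It is also worth confirming that every later `goto err_exit` in this function leaves `list[keys]` either fully populated or still zeroed.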