From 0ab2d331b54c201e9aa07378ef77d5687efad0c1 Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Wed, 1 Jul 2026 13:40:25 +0800 Subject: [PATCH] fix(libssh2): CVE-2026-58051 Fix potential arbitrary free in libssh2_publickey_list_fetch() due to uninitialized list entry after SSH2_REALLOC. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client. Upstream: https://github.com/libssh2/libssh2/commit/a9758da45a52bc8c630ec9493804d0c6ea30b24a Generated-By: deepseek-v4-flash Co-Authored-By: hudeng --- debian/changelog | 9 +++++++++ debian/patches/CVE-2026-58051.patch | 18 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 28 insertions(+) create mode 100644 debian/patches/CVE-2026-58051.patch diff --git a/debian/changelog b/debian/changelog index 500e199..7f25e6a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +libssh2 (1.11.1-1deepin3) unstable; urgency=medium + + * Fix CVE-2026-58051: fix potential arbitrary free in + libssh2_publickey_list_fetch() due to uninitialized list entry after + SSH2_REALLOC (upstream commit + a9758da45a52bc8c630ec9493804d0c6ea30b24a) + + -- deepin-ci-robot Wed, 01 Jul 2026 13:40:18 +0800 + libssh2 (1.11.1-1deepin2) unstable; urgency=medium * Fix CVE-2026-7598: integer overflow in userauth_password diff --git a/debian/patches/CVE-2026-58051.patch b/debian/patches/CVE-2026-58051.patch new file mode 100644 index 0000000..d6dfeff --- /dev/null +++ b/debian/patches/CVE-2026-58051.patch 
@@ -0,0 +1,18 @@ +Description: publickey: fix potential arbitrary free in libssh2_publickey_list_fetch() + Due to uninitialized list entry. After SSH2_REALLOC, zero-initialize + the new entry before parsing populates it, preventing a cleanup path + from operating on uninitialized data. +Origin: upstream, https://github.com/libssh2/libssh2/commit/a9758da45a52bc8c630ec9493804d0c6ea30b24a +Bug: https://github.com/libssh2/libssh2/pull/2127 +Last-Update: 2026-07-01 + +--- a/src/publickey.c ++++ b/src/publickey.c +@@ -905,6 +905,7 @@ int libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY *pkey, + goto err_exit; + } + list = newlist; ++ memset(&list[keys], 0, sizeof(list[keys])); + } + if(pkey->version == 1) { + unsigned long comment_len; diff --git a/debian/patches/series b/debian/patches/series index efb1902..71f7c9e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ #maxpathlen.patch #openssh-9.8.patch CVE-2026-7598.patch +CVE-2026-58051.patch
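Review bot: In the src/publickey.c hunk carried by debian/patches/CVE-2026-58051.patch, the added `memset(&list[keys], 0, sizeof(list[keys]));` sits inside the reallocation block, directly after `list = newlist;` and before the closing brace, so it clears exactly one entry and only on iterations that actually reallocate. The visible context does not show how many entries each reallocation adds. If the array grows by more than one entry at a time, the entries filled on later iterations without a reallocation are still uninitialized when parsing fails and `goto err_exit` is taken. Please check the growth step against the upstream source. If it is larger than one, either move the memset below the closing brace so every entry is zeroed before it is parsed, or zero the whole newly added range at the point of reallocation. Separately, the DEP-3 Description breaks one sentence across the synopsis and the long description (the synopsis ends at "libssh2_publickey_list_fetch()" and the next line starts "Due to uninitialized list entry."); fold that fragment into the synopsis or make the first long-description line a full sentence.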