diff --git a/debian/changelog b/debian/changelog index 500e199..2dc241a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libssh2 (1.11.1-1deepin4) unstable; urgency=medium + + * Fix CVE-2026-58050: fix potential multiplication overflow in 32-bit + libssh2_publickey_list_fetch() when computing attribute allocation + size (upstream commit 34497525929b9a47f03dfb81887ac896202b7e12) + + -- deepin-ci-robot Wed, 01 Jul 2026 13:40:42 +0800 + libssh2 (1.11.1-1deepin2) unstable; urgency=medium * Fix CVE-2026-7598: integer overflow in userauth_password diff --git a/debian/patches/CVE-2026-58050.patch b/debian/patches/CVE-2026-58050.patch new file mode 100644 index 0000000..731a80d --- /dev/null +++ b/debian/patches/CVE-2026-58050.patch @@ -0,0 +1,21 @@ +Description: publickey: fix potential multiplication overflow in 32-bit + libssh2_publickey_list_fetch(). Cap list size at 1024 elements to + prevent integer overflow when computing attribute allocation size. +Origin: upstream, https://github.com/libssh2/libssh2/commit/34497525929b9a47f03dfb81887ac896202b7e12 +Bug: https://github.com/libssh2/libssh2/pull/2128 +Last-Update: 2026-07-01 + +--- a/src/publickey.c ++++ b/src/publickey.c +@@ -1048,6 +1048,11 @@ int libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY *pkey, + } + + if(list[keys].num_attrs) { ++ if(list[keys].num_attrs > 1024) { ++ ssh2_err(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, ++ "Too many publickey attributes"); ++ goto err_exit; ++ } + list[keys].attrs = + SSH2_ALLOC(session, + list[keys].num_attrs * diff --git a/debian/patches/series b/debian/patches/series index efb1902..2956931 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ #maxpathlen.patch #openssh-9.8.patch CVE-2026-7598.patch +CVE-2026-58050.patch