From 50dd9e81684a403456f51505f3b121b86e1fbe2a Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Wed, 1 Jul 2026 13:40:48 +0800 Subject: [PATCH] fix(libssh2): CVE-2026-58050 Fix potential multiplication overflow in 32-bit libssh2_publickey_list_fetch(). An attacker-controlled 32-bit attribute count could overflow the multiplication num_attrs * sizeof(...) on 32-bit platforms, leading to an undersized buffer and subsequent heap overflow. Cap list size at 1024 elements. Upstream: https://github.com/libssh2/libssh2/commit/34497525929b9a47f03dfb81887ac896202b7e12 Generated-By: deepseek-v4-flash Co-Authored-By: hudeng --- debian/changelog | 8 ++++++++ debian/patches/CVE-2026-58050.patch | 21 +++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 30 insertions(+) create mode 100644 debian/patches/CVE-2026-58050.patch diff --git a/debian/changelog b/debian/changelog index 500e199..2dc241a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libssh2 (1.11.1-1deepin4) unstable; urgency=medium + + * Fix CVE-2026-58050: fix potential multiplication overflow in 32-bit + libssh2_publickey_list_fetch() when computing attribute allocation + size (upstream commit 34497525929b9a47f03dfb81887ac896202b7e12) + + -- deepin-ci-robot Wed, 01 Jul 2026 13:40:42 +0800 + libssh2 (1.11.1-1deepin2) unstable; urgency=medium * Fix CVE-2026-7598: integer overflow in userauth_password diff --git a/debian/patches/CVE-2026-58050.patch b/debian/patches/CVE-2026-58050.patch new file mode 100644 index 0000000..731a80d --- /dev/null +++ b/debian/patches/CVE-2026-58050.patch @@ -0,0 +1,21 @@ +Description: publickey: fix potential multiplication overflow in 32-bit + libssh2_publickey_list_fetch(). Cap list size at 1024 elements to + prevent integer overflow when computing attribute allocation size. +Origin: upstream, https://github.com/libssh2/libssh2/commit/34497525929b9a47f03dfb81887ac896202b7e12 +Bug: https://github.com/libssh2/libssh2/pull/2128 +Last-Update: 2026-07-01 + +--- a/src/publickey.c ++++ b/src/publickey.c +@@ -1048,6 +1048,11 @@ int libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY *pkey, + } + + if(list[keys].num_attrs) { ++ if(list[keys].num_attrs > 1024) { ++ ssh2_err(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, ++ "Too many publickey attributes"); ++ goto err_exit; ++ } + list[keys].attrs = + SSH2_ALLOC(session, + list[keys].num_attrs * diff --git a/debian/patches/series b/debian/patches/series index efb1902..2956931 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ #maxpathlen.patch #openssh-9.8.patch CVE-2026-7598.patch +CVE-2026-58050.patch