diff --git a/debian/changelog b/debian/changelog
index a19ef8a..425b1b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libssh2 (1.11.1-1+deb13u1deepin2) unstable; urgency=medium
+
+ * CVE-2026-58050: Fix publickey list fetch attribute overflow
+ Cap list size at 1024 elements to prevent integer overflow.
+ * CVE-2026-58051: Fix publickey list fetch uninitialized entry
+ Zero-initialize new list entry after SSH2_REALLOC.
+
+ -- deepin-ci-robot Wed, 01 Jul 2026 16:40:00 +0800
+
 libssh2 (1.11.1-1+deb13u1deepin1) unstable; urgency=medium
 * revert t64.
diff --git a/debian/patches/CVE-2026-58050.patch b/debian/patches/CVE-2026-58050.patch
new file mode 100644
index 0000000..605a0c4
--- /dev/null
+++ b/debian/patches/CVE-2026-58050.patch
@@ -0,0 +1,20 @@
+Description: publickey: fix potential multiplication overflow in 32-bit
+ libssh2_publickey_list_fetch(). Cap list size at 1024 elements.
+Origin: upstream, https://github.com/libssh2/libssh2/commit/34497525929b9a47f03dfb81887ac896202b7e12
+Bug: https://github.com/libssh2/libssh2/pull/2128
+Last-Update: 2026-07-01
+
+--- a/src/publickey.c
++++ b/src/publickey.c
+@@ -1114,6 +1115,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ }
+
+ if(list[keys].num_attrs) {
++ if(list[keys].num_attrs > 1024) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Too many publickey attributes");
++ goto err_exit;
++ }
+ list[keys].attrs =
+ LIBSSH2_ALLOC(session,
+ list[keys].num_attrs *
diff --git a/debian/patches/CVE-2026-58051.patch b/debian/patches/CVE-2026-58051.patch
new file mode 100644
index 0000000..3585e24
--- /dev/null
+++ b/debian/patches/CVE-2026-58051.patch
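Review bot: In debian/patches/CVE-2026-58050.patch the new guard `if(list[keys].num_attrs > 1024)` bounds the attribute count of a single key, while the patch Description says "Cap list size at 1024 elements", which reads as a limit on the number of keys; the header would be more accurate as `Cap the per-key attribute count at 1024.` The bare 1024 would be easier to audit as a named constant carrying a comment such as `/* keeps the attrs allocation size from wrapping on 32-bit targets */`. The guard only bounds the multiplication that begins on the last visible line. Whether num_attrs is also checked against the bytes remaining in the response cannot be seen here, because the function body continues outside the hunk.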
@@ -0,0 +1,16 @@
+Description: publickey: fix potential arbitrary free in
+ libssh2_publickey_list_fetch(). Due to uninitialized list entry.
+Origin: upstream, https://github.com/libssh2/libssh2/commit/a9758da45a52bc8c630ec9493804d0c6ea30b24a
+Bug: https://github.com/libssh2/libssh2/pull/2127
+Last-Update: 2026-07-01
+
+--- a/src/publickey.c
++++ b/src/publickey.c
+@@ -972,6 +972,7 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ goto err_exit;
+ }
+ list = newlist;
++ memset(&list[keys], 0, sizeof(list[keys]));
+ }
+ if(pkey->version == 1) {
+ unsigned long comment_len;
diff --git a/debian/patches/series b/debian/patches/series
index 2e294a8..d8e1053 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,5 @@ CVE-2026-7598.patch
 CVE-2026-55199.patch
 CVE-2026-55200.patch
 libssh-unconst-backport.patch
+CVE-2026-58050.patch
+CVE-2026-58051.patch
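Review bot: In debian/patches/CVE-2026-58051.patch the added `memset(&list[keys], 0, sizeof(list[keys]));` clears exactly one entry, and it sits inside the block that closes on the next line, so it appears to run only on the path that reallocates the list. If that growth step (outside the hunk) adds more than one slot at a time, the entries used by later iterations are not zeroed by this line and the `err_exit` path could still see stale pointer fields. This should be confirmed against the full function, and if it holds, the whole newly added range should be zeroed instead. A short comment above the memset would record the intent, for example `/* zero the new entry so err_exit never frees an uninitialized pointer */`. The enclosing function starts and ends outside the hunk.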