From 00fd9fd0d8c084888466723914261a2051b82034 Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Thu, 2 Jul 2026 09:28:37 +0800 Subject: [PATCH] fix(libssh2): CVE-2026-58051, CVE-2026-58050 - publickey list fixes CVE-2026-58051: publickey list fetch uninitialized entry fix - Zero-initialize new list entry after SSH2_REALLOC - Upstream: https://github.com/libssh2/libssh2/commit/a9758da45a52bc8c630ec9493804d0c6ea30b24a CVE-2026-58050: publickey list fetch attribute overflow fix - Cap list size at 1024 elements to prevent integer overflow - Upstream: https://github.com/libssh2/libssh2/commit/34497525929b9a47f03dfb81887ac896202b7e12 Co-authored-by: hudeng --- debian/changelog | 9 +++++++++ debian/patches/CVE-2026-58050.patch | 20 ++++++++++++++++++++ debian/patches/CVE-2026-58051.patch | 16 ++++++++++++++++ debian/patches/series | 2 ++ 4 files changed, 47 insertions(+) create mode 100644 debian/patches/CVE-2026-58050.patch create mode 100644 debian/patches/CVE-2026-58051.patch
diff --git a/debian/changelog b/debian/changelog
index a19ef8a..425b1b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libssh2 (1.11.1-1+deb13u1deepin2) unstable; urgency=medium
+
+ * CVE-2026-58050: Fix publickey list fetch attribute overflow
+ Cap list size at 1024 elements to prevent integer overflow.
+ * CVE-2026-58051: Fix publickey list fetch uninitialized entry
+ Zero-initialize new list entry after SSH2_REALLOC.
+
+ -- deepin-ci-robot Wed, 01 Jul 2026 16:40:00 +0800
+
 libssh2 (1.11.1-1+deb13u1deepin1) unstable; urgency=medium
 
 * revert t64.
diff --git a/debian/patches/CVE-2026-58050.patch b/debian/patches/CVE-2026-58050.patch
new file mode 100644
index 0000000..605a0c4
--- /dev/null
+++ b/debian/patches/CVE-2026-58050.patch
@@ -0,0 +1,20 @@
+Description: publickey: fix potential multiplication overflow in 32-bit
+ libssh2_publickey_list_fetch(). Cap list size at 1024 elements.
+Origin: upstream, https://github.com/libssh2/libssh2/commit/34497525929b9a47f03dfb81887ac896202b7e12
+Bug: https://github.com/libssh2/libssh2/pull/2128
+Last-Update: 2026-07-01
+
+--- a/src/publickey.c
++++ b/src/publickey.c
+@@ -1114,6 +1115,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ }
+
+ if(list[keys].num_attrs) {
++ if(list[keys].num_attrs > 1024) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Too many publickey attributes");
++ goto err_exit;
++ }
+ list[keys].attrs =
+ LIBSSH2_ALLOC(session,
+ list[keys].num_attrs *
diff --git a/debian/patches/CVE-2026-58051.patch b/debian/patches/CVE-2026-58051.patch
new file mode 100644
index 0000000..3585e24
--- /dev/null
+++ b/debian/patches/CVE-2026-58051.patch
@@ -0,0 +1,16 @@
+Description: publickey: fix potential arbitrary free in
+ libssh2_publickey_list_fetch(). Due to uninitialized list entry.
+Origin: upstream, https://github.com/libssh2/libssh2/commit/a9758da45a52bc8c630ec9493804d0c6ea30b24a
+Bug: https://github.com/libssh2/libssh2/pull/2127
+Last-Update: 2026-07-01
+
+--- a/src/publickey.c
++++ b/src/publickey.c
+@@ -972,6 +972,7 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ goto err_exit;
+ }
+ list = newlist;
++ memset(&list[keys], 0, sizeof(list[keys]));
+ }
+ if(pkey->version == 1) {
+ unsigned long comment_len;
diff --git a/debian/patches/series b/debian/patches/series
index 2e294a8..d8e1053 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,5 @@ CVE-2026-7598.patch
 CVE-2026-55199.patch
 CVE-2026-55200.patch
 libssh-unconst-backport.patch
+CVE-2026-58050.patch
+CVE-2026-58051.patch
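Review bot: In debian/patches/CVE-2026-58050.patch the new guard bounds the per-key attribute count (`list[keys].num_attrs > 1024`), yet the patch Description, the changelog entry and the commit message all describe it as a cap on the "list size"; nothing in this hunk limits the number of keys. I would reword the Description to something like `Cap the attribute count of each key at 1024.` and give the bare `1024` a named constant with a comment on why that bound keeps the `num_attrs *` size computation from wrapping on 32-bit. The embedded hunk header `@@ -1114,6 +1115,11 @@` also has a new-side start that is one line off for a single-hunk patch which `series` applies before CVE-2026-58051.patch; it will probably still apply with an offset, but refreshing the patch would remove the ambiguity. The enclosing function continues outside the hunk, so the `err_exit` cleanup reached by the new `goto` cannot be checked from here.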
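Review bot: In debian/patches/CVE-2026-58051.patch the added `memset(&list[keys], 0, sizeof(list[keys]));` clears a single entry and, judging by the closing brace that follows it, runs only inside the branch that grows the list. Whether that is sufficient depends on code outside the hunk: how many entries the realloc adds at once, and whether every later entry is terminated before an error path can hand the list to the cleanup code. A short comment above the call would make the invariant auditable, for example `/* realloc leaves the new tail uninitialized; zero the entry about to be filled so err_exit never frees garbage pointers */`. The body of libssh2_publickey_list_fetch() starts and ends outside the hunk.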