fix(libssh2): CVE-2026-58051, CVE-2026-58050 - publickey list fixes #7

Open
deepin-ci-robot wants to merge 1 commit into master from fix/CVE-2026-58050-58051

@deepin-ci-robot

Contributor

Summary

Fix two CVEs in libssh2 publickey list handling.

Changes

CVE-2026-58051: publickey list fetch uninitialized entry fix

  • Zero-initialize new list entry after SSH2_REALLOC to prevent cleanup path from operating on uninitialized data
  • Upstream: libssh2/libssh2@a9758da

CVE-2026-58050: publickey list fetch attribute overflow fix

  • Cap list size at 1024 elements to prevent integer overflow when computing attribute allocation size
  • Upstream: libssh2/libssh2@3449752

Generated-By

deepseek-v4-flash (uos/deepseek-v4-flash)

Co-Authored-By

hudeng hudeng@deepin.org

@deepin-ci-robot deepin-ci-robot requested a review from BLumia July 1, 2026 06:35
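
The two fixes summarized in the PR description above (zero-initializing a list entry after the list is reallocated, and capping a count at 1024 before it feeds an allocation size), as an added C example that is not code from libssh2 or from this PR. The struct and function names are hypothetical, and applying the cap to both the entry count and the per-entry attribute count is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define LIST_CAP 1024u /* the 1024-element cap named in the PR summary */
/* Hypothetical types for illustration; not libssh2's structures. */
struct attr  { const char *name; const char *value; };
struct entry { uint32_t num_attrs; struct attr *attrs; };
struct list  { size_t count; struct entry *items; };

/* Cleanup path: touches every entry, so each must hold defined values. */
void list_free(struct list *l)
{
    for (size_t i = 0; i < l->count; i++)
        free(l->items[i].attrs); /* free(NULL) is a no-op */
    free(l->items);
    l->items = NULL; l->count = 0;
}

/* Append an entry whose attribute count is peer-supplied. Returns 0, or -1
 * on rejection; either way the list is safe to hand to list_free(). */
int list_add(struct list *l, uint32_t peer_num_attrs)
{
    if (l->count >= LIST_CAP)
        return -1;
    struct entry *grown = realloc(l->items, (l->count + 1) * sizeof(*grown));
    if (!grown)
        return -1;
    l->items = grown;
    struct entry *e = &l->items[l->count];
    memset(e, 0, sizeof(*e)); /* realloc leaves the new slot uninitialized */
    l->count++;               /* from here on list_free() will visit it */
    if (peer_num_attrs > LIST_CAP)
        return -1;            /* reject before the size multiplication */
    if (peer_num_attrs) {
        e->attrs = malloc(peer_num_attrs * sizeof(*e->attrs)); /* cannot wrap */
        if (!e->attrs)
            return -1;
    }
    e->num_attrs = peer_num_attrs;
    return 0;
}

int main(void)
{
    struct list l = {0, NULL};
    int ok = list_add(&l, 3) == 0 && list_add(&l, 0xFFFFFFFFu) == -1; /* constructed counts */
    list_free(&l);
    return ok ? 0 : 1;
}
```

Without the `memset`, the rejected entry's `attrs` pointer would be whatever `realloc` left in the new slot, and `list_free` would pass it to `free`.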
@deepin-ci-robot

Contributor Author

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign liujianqiang-niu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions

github-actions Bot commented Jul 1, 2026

TAG Bot

TAG: 1.11.1-1+deb13u1deepin2
EXISTED: no
DISTRIBUTION: unstable

@deepin-ci-robot

Contributor Author

OBS CI build shows a service error on libssh2 (same on PR #6).
This appears to be an OBS infrastructure issue, not a patch problem.
Requesting rebuild...

@deepin-ci-robot deepin-ci-robot force-pushed the fix/CVE-2026-58050-58051 branch 2 times, most recently from 5c4107c to 3670aaf Compare July 2, 2026 01:28
CVE-2026-58051: publickey list fetch uninitialized entry fix
- Zero-initialize new list entry after SSH2_REALLOC
- Upstream: libssh2/libssh2@a9758da

CVE-2026-58050: publickey list fetch attribute overflow fix
- Cap list size at 1024 elements to prevent integer overflow
- Upstream: libssh2/libssh2@3449752

Co-authored-by: hudeng <hudeng@deepin.org>
@deepin-ci-robot deepin-ci-robot force-pushed the fix/CVE-2026-58050-58051 branch from 3670aaf to 00fd9fd Compare July 2, 2026 01:35
@hudeng-go

Contributor

/integrate

@github-actions

github-actions Bot commented Jul 2, 2026

AutoIntegrationPr Bot
auto integrate with pr url: deepin-community/Repository-Integration#4222
PrNumber: 4222
PrBranch: auto-integration-28559342243
