| Message ID | 20260310121417.194408-1-deeratho@cisco.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-openembedded,master] libssh 0.11.3: Fix CVE-2026-3731 | expand |
Why not upgrade it to 0.11.4 in master, instead of patching it? On 3/10/26 13:14, Deepak Rathore via lists.openembedded.org wrote: > From: Deepak Rathore <deeratho@cisco.com> > > Upstream Repository: https://git.libssh.org/projects/libssh.git > > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3731 > Type: Security Fix > CVE: CVE-2026-3731 > Score: 9.8 > Patch: https://git.libssh.org/projects/libssh.git/commit/?id=855a0853ad3a > > Signed-off-by: Deepak Rathore <deeratho@cisco.com> > > diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch > new file mode 100644 > index 0000000000..88e6ff1c48 > --- /dev/null > +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch > @@ -0,0 +1,43 @@ > +From e46f096ad5294428509077c887233554d62ead0e Mon Sep 17 00:00:00 2001 > +From: Jakub Jelen <jjelen@redhat.com> > +Date: Thu, 11 Dec 2025 13:22:44 +0100 > +Subject: [PATCH] sftp: Fix out-of-bound read from sftp extensions > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +CVE: CVE-2026-3731 > +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=855a0853ad3a] > + > +Signed-off-by: Jakub Jelen <jjelen@redhat.com> > +Reviewed-by: Pavol Žáčik <pzacik@redhat.com> > +(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60) > +Signed-off-by: Deepak Rathore <deeratho@cisco.com> > +--- > + src/sftp.c | 4 ++-- > + 1 file changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/src/sftp.c b/src/sftp.c > +index 37b4133b..cbcdb066 100644 > +--- a/src/sftp.c > ++++ b/src/sftp.c > +@@ -583,7 +583,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) { > + return NULL; > + } > + > +- if (idx > sftp->ext->count) { > ++ if (idx >= sftp->ext->count) { > + ssh_set_error_invalid(sftp->session); > + return NULL; > + } > +@@ -599,7 +599,7 @@ const char *sftp_extensions_get_data(sftp_session sftp, unsigned int idx) { > + return NULL; > + } > + > +- if (idx > sftp->ext->count) { > ++ if (idx >= sftp->ext->count) { > + ssh_set_error_invalid(sftp->session); > + return NULL; > + } > +-- > +2.51.0 > diff --git a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb > index 5928581312..9f66736b29 100644 > --- a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb > +++ b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb > @@ -9,6 +9,7 @@ DEPENDS = "zlib openssl" > SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.11;tag=${BPN}-${PV} \ > file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \ > file://run-ptest \ > + file://CVE-2026-3731.patch \ > " > > SRC_URI:append:toolchain-clang = " file://0001-CompilerChecks.cmake-drop-Wunused-variable-flag.patch" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#125024): https://lists.openembedded.org/g/openembedded-devel/message/125024 > Mute This Topic: https://lists.openembedded.org/mt/118239463/6084445 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi Gyorgy Sarvari, This CVE is fixed in libssh-0.12.0 tag and master branch which is major upgrade for master branch. Please refer below URL: projects/libssh.git - libssh shared repository ( https://git.libssh.org/projects/libssh.git/commit/?h=libssh-0.12.0&id=855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60 ) Please suggest if we can upgrade to libssh-0.12.0 release or not. Regards, Deepak
On 3/10/26 16:13, Deepak Rathore via lists.openembedded.org wrote: > Hi Gyorgy Sarvari, > > This CVE is fixed in libssh-0.12.0 tag and master branch which is > major upgrade for master branch. Please refer below URL: > projects/libssh.git - libssh shared repository > <https://git.libssh.org/projects/libssh.git/commit/?h=libssh-0.12.0&id=855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60> > > Please suggest if we can upgrade to libssh-0.12.0 release or not. Certainly you can - the Stable/LTS policy for frozen major versions is only valid for the named branches. Master branch can take all version updates anytime, without any special process. > > Regards, > Deepak > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#125033): https://lists.openembedded.org/g/openembedded-devel/message/125033 > Mute This Topic: https://lists.openembedded.org/mt/118239463/6084445 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch new file mode 100644 index 0000000000..88e6ff1c48 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch @@ -0,0 +1,43 @@ +From e46f096ad5294428509077c887233554d62ead0e Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jjelen@redhat.com> +Date: Thu, 11 Dec 2025 13:22:44 +0100 +Subject: [PATCH] sftp: Fix out-of-bound read from sftp extensions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE: CVE-2026-3731 +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=855a0853ad3a] + +Signed-off-by: Jakub Jelen <jjelen@redhat.com> +Reviewed-by: Pavol Žáčik <pzacik@redhat.com> +(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60) +Signed-off-by: Deepak Rathore <deeratho@cisco.com> +--- + src/sftp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/sftp.c b/src/sftp.c +index 37b4133b..cbcdb066 100644 +--- a/src/sftp.c ++++ b/src/sftp.c +@@ -583,7 +583,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) { + return NULL; + } + +- if (idx > sftp->ext->count) { ++ if (idx >= sftp->ext->count) { + ssh_set_error_invalid(sftp->session); + return NULL; + } +@@ -599,7 +599,7 @@ const char *sftp_extensions_get_data(sftp_session sftp, unsigned int idx) { + return NULL; + } + +- if (idx > sftp->ext->count) { ++ if (idx >= sftp->ext->count) { + ssh_set_error_invalid(sftp->session); + return NULL; + } +-- +2.51.0 diff --git a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb index 5928581312..9f66736b29 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb @@ -9,6 +9,7 @@ DEPENDS = "zlib openssl" SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.11;tag=${BPN}-${PV} \ file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \ file://run-ptest \ + file://CVE-2026-3731.patch \ " SRC_URI:append:toolchain-clang = " file://0001-CompilerChecks.cmake-drop-Wunused-variable-flag.patch"