diff mbox series

[wrynose] libssh2: fix CVE-2026-58050

Message ID 20260717135013.869197-1-adarsh.jagadish.kamini@est.tech
State New
Headers show
Series [wrynose] libssh2: fix CVE-2026-58050 | expand

Commit Message

Adarsh Jagadish Kamini July 17, 2026, 1:50 p.m. UTC
From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>

Backport patch to fix CVE-2026-58050.
https://nvd.nist.gov/vuln/detail/CVE-2026-58050

Upstream fix:
  https://github.com/libssh2/libssh2/commit/7c8a170c6dca3cd4cf24de836f43ba1a20e662d5

The upstream commit uses the shortened private-symbol namespace
introduced in commit 076838de2697a4185125bfd601fbcd6e7286bfb6
("src: shorten namespace for private functions and macros"), which is
not present in libssh2 1.11.1. The only change made when backporting was
to spell the helper calls back to the names used in 1.11.1:

  ssh2_err()     -> _libssh2_error()
  ssh2_ntohu32() -> _libssh2_ntohu32()

The added "> LIBSSH2_PACKET_MAXPAYLOAD" cap checks were kept as-is,
written against this tree's existing bounds-check style
(s + len <= data + data_len).

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
---
 .../libssh2/libssh2/CVE-2026-58050.patch      | 177 ++++++++++++++++++
 .../recipes-support/libssh2/libssh2_1.11.1.bb |   1 +
 2 files changed, 178 insertions(+)
 create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2026-58050.patch
diff mbox series

Patch

diff --git a/meta/recipes-support/libssh2/libssh2/CVE-2026-58050.patch b/meta/recipes-support/libssh2/libssh2/CVE-2026-58050.patch
new file mode 100644
index 0000000000..bad801fece
--- /dev/null
+++ b/meta/recipes-support/libssh2/libssh2/CVE-2026-58050.patch
@@ -0,0 +1,177 @@ 
+From ffe23ddb76c6fe320f3a90f5876abd429b6ddc61 Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Sat, 4 Jul 2026 17:18:50 +0200
+Subject: [PATCH] publickey: cap variable-length packet element sizes
+
+To avoid potential offset wrap in 32-bit builds when receiving overly
+large values in length fields. Limit them to the maximum packet size.
+
+Bug: https://github.com/libssh2/libssh2/pull/2205#discussion_r3523193089
+
+Closes #2207
+
+[Cherry-pick adaptation notes]
+
+The upstream commit uses the shortened private-symbol namespace
+introduced in commit 076838de2697a4185125bfd601fbcd6e7286bfb6
+("src: shorten namespace for private functions and macros"), which is
+not present in libssh2 1.11.1. The only change made when backporting was
+to spell the helper calls back to the names used in 1.11.1:
+
+  ssh2_err()     -> _libssh2_error()
+  ssh2_ntohu32() -> _libssh2_ntohu32()
+
+The added "> LIBSSH2_PACKET_MAXPAYLOAD" cap checks were kept as-is,
+written against this tree's existing bounds-check style
+(s + len <= data + data_len).
+
+CVE: CVE-2026-58050
+Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/7c8a170c6dca3cd4cf24de836f43ba1a20e662d5]
+
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ src/publickey.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+
+diff --git a/src/publickey.c b/src/publickey.c
+index 9c9fa618..583935fe 100644
+--- a/src/publickey.c
++++ b/src/publickey.c
+@@ -472,6 +472,11 @@ static LIBSSH2_PUBLICKEY *publickey_init(LIBSSH2_SESSION *session)
+                     goto err_exit;
+                 }
+ 
++                if(descr_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key description too large");
++                    goto err_exit;
++                }
+                 if(s + descr_len + 4 <=
+                    session->pkeyInit_data + session->pkeyInit_data_len) {
+                     /* description starts here */
+@@ -485,6 +490,11 @@ static LIBSSH2_PUBLICKEY *publickey_init(LIBSSH2_SESSION *session)
+                     goto err_exit;
+                 }
+ 
++                if(lang_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key language too large");
++                    goto err_exit;
++                }
+                 if(s + lang_len <=
+                    session->pkeyInit_data + session->pkeyInit_data_len) {
+                     /* lang starts here */
+@@ -912,6 +922,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                 goto err_exit;
+             }
+ 
++            if(descr_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                               "Public key description too large");
++                goto err_exit;
++            }
+             if(pkey->listFetch_s + descr_len + 4 <=
+                pkey->listFetch_data + pkey->listFetch_data_len) {
+                 /* description starts at pkey->listFetch_s */
+@@ -925,6 +940,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                 goto err_exit;
+             }
+ 
++            if(lang_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                               "Public key language too large");
++                goto err_exit;
++            }
+             if(pkey->listFetch_s + lang_len <=
+                pkey->listFetch_data + pkey->listFetch_data_len) {
+                 /* lang starts at pkey->listFetch_s */
+@@ -988,6 +1008,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                 }
+ 
+                 if(comment_len) {
++                    if(comment_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                        _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                       "Public key comment too large");
++                        goto err_exit;
++                    }
+                     list[keys].num_attrs = 1;
+                     list[keys].attrs =
+                         LIBSSH2_ALLOC(session,
+@@ -1022,6 +1047,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                     goto err_exit;
+                 }
+ 
++                if(list[keys].name_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key name too large");
++                    goto err_exit;
++                }
+                 if(pkey->listFetch_s + list[keys].name_len <=
+                    pkey->listFetch_data + pkey->listFetch_data_len) {
+                     list[keys].name = pkey->listFetch_s;
+@@ -1044,6 +1069,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                     goto err_exit;
+                 }
+ 
++                if(list[keys].blob_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key blob too large");
++                    goto err_exit;
++                }
+                 if(pkey->listFetch_s + list[keys].blob_len <=
+                    pkey->listFetch_data + pkey->listFetch_data_len) {
+                     list[keys].blob = pkey->listFetch_s;
+@@ -1069,6 +1094,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                     goto err_exit;
+                 }
+ 
++                if(list[keys].name_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key name too large");
++                    goto err_exit;
++                }
+                 if(pkey->listFetch_s + list[keys].name_len <=
+                    pkey->listFetch_data + pkey->listFetch_data_len) {
+                     list[keys].name = pkey->listFetch_s;
+@@ -1091,6 +1116,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                     goto err_exit;
+                 }
+ 
++                if(list[keys].blob_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                   "Public key blob too large");
++                    goto err_exit;
++                }
+                 if(pkey->listFetch_s + list[keys].blob_len <=
+                    pkey->listFetch_data + pkey->listFetch_data_len) {
+                     list[keys].blob = pkey->listFetch_s;
+@@ -1138,6 +1163,14 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                             goto err_exit;
+                         }
+ 
++                        if(list[keys].attrs[i].name_len >
++                           LIBSSH2_PACKET_MAXPAYLOAD) {
++                            _libssh2_error(session,
++                                           LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                           "Public key attribute name "
++                                           "too large");
++                            goto err_exit;
++                        }
+                         if(pkey->listFetch_s + list[keys].attrs[i].name_len <=
+                            pkey->listFetch_data + pkey->listFetch_data_len) {
+                             list[keys].attrs[i].name =
+@@ -1164,6 +1197,14 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+                             goto err_exit;
+                         }
+ 
++                        if(list[keys].attrs[i].value_len >
++                           LIBSSH2_PACKET_MAXPAYLOAD) {
++                            _libssh2_error(session,
++                                           LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                                           "Public key attribute value "
++                                           "too large");
++                            goto err_exit;
++                        }
+                         if(pkey->listFetch_s +
+                            list[keys].attrs[i].value_len <=
+                            pkey->listFetch_data + pkey->listFetch_data_len) {
diff --git a/meta/recipes-support/libssh2/libssh2_1.11.1.bb b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
index 2407ed34d9..21e7ed30da 100644
--- a/meta/recipes-support/libssh2/libssh2_1.11.1.bb
+++ b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
@@ -13,6 +13,7 @@  SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
            file://CVE-2026-7598.patch \
            file://CVE-2026-55200.patch \
            file://CVE-2026-55199.patch \
+           file://CVE-2026-58050.patch \
            "
 
 SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"