new file mode 100644
@@ -0,0 +1,177 @@
+From ffe23ddb76c6fe320f3a90f5876abd429b6ddc61 Mon Sep 17 00:00:00 2001
+From: Viktor Szakats <commit@vsz.me>
+Date: Sat, 4 Jul 2026 17:18:50 +0200
+Subject: [PATCH] publickey: cap variable-length packet element sizes
+
+To avoid potential offset wrap in 32-bit builds when receiving overly
+large values in length fields. Limit them to the maximum packet size.
+
+Bug: https://github.com/libssh2/libssh2/pull/2205#discussion_r3523193089
+
+Closes #2207
+
+[Cherry-pick adaptation notes]
+
+The upstream commit uses the shortened private-symbol namespace
+introduced in commit 076838de2697a4185125bfd601fbcd6e7286bfb6
+("src: shorten namespace for private functions and macros"), which is
+not present in libssh2 1.11.1. The only change made when backporting was
+to spell the helper calls back to the names used in 1.11.1:
+
+ ssh2_err() -> _libssh2_error()
+ ssh2_ntohu32() -> _libssh2_ntohu32()
+
+The added "> LIBSSH2_PACKET_MAXPAYLOAD" cap checks were kept as-is,
+written against this tree's existing bounds-check style
+(s + len <= data + data_len).
+
+CVE: CVE-2026-58050
+Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/7c8a170c6dca3cd4cf24de836f43ba1a20e662d5]
+
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ src/publickey.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+
+diff --git a/src/publickey.c b/src/publickey.c
+index 9c9fa618..583935fe 100644
+--- a/src/publickey.c
++++ b/src/publickey.c
+@@ -472,6 +472,11 @@ static LIBSSH2_PUBLICKEY *publickey_init(LIBSSH2_SESSION *session)
+ goto err_exit;
+ }
+
++ if(descr_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key description too large");
++ goto err_exit;
++ }
+ if(s + descr_len + 4 <=
+ session->pkeyInit_data + session->pkeyInit_data_len) {
+ /* description starts here */
+@@ -485,6 +490,11 @@ static LIBSSH2_PUBLICKEY *publickey_init(LIBSSH2_SESSION *session)
+ goto err_exit;
+ }
+
++ if(lang_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key language too large");
++ goto err_exit;
++ }
+ if(s + lang_len <=
+ session->pkeyInit_data + session->pkeyInit_data_len) {
+ /* lang starts here */
+@@ -912,6 +922,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ goto err_exit;
+ }
+
++ if(descr_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key description too large");
++ goto err_exit;
++ }
+ if(pkey->listFetch_s + descr_len + 4 <=
+ pkey->listFetch_data + pkey->listFetch_data_len) {
+ /* description starts at pkey->listFetch_s */
+@@ -925,6 +940,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ goto err_exit;
+ }
+
++ if(lang_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key language too large");
++ goto err_exit;
++ }
+ if(pkey->listFetch_s + lang_len <=
+ pkey->listFetch_data + pkey->listFetch_data_len) {
+ /* lang starts at pkey->listFetch_s */
+@@ -988,6 +1008,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ }
+
+ if(comment_len) {
++ if(comment_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key comment too large");
++ goto err_exit;
++ }
+ list[keys].num_attrs = 1;
+ list[keys].attrs =
+ LIBSSH2_ALLOC(session,
+@@ -1022,6 +1047,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ goto err_exit;
+ }
+
++ if(list[keys].name_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key name too large");
++ goto err_exit;
++ }
+ if(pkey->listFetch_s + list[keys].name_len <=
+ pkey->listFetch_data + pkey->listFetch_data_len) {
+ list[keys].name = pkey->listFetch_s;
+@@ -1044,6 +1069,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ goto err_exit;
+ }
+
++ if(list[keys].blob_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key blob too large");
++ goto err_exit;
++ }
+ if(pkey->listFetch_s + list[keys].blob_len <=
+ pkey->listFetch_data + pkey->listFetch_data_len) {
+ list[keys].blob = pkey->listFetch_s;
+@@ -1069,6 +1094,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ goto err_exit;
+ }
+
++ if(list[keys].name_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key name too large");
++ goto err_exit;
++ }
+ if(pkey->listFetch_s + list[keys].name_len <=
+ pkey->listFetch_data + pkey->listFetch_data_len) {
+ list[keys].name = pkey->listFetch_s;
+@@ -1091,6 +1116,11 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ goto err_exit;
+ }
+
++ if(list[keys].blob_len > LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key blob too large");
++ goto err_exit;
++ }
+ if(pkey->listFetch_s + list[keys].blob_len <=
+ pkey->listFetch_data + pkey->listFetch_data_len) {
+ list[keys].blob = pkey->listFetch_s;
+@@ -1138,6 +1163,14 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ goto err_exit;
+ }
+
++ if(list[keys].attrs[i].name_len >
++ LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session,
++ LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key attribute name "
++ "too large");
++ goto err_exit;
++ }
+ if(pkey->listFetch_s + list[keys].attrs[i].name_len <=
+ pkey->listFetch_data + pkey->listFetch_data_len) {
+ list[keys].attrs[i].name =
+@@ -1164,6 +1197,14 @@ libssh2_publickey_list_fetch(LIBSSH2_PUBLICKEY * pkey, unsigned long *num_keys,
+ goto err_exit;
+ }
+
++ if(list[keys].attrs[i].value_len >
++ LIBSSH2_PACKET_MAXPAYLOAD) {
++ _libssh2_error(session,
++ LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Public key attribute value "
++ "too large");
++ goto err_exit;
++ }
+ if(pkey->listFetch_s +
+ list[keys].attrs[i].value_len <=
+ pkey->listFetch_data + pkey->listFetch_data_len) {
@@ -13,6 +13,7 @@ SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
file://CVE-2026-7598.patch \
file://CVE-2026-55200.patch \
file://CVE-2026-55199.patch \
+ file://CVE-2026-58050.patch \
"
SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"