| Message ID | 20260325124141.142149-1-vanusuri@mvista.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-oe,kirkstone] libssh: Fix CVE-2026-0966 | expand |
Hi Team, Just checking in—do we have any updates on this? I wasn’t able to find it in meta-openembedded-contrib. Thanks & Regards, Vijay On Wed, Mar 25, 2026 at 6:11 PM <vanusuri@mvista.com> wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > Pick commits according to [1] > > [1] https://security-tracker.debian.org/tracker/CVE-2026-0966 > [2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt > > Skip the test commit as it's not applicable in libssh-0.8.9 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../libssh/libssh/CVE-2026-0966-1.patch | 38 ++++++++++++ > .../libssh/libssh/CVE-2026-0966-2.patch | 62 +++++++++++++++++++ > .../recipes-support/libssh/libssh_0.8.9.bb | 2 + > 3 files changed, 102 insertions(+) > create mode 100644 > meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch > create mode 100644 > meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch > > diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch > b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch > new file mode 100644 > index 0000000000..a645282afd > --- /dev/null > +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch > @@ -0,0 +1,38 @@ > +From 6ba5ff1b7b1547a59f750fbc06b89737b7456117 Mon Sep 17 00:00:00 2001 > +From: Jakub Jelen <jjelen@redhat.com> > +Date: Thu, 8 Jan 2026 12:09:50 +0100 > +Subject: [PATCH] CVE-2026-0966 misc: Avoid heap buffer underflow in > ssh_get_hexa > + > +Signed-off-by: Jakub Jelen <jjelen@redhat.com> > +Reviewed-by: Pavol Žáčik <pzacik@redhat.com> > +(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401) > + > +ssh_get_hexa function not present in misc.c. It was in dh.c file in > +older libssh versions. > + > +ssh_get_hexa function moved from dh.c from misc.c by the below commit > + > https://git.libssh.org/projects/libssh.git/commit/?id=43a4f86b6e14a907b3a298d10d5cd7efb59f6a09 > + > +Upstream-Status: Backport [ > https://git.libssh.org/projects/libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117 > ] > +CVE: CVE-2026-0966 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + src/dh.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/src/dh.c b/src/dh.c > +index 7116d1dc..321aeba6 100644 > +--- a/src/dh.c > ++++ b/src/dh.c > +@@ -1486,7 +1486,7 @@ char *ssh_get_hexa(const unsigned char *what, > size_t len) { > + size_t i; > + size_t hlen = len * 3; > + > +- if (len > (UINT_MAX - 1) / 3) { > ++ if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) { > + return NULL; > + } > + > +-- > +2.25.1 > + > diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch > b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch > new file mode 100644 > index 0000000000..9a035dbc1e > --- /dev/null > +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch > @@ -0,0 +1,62 @@ > +From 3e1d276a5a030938a8f144f46ff4f2a2efe31ced Mon Sep 17 00:00:00 2001 > +From: Jakub Jelen <jjelen@redhat.com> > +Date: Thu, 8 Jan 2026 12:10:44 +0100 > +Subject: [PATCH] CVE-2026-0966 doc: Update guided tour to use SHA256 > fingerprints > + > +Signed-off-by: Jakub Jelen <jjelen@redhat.com> > +Reviewed-by: Pavol Žáčik <pzacik@redhat.com> > +(cherry picked from commit 1b2a4f760bec35121c490f2294f915ebb9c992ae) > + > +Upstream-Status: Backport [ > https://git.libssh.org/projects/libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced > ] > +CVE: CVE-2026-0966 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + doc/guided_tour.dox | 10 ++++------ > + 1 file changed, 4 insertions(+), 6 deletions(-) > + > +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox > +index 008ccb4e..bdd7489c 100644 > +--- a/doc/guided_tour.dox > ++++ b/doc/guided_tour.dox > +@@ -190,7 +190,6 @@ int verify_knownhost(ssh_session session) > + ssh_key srv_pubkey = NULL; > + size_t hlen; > + char buf[10]; > +- char *hexa = NULL; > + char *p = NULL; > + int cmp; > + int rc; > +@@ -201,7 +200,7 @@ int verify_knownhost(ssh_session session) > + } > + > + rc = ssh_get_publickey_hash(srv_pubkey, > +- SSH_PUBLICKEY_HASH_SHA1, > ++ SSH_PUBLICKEY_HASH_SHA256, > + &hash, > + &hlen); > + ssh_key_free(srv_pubkey); > +@@ -217,7 +216,7 @@ int verify_knownhost(ssh_session session) > + break; > + case SSH_KNOWN_HOSTS_CHANGED: > + fprintf(stderr, "Host key for server changed: it is now:\n"); > +- ssh_print_hexa("Public key hash", hash, hlen); > ++ ssh_print_hexa(SSH_PUBLICKEY_HASH_SHA256, hash, hlen); > + fprintf(stderr, "For security reasons, connection will be > stopped\n"); > + ssh_clean_pubkey_hash(&hash); > + > +@@ -238,10 +237,9 @@ int verify_knownhost(ssh_session session) > + /* FALL THROUGH to SSH_SERVER_NOT_KNOWN behavior */ > + > + case SSH_KNOWN_HOSTS_UNKNOWN: > +- hexa = ssh_get_hexa(hash, hlen); > + fprintf(stderr,"The server is unknown. Do you trust the host > key?\n"); > +- fprintf(stderr, "Public key hash: %s\n", hexa); > +- ssh_string_free_char(hexa); > ++ fprintf(stderr, "Public key hash: "); > ++ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen); > + ssh_clean_pubkey_hash(&hash); > + p = fgets(buf, sizeof(buf), stdin); > + if (p == NULL) { > +-- > +2.25.1 > + > diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > index a1fc64446c..8cc0883b2b 100644 > --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > @@ -29,6 +29,8 @@ SRC_URI = "git:// > git.libssh.org/projects/libssh.git;protocol=https;branch=stable > file://CVE-2025-8277-3.patch \ > file://CVE-2025-8114.patch \ > file://CVE-2026-3731.patch \ > + file://CVE-2026-0966-1.patch \ > + file://CVE-2026-0966-2.patch \ > " > SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" > > -- > 2.25.1 > >
On 3/26/26 12:28, Vijay Anusuri wrote: > Hi Team, > > Just checking in—do we have any updates on this? > > I wasn’t able to find it in meta-openembedded-contrib. > It is queued up now in the repo, thanks. > Thanks & Regards, > > Vijay > > > > > On Wed, Mar 25, 2026 at 6:11 PM <vanusuri@mvista.com > <mailto:vanusuri@mvista.com>> wrote: > > From: Vijay Anusuri <vanusuri@mvista.com <mailto:vanusuri@mvista.com>> > > Pick commits according to [1] > > [1] https://security-tracker.debian.org/tracker/CVE-2026-0966 > <https://security-tracker.debian.org/tracker/CVE-2026-0966> > [2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt > <https://www.libssh.org/security/advisories/CVE-2026-0966.txt> > > Skip the test commit as it's not applicable in libssh-0.8.9 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com > <mailto:vanusuri@mvista.com>> > --- > .../libssh/libssh/CVE-2026-0966-1.patch | 38 ++++++++++++ > .../libssh/libssh/CVE-2026-0966-2.patch | 62 +++++++++++++++++++ > .../recipes-support/libssh/libssh_0.8.9.bb <http:// > libssh_0.8.9.bb> | 2 + > 3 files changed, 102 insertions(+) > create mode 100644 meta-oe/recipes-support/libssh/libssh/ > CVE-2026-0966-1.patch > create mode 100644 meta-oe/recipes-support/libssh/libssh/ > CVE-2026-0966-2.patch > > diff --git a/meta-oe/recipes-support/libssh/libssh/ > CVE-2026-0966-1.patch b/meta-oe/recipes-support/libssh/libssh/ > CVE-2026-0966-1.patch > new file mode 100644 > index 0000000000..a645282afd > --- /dev/null > +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch > @@ -0,0 +1,38 @@ > +From 6ba5ff1b7b1547a59f750fbc06b89737b7456117 Mon Sep 17 00:00:00 2001 > +From: Jakub Jelen <jjelen@redhat.com <mailto:jjelen@redhat.com>> > +Date: Thu, 8 Jan 2026 12:09:50 +0100 > +Subject: [PATCH] CVE-2026-0966 misc: Avoid heap buffer underflow in > ssh_get_hexa > + > +Signed-off-by: Jakub Jelen <jjelen@redhat.com > <mailto:jjelen@redhat.com>> > +Reviewed-by: Pavol Žáčik <pzacik@redhat.com <mailto:pzacik@redhat.com>> > +(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401) > + > +ssh_get_hexa function not present in misc.c. It was in dh.c file in > +older libssh versions. > + > +ssh_get_hexa function moved from dh.c from misc.c by the below commit > +https://git.libssh.org/projects/libssh.git/commit/? > id=43a4f86b6e14a907b3a298d10d5cd7efb59f6a09 <https://git.libssh.org/ > projects/libssh.git/commit/?id=43a4f86b6e14a907b3a298d10d5cd7efb59f6a09> > + > +Upstream-Status: Backport [https://git.libssh.org/projects/ > libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117 > <https://git.libssh.org/projects/libssh.git/commit/? > id=6ba5ff1b7b1547a59f750fbc06b89737b7456117>] > +CVE: CVE-2026-0966 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com > <mailto:vanusuri@mvista.com>> > +--- > + src/dh.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/src/dh.c b/src/dh.c > +index 7116d1dc..321aeba6 100644 > +--- a/src/dh.c > ++++ b/src/dh.c > +@@ -1486,7 +1486,7 @@ char *ssh_get_hexa(const unsigned char *what, > size_t len) { > + size_t i; > + size_t hlen = len * 3; > + > +- if (len > (UINT_MAX - 1) / 3) { > ++ if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) { > + return NULL; > + } > + > +-- > +2.25.1 > + > diff --git a/meta-oe/recipes-support/libssh/libssh/ > CVE-2026-0966-2.patch b/meta-oe/recipes-support/libssh/libssh/ > CVE-2026-0966-2.patch > new file mode 100644 > index 0000000000..9a035dbc1e > --- /dev/null > +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch > @@ -0,0 +1,62 @@ > +From 3e1d276a5a030938a8f144f46ff4f2a2efe31ced Mon Sep 17 00:00:00 2001 > +From: Jakub Jelen <jjelen@redhat.com <mailto:jjelen@redhat.com>> > +Date: Thu, 8 Jan 2026 12:10:44 +0100 > +Subject: [PATCH] CVE-2026-0966 doc: Update guided tour to use > SHA256 fingerprints > + > +Signed-off-by: Jakub Jelen <jjelen@redhat.com > <mailto:jjelen@redhat.com>> > +Reviewed-by: Pavol Žáčik <pzacik@redhat.com <mailto:pzacik@redhat.com>> > +(cherry picked from commit 1b2a4f760bec35121c490f2294f915ebb9c992ae) > + > +Upstream-Status: Backport [https://git.libssh.org/projects/ > libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced > <https://git.libssh.org/projects/libssh.git/commit/? > id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced>] > +CVE: CVE-2026-0966 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com > <mailto:vanusuri@mvista.com>> > +--- > + doc/guided_tour.dox | 10 ++++------ > + 1 file changed, 4 insertions(+), 6 deletions(-) > + > +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox > +index 008ccb4e..bdd7489c 100644 > +--- a/doc/guided_tour.dox > ++++ b/doc/guided_tour.dox > +@@ -190,7 +190,6 @@ int verify_knownhost(ssh_session session) > + ssh_key srv_pubkey = NULL; > + size_t hlen; > + char buf[10]; > +- char *hexa = NULL; > + char *p = NULL; > + int cmp; > + int rc; > +@@ -201,7 +200,7 @@ int verify_knownhost(ssh_session session) > + } > + > + rc = ssh_get_publickey_hash(srv_pubkey, > +- SSH_PUBLICKEY_HASH_SHA1, > ++ SSH_PUBLICKEY_HASH_SHA256, > + &hash, > + &hlen); > + ssh_key_free(srv_pubkey); > +@@ -217,7 +216,7 @@ int verify_knownhost(ssh_session session) > + break; > + case SSH_KNOWN_HOSTS_CHANGED: > + fprintf(stderr, "Host key for server changed: it is > now:\n"); > +- ssh_print_hexa("Public key hash", hash, hlen); > ++ ssh_print_hexa(SSH_PUBLICKEY_HASH_SHA256, hash, hlen); > + fprintf(stderr, "For security reasons, connection will > be stopped\n"); > + ssh_clean_pubkey_hash(&hash); > + > +@@ -238,10 +237,9 @@ int verify_knownhost(ssh_session session) > + /* FALL THROUGH to SSH_SERVER_NOT_KNOWN behavior */ > + > + case SSH_KNOWN_HOSTS_UNKNOWN: > +- hexa = ssh_get_hexa(hash, hlen); > + fprintf(stderr,"The server is unknown. Do you trust > the host key?\n"); > +- fprintf(stderr, "Public key hash: %s\n", hexa); > +- ssh_string_free_char(hexa); > ++ fprintf(stderr, "Public key hash: "); > ++ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen); > + ssh_clean_pubkey_hash(&hash); > + p = fgets(buf, sizeof(buf), stdin); > + if (p == NULL) { > +-- > +2.25.1 > + > diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb <http:// > libssh_0.8.9.bb> b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > <http://libssh_0.8.9.bb> > index a1fc64446c..8cc0883b2b 100644 > --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb <http:// > libssh_0.8.9.bb> > +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb <http:// > libssh_0.8.9.bb> > @@ -29,6 +29,8 @@ SRC_URI = "git://git.libssh.org/projects/ > libssh.git;protocol=https;branch=stable <http://git.libssh.org/ > projects/libssh.git;protocol=https;branch=stable> > file://CVE-2025-8277-3.patch \ > file://CVE-2025-8114.patch \ > file://CVE-2026-3731.patch \ > + file://CVE-2026-0966-1.patch \ > + file://CVE-2026-0966-2.patch \ > " > SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" > > -- > 2.25.1 >
Hi Gyorgy, Thank you for the quick response and for queuing it up in the repo. Thanks & Regards, Vijay On Thu, Mar 26, 2026 at 6:28 PM Gyorgy Sarvari <skandigraun@gmail.com> wrote: > On 3/26/26 12:28, Vijay Anusuri wrote: > > Hi Team, > > > > Just checking in—do we have any updates on this? > > > > I wasn’t able to find it in meta-openembedded-contrib. > > > > It is queued up now in the repo, thanks. > > > > Thanks & Regards, > > > > Vijay > > > > > > > > > > On Wed, Mar 25, 2026 at 6:11 PM <vanusuri@mvista.com > > <mailto:vanusuri@mvista.com>> wrote: > > > > From: Vijay Anusuri <vanusuri@mvista.com <mailto:vanusuri@mvista.com > >> > > > > Pick commits according to [1] > > > > [1] https://security-tracker.debian.org/tracker/CVE-2026-0966 > > <https://security-tracker.debian.org/tracker/CVE-2026-0966> > > [2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt > > <https://www.libssh.org/security/advisories/CVE-2026-0966.txt> > > > > Skip the test commit as it's not applicable in libssh-0.8.9 > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com > > <mailto:vanusuri@mvista.com>> > > --- > > .../libssh/libssh/CVE-2026-0966-1.patch | 38 ++++++++++++ > > .../libssh/libssh/CVE-2026-0966-2.patch | 62 > +++++++++++++++++++ > > .../recipes-support/libssh/libssh_0.8.9.bb <http:// > > libssh_0.8.9.bb> | 2 + > > 3 files changed, 102 insertions(+) > > create mode 100644 meta-oe/recipes-support/libssh/libssh/ > > CVE-2026-0966-1.patch > > create mode 100644 meta-oe/recipes-support/libssh/libssh/ > > CVE-2026-0966-2.patch > > > > diff --git a/meta-oe/recipes-support/libssh/libssh/ > > CVE-2026-0966-1.patch b/meta-oe/recipes-support/libssh/libssh/ > > CVE-2026-0966-1.patch > > new file mode 100644 > > index 0000000000..a645282afd > > --- /dev/null > > +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch > > @@ -0,0 +1,38 @@ > > +From 6ba5ff1b7b1547a59f750fbc06b89737b7456117 Mon Sep 17 00:00:00 > 2001 > > +From: Jakub Jelen <jjelen@redhat.com <mailto:jjelen@redhat.com>> > > +Date: Thu, 8 Jan 2026 12:09:50 +0100 > > +Subject: [PATCH] CVE-2026-0966 misc: Avoid heap buffer underflow in > > ssh_get_hexa > > + > > +Signed-off-by: Jakub Jelen <jjelen@redhat.com > > <mailto:jjelen@redhat.com>> > > +Reviewed-by: Pavol Žáčik <pzacik@redhat.com <mailto: > pzacik@redhat.com>> > > +(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401) > > + > > +ssh_get_hexa function not present in misc.c. It was in dh.c file in > > +older libssh versions. > > + > > +ssh_get_hexa function moved from dh.c from misc.c by the below > commit > > +https://git.libssh.org/projects/libssh.git/commit/? > > id=43a4f86b6e14a907b3a298d10d5cd7efb59f6a09 <https://git.libssh.org/ > > > projects/libssh.git/commit/?id=43a4f86b6e14a907b3a298d10d5cd7efb59f6a09> > > + > > +Upstream-Status: Backport [https://git.libssh.org/projects/ > > libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117 > > <https://git.libssh.org/projects/libssh.git/commit/? > > id=6ba5ff1b7b1547a59f750fbc06b89737b7456117>] > > +CVE: CVE-2026-0966 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com > > <mailto:vanusuri@mvista.com>> > > +--- > > + src/dh.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/src/dh.c b/src/dh.c > > +index 7116d1dc..321aeba6 100644 > > +--- a/src/dh.c > > ++++ b/src/dh.c > > +@@ -1486,7 +1486,7 @@ char *ssh_get_hexa(const unsigned char *what, > > size_t len) { > > + size_t i; > > + size_t hlen = len * 3; > > + > > +- if (len > (UINT_MAX - 1) / 3) { > > ++ if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) { > > + return NULL; > > + } > > + > > +-- > > +2.25.1 > > + > > diff --git a/meta-oe/recipes-support/libssh/libssh/ > > CVE-2026-0966-2.patch b/meta-oe/recipes-support/libssh/libssh/ > > CVE-2026-0966-2.patch > > new file mode 100644 > > index 0000000000..9a035dbc1e > > --- /dev/null > > +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch > > @@ -0,0 +1,62 @@ > > +From 3e1d276a5a030938a8f144f46ff4f2a2efe31ced Mon Sep 17 00:00:00 > 2001 > > +From: Jakub Jelen <jjelen@redhat.com <mailto:jjelen@redhat.com>> > > +Date: Thu, 8 Jan 2026 12:10:44 +0100 > > +Subject: [PATCH] CVE-2026-0966 doc: Update guided tour to use > > SHA256 fingerprints > > + > > +Signed-off-by: Jakub Jelen <jjelen@redhat.com > > <mailto:jjelen@redhat.com>> > > +Reviewed-by: Pavol Žáčik <pzacik@redhat.com <mailto: > pzacik@redhat.com>> > > +(cherry picked from commit 1b2a4f760bec35121c490f2294f915ebb9c992ae) > > + > > +Upstream-Status: Backport [https://git.libssh.org/projects/ > > libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced > > <https://git.libssh.org/projects/libssh.git/commit/? > > id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced>] > > +CVE: CVE-2026-0966 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com > > <mailto:vanusuri@mvista.com>> > > +--- > > + doc/guided_tour.dox | 10 ++++------ > > + 1 file changed, 4 insertions(+), 6 deletions(-) > > + > > +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox > > +index 008ccb4e..bdd7489c 100644 > > +--- a/doc/guided_tour.dox > > ++++ b/doc/guided_tour.dox > > +@@ -190,7 +190,6 @@ int verify_knownhost(ssh_session session) > > + ssh_key srv_pubkey = NULL; > > + size_t hlen; > > + char buf[10]; > > +- char *hexa = NULL; > > + char *p = NULL; > > + int cmp; > > + int rc; > > +@@ -201,7 +200,7 @@ int verify_knownhost(ssh_session session) > > + } > > + > > + rc = ssh_get_publickey_hash(srv_pubkey, > > +- SSH_PUBLICKEY_HASH_SHA1, > > ++ SSH_PUBLICKEY_HASH_SHA256, > > + &hash, > > + &hlen); > > + ssh_key_free(srv_pubkey); > > +@@ -217,7 +216,7 @@ int verify_knownhost(ssh_session session) > > + break; > > + case SSH_KNOWN_HOSTS_CHANGED: > > + fprintf(stderr, "Host key for server changed: it is > > now:\n"); > > +- ssh_print_hexa("Public key hash", hash, hlen); > > ++ ssh_print_hexa(SSH_PUBLICKEY_HASH_SHA256, hash, hlen); > > + fprintf(stderr, "For security reasons, connection will > > be stopped\n"); > > + ssh_clean_pubkey_hash(&hash); > > + > > +@@ -238,10 +237,9 @@ int verify_knownhost(ssh_session session) > > + /* FALL THROUGH to SSH_SERVER_NOT_KNOWN behavior */ > > + > > + case SSH_KNOWN_HOSTS_UNKNOWN: > > +- hexa = ssh_get_hexa(hash, hlen); > > + fprintf(stderr,"The server is unknown. Do you trust > > the host key?\n"); > > +- fprintf(stderr, "Public key hash: %s\n", hexa); > > +- ssh_string_free_char(hexa); > > ++ fprintf(stderr, "Public key hash: "); > > ++ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen); > > + ssh_clean_pubkey_hash(&hash); > > + p = fgets(buf, sizeof(buf), stdin); > > + if (p == NULL) { > > +-- > > +2.25.1 > > + > > diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb <http:// > > libssh_0.8.9.bb> b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > > <http://libssh_0.8.9.bb> > > index a1fc64446c..8cc0883b2b 100644 > > --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb <http:// > > libssh_0.8.9.bb> > > +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb <http:// > > libssh_0.8.9.bb> > > @@ -29,6 +29,8 @@ SRC_URI = "git://git.libssh.org/projects/ > > libssh.git;protocol=https;branch=stable <http://git.libssh.org/ > > projects/libssh.git;protocol=https;branch=stable> > > file://CVE-2025-8277-3.patch \ > > file://CVE-2025-8114.patch \ > > file://CVE-2026-3731.patch \ > > + file://CVE-2026-0966-1.patch \ > > + file://CVE-2026-0966-2.patch \ > > " > > SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" > > > > -- > > 2.25.1 > > > >
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch new file mode 100644 index 0000000000..a645282afd --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch @@ -0,0 +1,38 @@ +From 6ba5ff1b7b1547a59f750fbc06b89737b7456117 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jjelen@redhat.com> +Date: Thu, 8 Jan 2026 12:09:50 +0100 +Subject: [PATCH] CVE-2026-0966 misc: Avoid heap buffer underflow in ssh_get_hexa + +Signed-off-by: Jakub Jelen <jjelen@redhat.com> +Reviewed-by: Pavol Žáčik <pzacik@redhat.com> +(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401) + +ssh_get_hexa function not present in misc.c. It was in dh.c file in +older libssh versions. + +ssh_get_hexa function moved from dh.c from misc.c by the below commit +https://git.libssh.org/projects/libssh.git/commit/?id=43a4f86b6e14a907b3a298d10d5cd7efb59f6a09 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117] +CVE: CVE-2026-0966 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/dh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dh.c b/src/dh.c +index 7116d1dc..321aeba6 100644 +--- a/src/dh.c ++++ b/src/dh.c +@@ -1486,7 +1486,7 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) { + size_t i; + size_t hlen = len * 3; + +- if (len > (UINT_MAX - 1) / 3) { ++ if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) { + return NULL; + } + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch new file mode 100644 index 0000000000..9a035dbc1e --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch @@ -0,0 +1,62 @@ +From 3e1d276a5a030938a8f144f46ff4f2a2efe31ced Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jjelen@redhat.com> +Date: Thu, 8 Jan 2026 12:10:44 +0100 +Subject: [PATCH] CVE-2026-0966 doc: Update guided tour to use SHA256 fingerprints + +Signed-off-by: Jakub Jelen <jjelen@redhat.com> +Reviewed-by: Pavol Žáčik <pzacik@redhat.com> +(cherry picked from commit 1b2a4f760bec35121c490f2294f915ebb9c992ae) + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced] +CVE: CVE-2026-0966 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + doc/guided_tour.dox | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox +index 008ccb4e..bdd7489c 100644 +--- a/doc/guided_tour.dox ++++ b/doc/guided_tour.dox +@@ -190,7 +190,6 @@ int verify_knownhost(ssh_session session) + ssh_key srv_pubkey = NULL; + size_t hlen; + char buf[10]; +- char *hexa = NULL; + char *p = NULL; + int cmp; + int rc; +@@ -201,7 +200,7 @@ int verify_knownhost(ssh_session session) + } + + rc = ssh_get_publickey_hash(srv_pubkey, +- SSH_PUBLICKEY_HASH_SHA1, ++ SSH_PUBLICKEY_HASH_SHA256, + &hash, + &hlen); + ssh_key_free(srv_pubkey); +@@ -217,7 +216,7 @@ int verify_knownhost(ssh_session session) + break; + case SSH_KNOWN_HOSTS_CHANGED: + fprintf(stderr, "Host key for server changed: it is now:\n"); +- ssh_print_hexa("Public key hash", hash, hlen); ++ ssh_print_hexa(SSH_PUBLICKEY_HASH_SHA256, hash, hlen); + fprintf(stderr, "For security reasons, connection will be stopped\n"); + ssh_clean_pubkey_hash(&hash); + +@@ -238,10 +237,9 @@ int verify_knownhost(ssh_session session) + /* FALL THROUGH to SSH_SERVER_NOT_KNOWN behavior */ + + case SSH_KNOWN_HOSTS_UNKNOWN: +- hexa = ssh_get_hexa(hash, hlen); + fprintf(stderr,"The server is unknown. Do you trust the host key?\n"); +- fprintf(stderr, "Public key hash: %s\n", hexa); +- ssh_string_free_char(hexa); ++ fprintf(stderr, "Public key hash: "); ++ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen); + ssh_clean_pubkey_hash(&hash); + p = fgets(buf, sizeof(buf), stdin); + if (p == NULL) { +-- +2.25.1 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb index a1fc64446c..8cc0883b2b 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb @@ -29,6 +29,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-8277-3.patch \ file://CVE-2025-8114.patch \ file://CVE-2026-3731.patch \ + file://CVE-2026-0966-1.patch \ + file://CVE-2026-0966-2.patch \ " SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"