
[meta-oe,scarthgap,2/3] libssh: Fix CVE-2026-0966

Message ID 20260327090921.114180-2-vanusuri@mvista.com
State New
Series [meta-oe,scarthgap,1/3] libssh: Fix CVE-2026-0964 | expand

Commit Message

Vijay Anusuri March 27, 2026, 9:09 a.m. UTC
Pick commits according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-0966
[2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../libssh/libssh/CVE-2026-0966-1.patch       | 35 +++++++++
 .../libssh/libssh/CVE-2026-0966-2.patch       | 71 +++++++++++++++++++
 .../libssh/libssh/CVE-2026-0966-3.patch       | 65 +++++++++++++++++
 .../recipes-support/libssh/libssh_0.10.6.bb   |  3 +
 4 files changed, 174 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch

Patch

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch
new file mode 100644
index 0000000000..346e3e36ce
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch
@@ -0,0 +1,35 @@ 
+From 6ba5ff1b7b1547a59f750fbc06b89737b7456117 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 8 Jan 2026 12:09:50 +0100
+Subject: [PATCH] CVE-2026-0966 misc: Avoid heap buffer underflow in ssh_get_hexa
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117]
+CVE: CVE-2026-0966
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/misc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/misc.c b/src/misc.c
+index f371f332..565abcfc 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -451,7 +451,7 @@ char *ssh_get_hexa(const unsigned char *what, size_t len)
+     size_t i;
+     size_t hlen = len * 3;
+ 
+-    if (len > (UINT_MAX - 1) / 3) {
++    if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) {
+         return NULL;
+     }
+ 
+-- 
+2.43.0
+
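Review bot: The new guard in `ssh_get_hexa` makes NULL an ordinary return value for NULL or zero-length input, but the patch neither documents that nor shows that callers cope with it. The function body starts and ends outside the hunk; with `hlen = len * 3` visible, the `len == 0` case is presumably the one behind the underflow named in the subject, so callers may never have seen NULL on that path before. The guided-tour example touched by CVE-2026-0966-3.patch used to pass the result straight to a `%s` format, so it is worth checking the 0.10.6 tree for other `ssh_get_hexa(` call sites that use the return value unchecked. I would also add a line to the function's doc comment, such as `@return NULL if what is NULL, len is 0, or len is too large`. As a style point, `len < 1` on a `size_t` reads more directly as `len == 0`.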
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch
new file mode 100644
index 0000000000..efe90942d2
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch
@@ -0,0 +1,71 @@ 
+From b156391833c66322436cf177d57e10b0325fbcc8 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 8 Jan 2026 12:10:16 +0100
+Subject: [PATCH] CVE-2026-0966 tests: Test coverage for ssh_get_hexa
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 9be83584a56580da5a2f41e47137056dc0249b52)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=b156391833c66322436cf177d57e10b0325fbcc8]
+CVE: CVE-2026-0966
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/unittests/torture_misc.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
+index 77166759..82d6cf16 100644
+--- a/tests/unittests/torture_misc.c
++++ b/tests/unittests/torture_misc.c
+@@ -877,6 +877,36 @@ static void torture_ssh_is_ipaddr(void **state) {
+     assert_int_equal(rc, 0);
+ }
+ 
++static void torture_ssh_get_hexa(void **state)
++{
++    const unsigned char *bin = NULL;
++    char *hex = NULL;
++
++    (void)state;
++
++    /* Null pointer should not crash */
++    bin = NULL;
++    hex = ssh_get_hexa(bin, 0);
++    assert_null(hex);
++
++    /* Null pointer should not crash regardless the length */
++    bin = NULL;
++    hex = ssh_get_hexa(bin, 99);
++    assert_null(hex);
++
++    /* Zero length input is not much useful. Just expect NULL too */
++    bin = (const unsigned char *)"";
++    hex = ssh_get_hexa(bin, 0);
++    assert_null(hex);
++
++    /* Valid inputs */
++    bin = (const unsigned char *)"\x00\xFF";
++    hex = ssh_get_hexa(bin, 2);
++    assert_non_null(hex);
++    assert_string_equal(hex, "00:ff");
++    ssh_string_free_char(hex);
++}
++
+ int torture_run_tests(void) {
+     int rc;
+     struct CMUnitTest tests[] = {
+@@ -903,6 +933,7 @@ int torture_run_tests(void) {
+         cmocka_unit_test(torture_ssh_strerror),
+         cmocka_unit_test(torture_ssh_check_hostname_syntax),
+         cmocka_unit_test(torture_ssh_is_ipaddr),
++	cmocka_unit_test(torture_ssh_get_hexa),
+     };
+ 
+     ssh_init();
+-- 
+2.43.0
+
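Review bot: `torture_ssh_get_hexa` does not cover the smallest accepted length, `len == 1`, which sits directly next to the zero-length case the fix rejects, nor the upper bound `len > (UINT_MAX - 1) / 3` checked by the same guard. A one-byte case would pin the boundary, for example `hex = ssh_get_hexa((const unsigned char *)"\x7f", 1);` followed by `assert_string_equal(hex, "7f");` and `ssh_string_free_char(hex);`. The expected string is inferred from the `"00:ff"` case, so confirm it. The registration line `cmocka_unit_test(torture_ssh_get_hexa),` is indented with a tab while its neighbours use spaces. Since this file is carried as a verbatim upstream backport, these points are better raised upstream than edited in the carried patch.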
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch
new file mode 100644
index 0000000000..853ab15c5a
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch
@@ -0,0 +1,65 @@ 
+From 3e1d276a5a030938a8f144f46ff4f2a2efe31ced Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 8 Jan 2026 12:10:44 +0100
+Subject: [PATCH] CVE-2026-0966 doc: Update guided tour to use SHA256 fingerprints
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 1b2a4f760bec35121c490f2294f915ebb9c992ae)
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced]
+CVE: CVE-2026-0966
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ doc/guided_tour.dox | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox
+index 60f4087e..331c4b0a 100644
+--- a/doc/guided_tour.dox
++++ b/doc/guided_tour.dox
+@@ -190,7 +190,6 @@ int verify_knownhost(ssh_session session)
+     ssh_key srv_pubkey = NULL;
+     size_t hlen;
+     char buf[10];
+-    char *hexa = NULL;
+     char *p = NULL;
+     int cmp;
+     int rc;
+@@ -201,7 +200,7 @@ int verify_knownhost(ssh_session session)
+     }
+ 
+     rc = ssh_get_publickey_hash(srv_pubkey,
+-                                SSH_PUBLICKEY_HASH_SHA1,
++                                SSH_PUBLICKEY_HASH_SHA256,
+                                 &hash,
+                                 &hlen);
+     ssh_key_free(srv_pubkey);
+@@ -217,7 +216,7 @@ int verify_knownhost(ssh_session session)
+             break;
+         case SSH_KNOWN_HOSTS_CHANGED:
+             fprintf(stderr, "Host key for server changed: it is now:\n");
+-            ssh_print_hexa("Public key hash", hash, hlen);
++            ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+             fprintf(stderr, "For security reasons, connection will be stopped\n");
+             ssh_clean_pubkey_hash(&hash);
+ 
+@@ -238,10 +237,9 @@ int verify_knownhost(ssh_session session)
+             /* FALL THROUGH to SSH_SERVER_NOT_KNOWN behavior */
+ 
+         case SSH_KNOWN_HOSTS_UNKNOWN:
+-            hexa = ssh_get_hexa(hash, hlen);
+             fprintf(stderr,"The server is unknown. Do you trust the host key?\n");
+-            fprintf(stderr, "Public key hash: %s\n", hexa);
+-            ssh_string_free_char(hexa);
++            fprintf(stderr, "Public key hash: ");
++            ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen);
+             ssh_clean_pubkey_hash(&hash);
+             p = fgets(buf, sizeof(buf), stdin);
+             if (p == NULL) {
+-- 
+2.43.0
+
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
index d37fccf26c..30f68f87ce 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -25,6 +25,9 @@  SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
            file://CVE-2026-3731-1.patch \
            file://CVE-2026-3731-2.patch \
            file://CVE-2026-0964.patch \
+           file://CVE-2026-0966-1.patch \
+           file://CVE-2026-0966-2.patch \
+           file://CVE-2026-0966-3.patch \
           "
 SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"