From patchwork Fri Mar 27 09:09:18 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 84643 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2411910BA457 for ; Fri, 27 Mar 2026 09:09:52 +0000 (UTC) Received: from mail-dy1-f178.google.com (mail-dy1-f178.google.com [74.125.82.178]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.67856.1774602588358389770 for ; Fri, 27 Mar 2026 02:09:48 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=TtwBqoMB; spf=pass (domain: mvista.com, ip: 74.125.82.178, mailfrom: vanusuri@mvista.com) Received: by mail-dy1-f178.google.com with SMTP id 5a478bee46e88-2c18771d837so159456eec.0 for ; Fri, 27 Mar 2026 02:09:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1774602587; x=1775207387; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=f4kkGJ36B3ixSn9PPGRDp9UkFT70O5K3aNTbLVP5p1Y=; b=TtwBqoMBugQewFPIRHVPfNQbCHTEx/ppPohO5wne4WnEsSIQdNXdV5IqvqZ0+TFe7N 8AKz5vM0j0NXBKX1QE/5zZLibXkUh8Fhg6pxo0PL8ju3VkV23lnI6uhhJF+tZ5Iy0SXg GrY1cG6t+0PL9a9h1QaBLsK6o//yapFHWhxTY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774602587; x=1775207387; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=f4kkGJ36B3ixSn9PPGRDp9UkFT70O5K3aNTbLVP5p1Y=; b=J/K/vCEcb/pLxy5rhyKvYZnsOk33iXvbnL+rnsOfw+8f2z1Sgxy9yXIbAX6sWbgF6x C7H7dpwEy6mPYAsbI3Q3n06HF1CcwjZ+ctib6Kmut51SeIelj1ei0GzrfJCMkH1s/fYI pzglMEHM+MftoTUwkIDmmlW23DwXsVKsXnSzUi6sOLiUj8aaQq67QRKGWYDyWWi1Zqel tyFhd2dURn4zq3gl1daJnqWFoRQ43iTZIY07QwGDObgnJbWT2/xTh+sPAWN6AoitFil3 UHvehYQt7plUQRmip/9sRXOSIPLaEg3vZugdS0WiNFKbQ+TJgJpgZAGOCTWaDqiyga6u P+jA== X-Gm-Message-State: AOJu0YxVE45vzwg5cR03ynsN24lsO7Zq1G3XgZgFlvkfMIyyYT6JWqXq M8YwWATCe7wzFN3xSTXAw6jBA00kk5vkBfy6koy8BQJ7h+1UgHFZDrGWfuEjmkRa9zvddQuxM1P amkdD0Xo= X-Gm-Gg: ATEYQzylpKb0oBKMF5Z/LKVW++XRfCVO0AE5l8XDWzOjEU5R4g01qOk97OFJXnhV6+X 8GzTxHsorLuk06u1KC+ol13BeXcRQe81EL5BbH1nCqgj/Nq8YFQcCXhvQkOVCt30U9ZFNyDZYbt 1Wi1A5KU/3eIFAAoaqcbWuGgztvk1nq5LATukEk9hXzOfsRb+4lGnxq4ovH5S5emZidQav9P235 /6G0j8q+pknJhEhOnS/oAeh9eUaGhqhoFWiaGn8Yphm/bcgZhtAhK7APBsQmZy4d71O021oUONX 7EBsgtx/i1bx3cwLRTP6NE4J8Ks3N3aPJKLD4Scd/NZSRpvqflWZ4XSOoMJgbh3hRiMF7uJewjL eI1WdLYV5a5tGwlmnKaRc04MG1J70nT1e3//7Tzg86VBUpXWzashg9uScRKamXCKDFKSM/yx3To Qh4zpp8Pb9soLabcw7xszghntFWgbDHkSy80Kh2McwUQ0MPzw= X-Received: by 2002:a05:7301:1010:b0:2ba:9cc4:aebb with SMTP id 5a478bee46e88-2c186eb44c9mr596450eec.10.1774602587117; Fri, 27 Mar 2026 02:09:47 -0700 (PDT) Received: from MVIN00352.mvista.com ([2406:7400:54:2bec:d873:3467:d1cb:22ab]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-2c16ec258c6sm4906284eec.4.2026.03.27.02.09.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 27 Mar 2026 02:09:46 -0700 (PDT) From: Vijay Anusuri To: openembedded-devel@lists.openembedded.org Cc: Vijay Anusuri Subject: [oe][meta-oe][scarthgap][patch 1/3] libssh: Fix CVE-2026-0964 Date: Fri, 27 Mar 2026 14:39:18 +0530 Message-ID: <20260327090921.114180-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 27 Mar 2026 09:09:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/125781 Pick commits according to [1] [1] https://security-tracker.debian.org/tracker/CVE-2026-0964 [2] https://www.libssh.org/security/advisories/CVE-2026-0964.txt Signed-off-by: Vijay Anusuri --- .../libssh/libssh/CVE-2026-0964.patch | 46 +++++++++++++++++++ .../recipes-support/libssh/libssh_0.10.6.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0964.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0964.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0964.patch new file mode 100644 index 0000000000..947c73451f --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0964.patch @@ -0,0 +1,46 @@ +From a5e4b12090b0c939d85af4f29280e40c5b6600aa Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 22 Dec 2025 19:16:44 +0100 +Subject: [PATCH] CVE-2026-0964 scp: Reject invalid paths received through scp + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit daa80818f89347b4d80b0c5b80659f9a9e55e8cc) + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=a5e4b12090b0c939d85af4f29280e40c5b6600aa] +CVE: CVE-2026-0964 +Signed-off-by: Vijay Anusuri +--- + src/scp.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/scp.c b/src/scp.c +index 103822ce..09dc1a1b 100644 +--- a/src/scp.c ++++ b/src/scp.c +@@ -848,6 +848,22 @@ int ssh_scp_pull_request(ssh_scp scp) + size = strtoull(tmp, NULL, 10); + p++; + name = strdup(p); ++ /* Catch invalid name: ++ * - empty ones ++ * - containing any forward slash -- directory traversal handled ++ * differently ++ * - special names "." and ".." referring to the current and parent ++ * directories -- they are not expected either ++ */ ++ if (name == NULL || name[0] == '\0' || strchr(name, '/') || ++ strcmp(name, ".") == 0 || strcmp(name, "..") == 0) { ++ ssh_set_error(scp->session, ++ SSH_FATAL, ++ "Received invalid filename: %s", ++ name == NULL ? "" : name); ++ SAFE_FREE(name); ++ goto error; ++ } + SAFE_FREE(scp->request_name); + scp->request_name = name; + if (buffer[0] == 'C') { +-- +2.43.0 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 614b656216..d37fccf26c 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb @@ -24,6 +24,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-8277-4.patch \ file://CVE-2026-3731-1.patch \ file://CVE-2026-3731-2.patch \ + file://CVE-2026-0964.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" From patchwork Fri Mar 27 09:09:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 84645 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0DCAD10BA458 for ; Fri, 27 Mar 2026 09:10:02 +0000 (UTC) Received: from mail-dy1-f181.google.com (mail-dy1-f181.google.com [74.125.82.181]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.68840.1774602592995117837 for ; Fri, 27 Mar 2026 02:09:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=X6CV+zRo; spf=pass (domain: mvista.com, ip: 74.125.82.181, mailfrom: vanusuri@mvista.com) Received: by mail-dy1-f181.google.com with SMTP id 5a478bee46e88-2c160308a54so908164eec.0 for ; Fri, 27 Mar 2026 02:09:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1774602592; x=1775207392; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=0JOKr7b1gI9nBnhB+zRY5zp2slD9qGzjQSp017rLGAk=; b=X6CV+zRoRmPIxiC07zu+FaNKzj3P1x4GBGe/MKFdqTHqTLDa+ZJ4CsvUdA8CXDrmjP /Zc5oN4IQiL9eH4EUi6CppKOZkuLc+vxtA7z0IwegmtDxV6i6mPAr3nypGNFAJHAEWc+ xrFDaJH1kpOZEIL5OB41A4OWkpMPOJfxEpKc8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774602592; x=1775207392; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=0JOKr7b1gI9nBnhB+zRY5zp2slD9qGzjQSp017rLGAk=; b=RoJrv8NegljgvEUXVv5IYW/yNB5yTxVSNDqd4j+anu+pxR0qxU0YtuBCn/uoHEfL5E E9c06L/YaZoi7t8cAWjz6I86gfupNClrlxe64G5qo0jV9p7WupnTfnLjXi3Mlnn0YoGM qcSb5VlAKl/cFABIoNXYwlvv2yyLgWSyIrFNojfOpfhjEfFqmBQCld1c9bRrrESkvLHn z789pGBOFZ85Vcx6SRzdeBLAf++v1SaxxxUS3sF5Kg0U8UZYul4MXRfw1OOnPMXND+Yf 5GequW/vZrCR61poCYJv6SCHHoMMEGv0XAYK6c+O+S7l/Qudco6h4f6XS4/ZmbYM0jK1 x+Ng== X-Gm-Message-State: AOJu0YwgFnXG3D2PsOwgIMqti5Ptfojo6N8gygT7UyLV0AUHi5iIF0kO q+Sh1g0JOQqu7MJycs6C75ffTRc8W0+yqIBhXEob4WBtycdbOsZ70R0d38HjPMbO5x4ctWcVSCM +5riG X-Gm-Gg: ATEYQzz43fjq030k1jhmmii5dgczn6MnQGmbCqROtzd2QF2xyJdEpZSli7yN+DrmhVa t/YX6RRfxyLb/WdiUBuM9rhjCnnZ7mDklxuym3IJcbAtKK8aS/gsb2WjUgr0FflPpSVs9vUCZ01 OPvWPnusqPDz6TAM5AVrecKm4cb3nVwpjgDIeofxtNpSg+oCOM6xMP1KtBeprg8cy+wEXgyn/Vp RCIDp7k6hTSXNA5yspt00TDqiTnz6AAJuJqHGsnekKbpgaX633h9fGdrWvAxzvkZGCLb+uV5tIq qrSXCsGyQsSpfI4yafO0xRdsdzfpp9ruRcr0wDUVWDOV9MwmNwK/oXADDcHh+zJbAe2XvHPJH+h OVQBK33c9e9bfOkojPyz72VWESs+3nuIwgxhUYe6CfZLvpzyOF/Dy/VqOY3HK9JGo7/Vz2ivmyF zE/xGD63NoRwCN7vou0m3R3AXPq78sOzaa1Jx0HX0jm9wx20M= X-Received: by 2002:a05:7301:1006:b0:2be:a041:5d75 with SMTP id 5a478bee46e88-2c185e94a09mr817160eec.33.1774602591780; Fri, 27 Mar 2026 02:09:51 -0700 (PDT) Received: from MVIN00352.mvista.com ([2406:7400:54:2bec:d873:3467:d1cb:22ab]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-2c16ec258c6sm4906284eec.4.2026.03.27.02.09.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 27 Mar 2026 02:09:51 -0700 (PDT) From: Vijay Anusuri To: openembedded-devel@lists.openembedded.org Cc: Vijay Anusuri Subject: [oe][meta-oe][scarthgap][patch 2/3] libssh: Fix CVE-2026-0966 Date: Fri, 27 Mar 2026 14:39:19 +0530 Message-ID: <20260327090921.114180-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260327090921.114180-1-vanusuri@mvista.com> References: <20260327090921.114180-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 27 Mar 2026 09:10:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/125782 Pick commits according to [1] [1] https://security-tracker.debian.org/tracker/CVE-2026-0966 [2] https://www.libssh.org/security/advisories/CVE-2026-0966.txt Signed-off-by: Vijay Anusuri --- .../libssh/libssh/CVE-2026-0966-1.patch | 35 +++++++++ .../libssh/libssh/CVE-2026-0966-2.patch | 71 +++++++++++++++++++ .../libssh/libssh/CVE-2026-0966-3.patch | 65 +++++++++++++++++ .../recipes-support/libssh/libssh_0.10.6.bb | 3 + 4 files changed, 174 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch new file mode 100644 index 0000000000..346e3e36ce --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-1.patch @@ -0,0 +1,35 @@ +From 6ba5ff1b7b1547a59f750fbc06b89737b7456117 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 8 Jan 2026 12:09:50 +0100 +Subject: [PATCH] CVE-2026-0966 misc: Avoid heap buffer underflow in ssh_get_hexa +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jakub Jelen +Reviewed-by: Pavol Žáčik +(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401) + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117] +CVE: CVE-2026-0966 +Signed-off-by: Vijay Anusuri +--- + src/misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/misc.c b/src/misc.c +index f371f332..565abcfc 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -451,7 +451,7 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) + size_t i; + size_t hlen = len * 3; + +- if (len > (UINT_MAX - 1) / 3) { ++ if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) { + return NULL; + } + +-- +2.43.0 + diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch new file mode 100644 index 0000000000..efe90942d2 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-2.patch @@ -0,0 +1,71 @@ +From b156391833c66322436cf177d57e10b0325fbcc8 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 8 Jan 2026 12:10:16 +0100 +Subject: [PATCH] CVE-2026-0966 tests: Test coverage for ssh_get_hexa +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jakub Jelen +Reviewed-by: Pavol Žáčik +(cherry picked from commit 9be83584a56580da5a2f41e47137056dc0249b52) + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=b156391833c66322436cf177d57e10b0325fbcc8] +CVE: CVE-2026-0966 +Signed-off-by: Vijay Anusuri +--- + tests/unittests/torture_misc.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c +index 77166759..82d6cf16 100644 +--- a/tests/unittests/torture_misc.c ++++ b/tests/unittests/torture_misc.c +@@ -877,6 +877,36 @@ static void torture_ssh_is_ipaddr(void **state) { + assert_int_equal(rc, 0); + } + ++static void torture_ssh_get_hexa(void **state) ++{ ++ const unsigned char *bin = NULL; ++ char *hex = NULL; ++ ++ (void)state; ++ ++ /* Null pointer should not crash */ ++ bin = NULL; ++ hex = ssh_get_hexa(bin, 0); ++ assert_null(hex); ++ ++ /* Null pointer should not crash regardless the length */ ++ bin = NULL; ++ hex = ssh_get_hexa(bin, 99); ++ assert_null(hex); ++ ++ /* Zero length input is not much useful. Just expect NULL too */ ++ bin = (const unsigned char *)""; ++ hex = ssh_get_hexa(bin, 0); ++ assert_null(hex); ++ ++ /* Valid inputs */ ++ bin = (const unsigned char *)"\x00\xFF"; ++ hex = ssh_get_hexa(bin, 2); ++ assert_non_null(hex); ++ assert_string_equal(hex, "00:ff"); ++ ssh_string_free_char(hex); ++} ++ + int torture_run_tests(void) { + int rc; + struct CMUnitTest tests[] = { +@@ -903,6 +933,7 @@ int torture_run_tests(void) { + cmocka_unit_test(torture_ssh_strerror), + cmocka_unit_test(torture_ssh_check_hostname_syntax), + cmocka_unit_test(torture_ssh_is_ipaddr), ++ cmocka_unit_test(torture_ssh_get_hexa), + }; + + ssh_init(); +-- +2.43.0 + diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch new file mode 100644 index 0000000000..853ab15c5a --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0966-3.patch @@ -0,0 +1,65 @@ +From 3e1d276a5a030938a8f144f46ff4f2a2efe31ced Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 8 Jan 2026 12:10:44 +0100 +Subject: [PATCH] CVE-2026-0966 doc: Update guided tour to use SHA256 fingerprints +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jakub Jelen +Reviewed-by: Pavol Žáčik +(cherry picked from commit 1b2a4f760bec35121c490f2294f915ebb9c992ae) + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced] +CVE: CVE-2026-0966 +Signed-off-by: Vijay Anusuri +--- + doc/guided_tour.dox | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox +index 60f4087e..331c4b0a 100644 +--- a/doc/guided_tour.dox ++++ b/doc/guided_tour.dox +@@ -190,7 +190,6 @@ int verify_knownhost(ssh_session session) + ssh_key srv_pubkey = NULL; + size_t hlen; + char buf[10]; +- char *hexa = NULL; + char *p = NULL; + int cmp; + int rc; +@@ -201,7 +200,7 @@ int verify_knownhost(ssh_session session) + } + + rc = ssh_get_publickey_hash(srv_pubkey, +- SSH_PUBLICKEY_HASH_SHA1, ++ SSH_PUBLICKEY_HASH_SHA256, + &hash, + &hlen); + ssh_key_free(srv_pubkey); +@@ -217,7 +216,7 @@ int verify_knownhost(ssh_session session) + break; + case SSH_KNOWN_HOSTS_CHANGED: + fprintf(stderr, "Host key for server changed: it is now:\n"); +- ssh_print_hexa("Public key hash", hash, hlen); ++ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen); + fprintf(stderr, "For security reasons, connection will be stopped\n"); + ssh_clean_pubkey_hash(&hash); + +@@ -238,10 +237,9 @@ int verify_knownhost(ssh_session session) + /* FALL THROUGH to SSH_SERVER_NOT_KNOWN behavior */ + + case SSH_KNOWN_HOSTS_UNKNOWN: +- hexa = ssh_get_hexa(hash, hlen); + fprintf(stderr,"The server is unknown. Do you trust the host key?\n"); +- fprintf(stderr, "Public key hash: %s\n", hexa); +- ssh_string_free_char(hexa); ++ fprintf(stderr, "Public key hash: "); ++ ssh_print_hash(SSH_PUBLICKEY_HASH_SHA256, hash, hlen); + ssh_clean_pubkey_hash(&hash); + p = fgets(buf, sizeof(buf), stdin); + if (p == NULL) { +-- +2.43.0 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index d37fccf26c..30f68f87ce 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb @@ -25,6 +25,9 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2026-3731-1.patch \ file://CVE-2026-3731-2.patch \ file://CVE-2026-0964.patch \ + file://CVE-2026-0966-1.patch \ + file://CVE-2026-0966-2.patch \ + file://CVE-2026-0966-3.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" From patchwork Fri Mar 27 09:09:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 84644 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32F5210BA45A for ; Fri, 27 Mar 2026 09:10:02 +0000 (UTC) Received: from mail-dy1-f178.google.com (mail-dy1-f178.google.com [74.125.82.178]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.67858.1774602598332213975 for ; Fri, 27 Mar 2026 02:09:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=XUys/3pp; spf=pass (domain: mvista.com, ip: 74.125.82.178, mailfrom: vanusuri@mvista.com) Received: by mail-dy1-f178.google.com with SMTP id 5a478bee46e88-2c15849aa2cso2102803eec.0 for ; Fri, 27 Mar 2026 02:09:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1774602597; x=1775207397; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Fvr8JWt6skGvZV6xDClojNRvJOfpy99sDCP+rUrL3Fo=; b=XUys/3pplJpIhOP/LRQJ9ScBEc+zuSWir/c/IZs4pGDUz66YBxMYKr6ybE1sdY9B/9 /nujxshRC6vBx1hLO6fP5453TQ9Y1E7689tYXa0Ysu9FklmZb8ZpNSEOXSue/dtN1h9S U0mjQhVu8YLNDSWWozAO49Bn/vFg92IeGGpvA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774602597; x=1775207397; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Fvr8JWt6skGvZV6xDClojNRvJOfpy99sDCP+rUrL3Fo=; b=RcZmyX+dcwJvNt7SJFkEDUHcu4h1tHey58Q2LMjAbSlXWGDNTnicmnl1BYwFqpTfXB 6dXpMIgkIpzDThB5Wq0iefOjB4dxWE3Tr/2aJ/JVas3zMWJ36NztV+yVJLtr2zt6lKQx DT8kwlc/2dG0wzmkCt0t4JB9C9sz0UOLc66wV5iJ7/mH9OKmyjTCLFP4cZRx4P1sr2bD 91OAT7gXvzwex4ky5i2PuR81od2PZQRDCzWdSti3K8NnWRyzqEP5pBO+tjFznS9YVif+ EfYQT8OcGlPYJ0X6g20Wfy4UiJL6d/fCAoMS6DWJn96fRWXSeVapvKoIezvye2qZmri4 z1gw== X-Gm-Message-State: AOJu0Yy9RZGc49SxxY3DHOsezFv4jPiO7d8y5So4s06t+x5WYu26bQQn RQ2ReS3JvWAXruaoX1NmX8RRf5Ug9ccoy9D7n2DFvyqPIui3WReHFViCiWcNZHgT4RDE5VXaUjy L252w X-Gm-Gg: ATEYQzwKR8vaAbHwvdMvKTGfI9i6ijCN5p595t4FndNXgvipJBLMyJaBlx4NKFnDyzd UClZyFam8OlxTOttodBlTDIyhKwv5+FTYXdoSq1zs+epuqtBoaoc/e/xFjh5qrQ0vHp5SC7SPPO 98V9NvoF/vSTinbWeO3DKHEq1zkfnpBmWZ1LQyBUDWz4VmW47FmJRUaG36lYOhUHzZKMKAL+5fN 8NROyVB/6XP2mRJiQkn/pzw/WBGiBXPf2v/z6+vjBb+CAB00lDjtn9eGrazzCBHhmgzepoED8Zy /KpG78xNxuejobAFDA3w9lN6rfWxekRiuRwhAgiwWAsFyHGhZbaiYfi05I3yWDnByVx7bXtsIxC 4PdU7zPyFCe4iZHSZrZix/NMKhTN6h4Nsfbqv/5uP+/7wMyQeeDRmd/XLB6VnM+euT90a32tHfL A1RYdBKapVWY4jZPXUFvLAA+cdeBLKEjJElCUA X-Received: by 2002:a05:7301:6706:b0:2be:2f62:8bb6 with SMTP id 5a478bee46e88-2c185e813c2mr785937eec.30.1774602597181; Fri, 27 Mar 2026 02:09:57 -0700 (PDT) Received: from MVIN00352.mvista.com ([2406:7400:54:2bec:d873:3467:d1cb:22ab]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-2c16ec258c6sm4906284eec.4.2026.03.27.02.09.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 27 Mar 2026 02:09:56 -0700 (PDT) From: Vijay Anusuri To: openembedded-devel@lists.openembedded.org Cc: Vijay Anusuri Subject: [oe][meta-oe][scarthgap][patch 3/3] giflib: Fix CVE-2026-23868 Date: Fri, 27 Mar 2026 14:39:20 +0530 Message-ID: <20260327090921.114180-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260327090921.114180-1-vanusuri@mvista.com> References: <20260327090921.114180-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 27 Mar 2026 09:10:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/125783 Pick patch according to [1] [1] https://www.facebook.com/security/advisories/cve-2026-23868 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-23868 Signed-off-by: Vijay Anusuri --- .../giflib/giflib/CVE-2026-23868.patch | 34 +++++++++++++++++++ .../recipes-devtools/giflib/giflib_5.2.2.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta-oe/recipes-devtools/giflib/giflib/CVE-2026-23868.patch diff --git a/meta-oe/recipes-devtools/giflib/giflib/CVE-2026-23868.patch b/meta-oe/recipes-devtools/giflib/giflib/CVE-2026-23868.patch new file mode 100644 index 0000000000..4243344d9e --- /dev/null +++ b/meta-oe/recipes-devtools/giflib/giflib/CVE-2026-23868.patch @@ -0,0 +1,34 @@ +From f5b7267aed3665ef025c13823e454170d031c106 Mon Sep 17 00:00:00 2001 +From: Eric S. Raymond +Date: Wed Mar 4 18:49:49 2026 -0500 +Subject: [PATCH] Avoid potentuial double-free on weird images. + +Upstream-Status: Backport [https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106] +CVE: CVE-2026-23868 +Signed-off-by: Vijay Anusuri +--- + gifalloc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/gifalloc.c b/gifalloc.c +index 47c6539..cfb6e33 100644 +--- a/gifalloc.c ++++ b/gifalloc.c +@@ -349,6 +349,14 @@ SavedImage *GifMakeSavedImage(GifFileType *GifFile, + * aliasing problems. + */ + ++ /* Null out aliased pointers before any allocations ++ * so that FreeLastSavedImage won't free CopyFrom's ++ * data if an allocation fails partway through. */ ++ sp->ImageDesc.ColorMap = NULL; ++ sp->RasterBits = NULL; ++ sp->ExtensionBlocks = NULL; ++ sp->ExtensionBlockCount = 0; ++ + /* first, the local color map */ + if (CopyFrom->ImageDesc.ColorMap != NULL) { + sp->ImageDesc.ColorMap = GifMakeMapObject( +-- +2.25.1 + diff --git a/meta-oe/recipes-devtools/giflib/giflib_5.2.2.bb b/meta-oe/recipes-devtools/giflib/giflib_5.2.2.bb index aa47f93095..8226e9b6c7 100644 --- a/meta-oe/recipes-devtools/giflib/giflib_5.2.2.bb +++ b/meta-oe/recipes-devtools/giflib/giflib_5.2.2.bb @@ -10,6 +10,7 @@ DEPENDS = "xmlto-native" SRC_URI = "${SOURCEFORGE_MIRROR}/giflib/${BP}.tar.gz \ https://sourceforge.net/p/giflib/code/ci/d54b45b0240d455bbaedee4be5203d2703e59967/tree/doc/giflib-logo.gif?format=raw;subdir=${BP}/doc;name=logo;downloadfilename=giflib-logo.gif \ file://0001-Makefile-fix-typo-in-soname-argument.patch \ + file://CVE-2026-23868.patch \ " SRC_URI[logo.sha256sum] = "1a54383986adad1521d00e003b4c482c27e8bc60690be944a1f3319c75abc2c9"