From patchwork Tue Apr 28 05:01:04 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 87036
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Khem Raj, Ankur Tyagi
Subject: [oe][meta-networking][scarthgap][PATCH 1/5] corosync: patch CVE-2026-35091
Date: Tue, 28 Apr 2026 17:01:04 +1200
Message-ID: <20260428050109.2099228-1-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126641

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091

Pick the patch that mentions the CVE ID explicitly (it was identified by Debian also as the fix[1])

[1]: https://security-tracker.debian.org/tracker/CVE-2026-35091

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 701b22fda35648efc333d6e6e7abd8e70aa49870)
Signed-off-by: Ankur Tyagi
---
 .../corosync/corosync/CVE-2026-35091.patch | 47 +++++++++++++++++++
 .../corosync/corosync_3.1.10.bb | 1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch

diff --git a/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch new file mode 100644 index 0000000000..8afa5d6841 --- /dev/null +++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch
@@ -0,0 +1,47 @@ +From b9cb461121c8721c94a94309eb345a3c2f9ee9b4 Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Thu, 2 Apr 2026 09:00:39 +0200 +Subject: [PATCH] totemsrp: Return error if sanity check fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Previously, the check_memb_commit_token_sanity function correctly +checked the minimum message length. However, if the message was too +short, it incorrectly returned a success code (0) instead of the +expected failure code (-1). + +This commit ensures the appropriate error code is returned when the +message length sanity check fails. + +Fixes: CVE-2026-35091 + +Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) +Signed-off-by: Jan Friesse +Also-proposed-by: nicholasyang +Reviewed-by: Christine Caulfield + +CVE: CVE-2026-35091 +Upstream-Status: Backport [https://github.com/corosync/corosync/commit/a16614accfdb3481264d7281843fadf439d9ab1b] +Signed-off-by: Gyorgy Sarvari +--- + exec/totemsrp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 35bf971..94d6c21 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity( + log_printf (instance->totemsrp_log_level_security, + "Received memb_commit_token message is too short... ignoring."); + +- return (0); ++ return (-1); + } + +- addr_entries= mct_msg->addr_entries; ++ addr_entries = mct_msg->addr_entries; + if (endian_conversion_needed) { + addr_entries = swab32(addr_entries); + } diff --git a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb index 0cb475a4d4..0e7f48272f 100644 --- a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb +++ b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb 
@@ -9,6 +9,7 @@ inherit autotools pkgconfig systemd github-releases SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ file://corosync.conf \ + file://CVE-2026-35091.patch \ " SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)"
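Review bot: No caller of check_memb_commit_token_sanity is visible in the exec/totemsrp.c hunk of CVE-2026-35091.patch (PATCH 1/5), so the switch from `return (0);` to `return (-1);` in the too-short branch only helps if every call site in the unpacked 3.1.10 source drops the message on a non-zero return. Please confirm that against the work directory before merging and say so in the commit message. The `addr_entries=` spacing change in the same hunk is cosmetic and matches upstream, so keeping it is right for a verbatim backport.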
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari, Khem Raj, Ankur Tyagi
Subject: [oe][meta-networking][scarthgap][PATCH 2/5] corosync: patch CVE-2026-35092
Date: Tue, 28 Apr 2026 17:01:05 +1200
Message-ID: <20260428050109.2099228-2-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260428050109.2099228-1-ankur.tyagi85@gmail.com>
References: <20260428050109.2099228-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126642

From: Gyorgy Sarvari

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092

Pick the patch that mentions the CVE ID explicitly (the same commit was identified by Debian also[1])

[1]: https://security-tracker.debian.org/tracker/CVE-2026-35092

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit af73e716bc7150ae8d912d8af00f6995e25f2031)
Signed-off-by: Ankur Tyagi
---
 .../corosync/corosync/CVE-2026-35092.patch | 57 +++++++++++++++++++
 .../corosync/corosync_3.1.10.bb | 1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch

diff --git a/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch new file mode 100644 index 0000000000..8182647840 --- /dev/null +++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch
@@ -0,0 +1,57 @@ +From 8f8a4747a0223b8897deda9a40a8a099c61fa80f Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Thu, 2 Apr 2026 09:44:06 +0200 +Subject: [PATCH] totemsrp: Fix integer overflow in memb_join_sanity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit addresses an integer overflow (wraparound) vulnerability +in the check_memb_join_sanity function. + +Previously, the 32-bit unsigned network values proc_list_entries and +failed_list_entries were added together before being promoted to +size_t. This allowed the addition to wrap around in 32-bit arithmetic +(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len +calculation that was incorrectly small. + +The solution is to cast the list entries to size_t and verify that +neither exceeds the maximum allowed value before the addition occurs. + +Fixes: CVE-2026-35092 + +Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) +Signed-off-by: Jan Friesse +Also-proposed-by: nicholasyang +Reviewed-by: Christine Caulfield + +CVE: CVE-2026-35092 +Upstream-Status: Backport [https://github.com/corosync/corosync/commit/4082294f5094a7591e4e00658c5a605f05d644f1] +Signed-off-by: Gyorgy Sarvari +--- + exec/totemsrp.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 94d6c21..6845cec 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity( + failed_list_entries = swab32(failed_list_entries); + } + +- required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr)); ++ if (proc_list_entries > PROCESSOR_COUNT_MAX || ++ failed_list_entries > PROCESSOR_COUNT_MAX) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received memb_join message list_entries exceeds the maximum " ++ "allowed value... 
ignoring."); ++ ++ return (-1); ++ } ++ ++ required_len = sizeof(struct memb_join) + ++ (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr)); + if (msg_len < required_len) { + log_printf (instance->totemsrp_log_level_security, + "Received memb_join message is too short... ignoring."); diff --git a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb index 0e7f48272f..722dbcbbbc 100644 --- a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb +++ b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb 
@@ -10,6 +10,7 @@ inherit autotools pkgconfig systemd github-releases SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ file://corosync.conf \ file://CVE-2026-35091.patch \ + file://CVE-2026-35092.patch \ " SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)"
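Review bot: In the check_memb_join_sanity hunk of CVE-2026-35092.patch (PATCH 2/5), the `(size_t)` casts alone do not stop the sum from wrapping on targets where size_t is 32 bits, so on those builds the `> PROCESSOR_COUNT_MAX` check is the guard that actually matters, and its definition is not part of this hunk. Please confirm the macro is in scope in exec/totemsrp.c for 3.1.10 and that sizeof(struct memb_join) plus twice PROCESSOR_COUNT_MAX times sizeof(struct srp_addr) fits in 32 bits. The new security log line would also be easier to triage if it printed both counts rather than only "list_entries exceeds the maximum allowed value".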
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 3/5] libssh: patch CVE-2026-0968
Date: Tue, 28 Apr 2026 17:01:06 +1200
Message-ID: <20260428050109.2099228-3-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260428050109.2099228-1-ankur.tyagi85@gmail.com>
References: <20260428050109.2099228-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126643

From: Ankur Tyagi

Backport patches [1] and [2] as mentioned in [3]

[1] https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9
[2] https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03
[3] https://security-tracker.debian.org/tracker/CVE-2026-0968

Certain functions from sftp.c were moved to a new file sftp_common.c in version 0.11.0 by following commit:
https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a

This is the backport of the changes using the original file sftp.c

Signed-off-by: Ankur Tyagi
---
 .../libssh/libssh/CVE-2026-0968-1.patch | 64 +++++++++
 .../libssh/libssh/CVE-2026-0968-2.patch | 136 ++++++++++++++++++
 .../recipes-support/libssh/libssh_0.10.6.bb | 2 +
 3 files changed, 202 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch new file mode 100644 index 0000000000..5ed1a4e940 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-1.patch
@@ -0,0 +1,64 @@ +From 9fd388141c973ba6fb7d45966c25d1fad9e1d419 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 22 Dec 2025 20:59:11 +0100 +Subject: [PATCH] CVE-2026-0968: sftp: Sanitize input handling in + sftp_parse_longname() + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2026-0968 +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9] + +Certain functions from sftp.c were moved to a new file sftp_common.c +in version 0.11.0 by following commit: +https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a + +This is the backport of the changes which fixes the CVE in the original file +sftp.c + +Signed-off-by: Ankur Tyagi +--- + src/sftp.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/src/sftp.c b/src/sftp.c +index 4a77141b..2194a9ef 100644 +--- a/src/sftp.c ++++ b/src/sftp.c +@@ -1289,13 +1289,18 @@ static char *sftp_parse_longname(const char *longname, + const char *p, *q; + size_t len, field = 0; + ++ if (longname == NULL || longname_field < SFTP_LONGNAME_PERM || ++ longname_field > SFTP_LONGNAME_NAME) { ++ return NULL; ++ } ++ + p = longname; + /* Find the beginning of the field which is specified by sftp_longname_field_e. */ +- while(field != longname_field) { ++ while (*p != '\0' && field != longname_field) { + if(isspace(*p)) { + field++; + p++; +- while(*p && isspace(*p)) { ++ while (*p != '\0' && isspace(*p)) { + p++; + } + } else { +@@ -1303,8 +1308,13 @@ static char *sftp_parse_longname(const char *longname, + } + } + ++ /* If we reached NULL before we got our field fail */ ++ if (field != longname_field) { ++ return NULL; ++ } ++ + q = p; +- while (! isspace(*q)) { ++ while (*q != '\0' && !isspace(*q)) { + q++; + } + 
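Review bot: In the first src/sftp.c hunk of CVE-2026-0968-1.patch (@@ -1289), `isspace(*p)` is still called on a plain `char` read from the longname input; a byte above 0x7f is negative where char is signed, which is undefined behaviour for the <ctype.h> functions. Suggest `isspace((unsigned char)*p)` in both loops here and for `*q` in the second hunk, raised upstream as a follow-up so the backport stays identical to the referenced commit.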
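Review bot: The new `if (field != longname_field)` check in the second src/sftp.c hunk (@@ -1303) only fails when the string ends before enough separators were counted; a longname that ends in whitespace right after the previous field leaves `field == longname_field` with `p` on the terminator, so the function falls through with a zero-length field, which, judging by the "" result the new unit test expects for an empty longname, comes back as an empty string rather than NULL. If callers are meant to tell "field missing" from "field empty", also reject `*p == '\0'` when `longname_field` is past the first field, or document the empty-string result. Minor: the added comment says "reached NULL" where it means the NUL terminator.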
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch new file mode 100644 index 0000000000..42642ee1ed --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0968-2.patch 
@@ -0,0 +1,136 @@ +From 04cd54c7302195055d208e0ca00d6e519d674bb2 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 22 Dec 2025 21:00:03 +0100 +Subject: [PATCH] CVE-2026-0968 tests: Reproducer for invalid longname data + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit 90a5d8f47399e8db61b56793cd21476ff6a528e0) +(cherry picked from commit 212121971fb26e1e00b72bd5402c0454a4d84c03) + +CVE: CVE-2026-0968 +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03] + +Certain functions from sftp.c were moved to a new file sftp_common.c +in version 0.11.0 by following commit: +https://git.libssh.org/projects/libssh.git/commit/src/sftp_common.c?id=c3e03ab4651e4f3382e3a51c0273ade894f0c48a + +Updated unit test to include sftp.c during the backport. + +Signed-off-by: Ankur Tyagi +--- + tests/unittests/CMakeLists.txt | 7 +++ + tests/unittests/torture_unit_sftp.c | 86 +++++++++++++++++++++++++++++ + 2 files changed, 93 insertions(+) + create mode 100644 tests/unittests/torture_unit_sftp.c + +diff --git a/tests/unittests/CMakeLists.txt b/tests/unittests/CMakeLists.txt +index f85da72b..41f25830 100644 +--- a/tests/unittests/CMakeLists.txt ++++ b/tests/unittests/CMakeLists.txt +@@ -101,6 +101,13 @@ if (UNIX AND NOT WIN32) + endif (WITH_SERVER) + endif (UNIX AND NOT WIN32) + ++if (WITH_SFTP) ++ set(LIBSSH_UNIT_TESTS ++ ${LIBSSH_UNIT_TESTS} ++ torture_unit_sftp ++ ) ++endif (WITH_SFTP) ++ + foreach(_UNIT_TEST ${LIBSSH_UNIT_TESTS}) + add_cmocka_test(${_UNIT_TEST} + SOURCES ${_UNIT_TEST}.c +diff --git a/tests/unittests/torture_unit_sftp.c b/tests/unittests/torture_unit_sftp.c +new file mode 100644 +index 00000000..8cdaba8e +--- /dev/null ++++ b/tests/unittests/torture_unit_sftp.c +@@ -0,0 +1,86 @@ ++#include "config.h" ++ ++#include "sftp.c" ++#include "torture.h" ++ ++#define LIBSSH_STATIC ++ ++static void test_sftp_parse_longname(void **state) ++{ ++ const char *lname = NULL; 
++ char *value = NULL; ++ ++ /* state not used */ ++ (void)state; ++ ++ /* Valid example from SFTP draft, page 18: ++ * https://datatracker.ietf.org/doc/draft-spaghetti-sshm-filexfer/ ++ */ ++ lname = "-rwxr-xr-x 1 mjos staff 348911 Mar 25 14:29 t-filexfer"; ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); ++ assert_string_equal(value, "-rwxr-xr-x"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_OWNER); ++ assert_string_equal(value, "mjos"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_GROUP); ++ assert_string_equal(value, "staff"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_SIZE); ++ assert_string_equal(value, "348911"); ++ free(value); ++ /* This function is broken further as the date contains space which breaks ++ * the parsing altogether */ ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_DATE); ++ assert_string_equal(value, "Mar"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_TIME); ++ assert_string_equal(value, "25"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); ++ assert_string_equal(value, "14:29"); ++ free(value); ++} ++ ++static void test_sftp_parse_longname_invalid(void **state) ++{ ++ const char *lname = NULL; ++ char *value = NULL; ++ ++ /* state not used */ ++ (void)state; ++ ++ /* Invalid inputs should not crash ++ */ ++ lname = NULL; ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); ++ assert_null(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); ++ assert_null(value); ++ ++ lname = ""; ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); ++ assert_string_equal(value, ""); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); ++ assert_null(value); ++ ++ lname = "-rwxr-xr-x 1"; ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); ++ assert_string_equal(value, "-rwxr-xr-x"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); ++ 
assert_null(value); ++} ++ ++int torture_run_tests(void) ++{ ++ int rc; ++ const struct CMUnitTest tests[] = { ++ cmocka_unit_test(test_sftp_parse_longname), ++ cmocka_unit_test(test_sftp_parse_longname_invalid), ++ }; ++ ++ rc = cmocka_run_group_tests(tests, NULL, NULL); ++ return rc; ++} diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 30f68f87ce..e0ade7f67c 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb 
@@ -28,6 +28,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2026-0966-1.patch \ file://CVE-2026-0966-2.patch \ file://CVE-2026-0966-3.patch \ + file://CVE-2026-0968-1.patch \ + file://CVE-2026-0968-2.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
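Review bot: In the new tests/unittests/torture_unit_sftp.c from CVE-2026-0968-2.patch (PATCH 3/5), `#define LIBSSH_STATIC` sits after `#include "sftp.c"` and `#include "torture.h"`, so it cannot influence anything those files declare and is dead as written; move it above the includes or drop it. Since the test compiles sftp.c directly into the test binary to reach the static sftp_parse_longname, it is also worth stating in the patch description whether this unit test is actually built and run for the scarthgap recipe, because nothing in the libssh_0.10.6.bb hunk enables it.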
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 4/5] libssh: patch CVE-2026-0967
Date: Tue, 28 Apr 2026 17:01:07 +1200
Message-ID: <20260428050109.2099228-4-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260428050109.2099228-1-ankur.tyagi85@gmail.com>
References: <20260428050109.2099228-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126644

From: Ankur Tyagi

Backport patch [1] as mentioned in [2]

[1] https://git.libssh.org/projects/libssh.git/commit/?id=6d74aa6138895b3662bade9bd578338b0c4f8a15
[2] https://security-tracker.debian.org/tracker/CVE-2026-0967

Signed-off-by: Ankur Tyagi
---
 .../libssh/libssh/CVE-2026-0967.patch | 360 ++++++++++++++++++
 .../recipes-support/libssh/libssh_0.10.6.bb | 1 +
 2 files changed, 361 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0967.patch

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0967.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0967.patch new file mode 100644 index 0000000000..c34bced2a8 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0967.patch
@@ -0,0 +1,360 @@ +From bd18dd3a2e1fc1f76a65fbdcc4d88b8d77ff7cab Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 17 Dec 2025 18:48:34 +0100 +Subject: [PATCH] CVE-2026-0967 match: Avoid recursive matching (ReDoS) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The specially crafted patterns (from configuration files) could cause +exhaustive search or timeouts. + +Previous attempts to fix this by limiting recursion to depth 16 avoided +stack overflow, but not timeouts. This is due to the backtracking, +which caused the exponential time complexity O(N^16) of existing algorithm. + +This is code comes from the same function from OpenSSH, where this code +originates from, which is not having this issue (due to not limiting the number +of recursion), but will also easily exhaust stack due to unbound recursion: + +https://github.com/openssh/openssh-portable/commit/05bcd0cadf160fd4826a2284afa7cba6ec432633 + +This is an attempt to simplify the algorithm by preventing the backtracking +to previous wildcard, which should keep the same behavior for existing inputs +while reducing the complexity to linear O(N*M). + +This fixes the long-term issue we had with fuzzing as well as recently reported +security issue by Kang Yang. 
+ +Signed-off-by: Jakub Jelen +Reviewed-by: Pavol Žáčik +(cherry picked from commit a411de5ce806e3ea24d088774b2f7584d6590b5f) +(cherry picked from commit 6d74aa6138895b3662bade9bd578338b0c4f8a15) + +CVE: CVE-2026-0967 +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=6d74aa6138895b3662bade9bd578338b0c4f8a15] + +Signed-off-by: Ankur Tyagi +--- + src/match.c | 111 +++++++++++++---------------- + tests/unittests/torture_config.c | 116 +++++++++++++++++++++++-------- + 2 files changed, 135 insertions(+), 92 deletions(-) + +diff --git a/src/match.c b/src/match.c +index 3e58f733..896d87cb 100644 +--- a/src/match.c ++++ b/src/match.c +@@ -43,85 +43,70 @@ + + #include "libssh/priv.h" + +-#define MAX_MATCH_RECURSION 16 +- +-/* +- * Returns true if the given string matches the pattern (which may contain ? +- * and * as wildcards), and zero if it does not match. ++/** ++ * @brief Compare a string with a pattern containing wildcards `*` and `?` ++ * ++ * This function is an iterative replacement for the previously recursive ++ * implementation to avoid exponential complexity (DoS) with specific patterns. ++ * ++ * @param[in] s The string to match. ++ * @param[in] pattern The pattern to match against. ++ * ++ * @return 1 if the pattern matches, 0 otherwise. + */ +-static int match_pattern(const char *s, const char *pattern, size_t limit) ++static int match_pattern(const char *s, const char *pattern) + { +- bool had_asterisk = false; ++ const char *s_star = NULL; /* Position in s when last `*` was met */ ++ const char *p_star = NULL; /* Position in pattern after last `*` */ + +- if (s == NULL || pattern == NULL || limit <= 0) { ++ if (s == NULL || pattern == NULL) { + return 0; + } + +- for (;;) { +- /* If at end of pattern, accept if also at end of string. 
*/ +- if (*pattern == '\0') { +- return (*s == '\0'); +- } +- +- /* Skip all the asterisks and adjacent question marks */ +- while (*pattern == '*' || (had_asterisk && *pattern == '?')) { +- if (*pattern == '*') { +- had_asterisk = true; +- } ++ while (*s) { ++ /* Case 1: Exact match or '?' wildcard */ ++ if (*pattern == *s || *pattern == '?') { ++ s++; + pattern++; ++ continue; + } + +- if (had_asterisk) { +- /* If at end of pattern, accept immediately. */ +- if (!*pattern) +- return 1; +- +- /* If next character in pattern is known, optimize. */ +- if (*pattern != '?') { +- /* +- * Look instances of the next character in +- * pattern, and try to match starting from +- * those. +- */ +- for (; *s; s++) +- if (*s == *pattern && match_pattern(s + 1, pattern + 1, limit - 1)) { +- return 1; +- } +- /* Failed. */ +- return 0; +- } +- /* +- * Move ahead one character at a time and try to +- * match at each position. ++ /* Case 2: '*' wildcard */ ++ if (*pattern == '*') { ++ /* Record the position of the star and the current string position. ++ * We optimistically assume * matches 0 characters first. + */ +- for (; *s; s++) { +- if (match_pattern(s, pattern, limit - 1)) { +- return 1; +- } +- } +- /* Failed. */ +- return 0; +- } +- /* +- * There must be at least one more character in the string. +- * If we are at the end, fail. +- */ +- if (!*s) { +- return 0; ++ p_star = ++pattern; ++ s_star = s; ++ continue; + } + +- /* Check if the next character of the string is acceptable. */ +- if (*pattern != '?' && *pattern != *s) { +- return 0; ++ /* Case 3: Mismatch */ ++ if (p_star) { ++ /* If we have seen a star previously, backtrack. ++ * We restore the pattern to just after the star, ++ * but advance the string position (consume one more char for the ++ * star). ++ * No need to backtrack to previous stars as any match of the last ++ * star could be eaten the same way by the previous star. 
++ */ ++ pattern = p_star; ++ s = ++s_star; ++ continue; + } + +- /* Move to the next character, both in string and in pattern. */ +- s++; ++ /* Case 4: Mismatch and no star to backtrack to */ ++ return 0; ++ } ++ ++ /* Handle trailing stars in the pattern ++ * (e.g., pattern "abc*" matching "abc") */ ++ while (*pattern == '*') { + pattern++; + } + +- /* NOTREACHED */ +- return 0; ++ /* If we reached the end of the pattern, it's a match */ ++ return (*pattern == '\0'); + } + + /* +@@ -172,7 +157,7 @@ int match_pattern_list(const char *string, const char *pattern, + sub[subi] = '\0'; + + /* Try to match the subpattern against the string. */ +- if (match_pattern(string, sub, MAX_MATCH_RECURSION)) { ++ if (match_pattern(string, sub)) { + if (negated) { + return -1; /* Negative */ + } else { +diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c +index b7c763af..3569b51a 100644 +--- a/tests/unittests/torture_config.c ++++ b/tests/unittests/torture_config.c +@@ -1656,80 +1656,138 @@ static void torture_config_match_pattern(void **state) + (void) state; + + /* Simple test "a" matches "a" */ +- rv = match_pattern("a", "a", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "a"); + assert_int_equal(rv, 1); + + /* Simple test "a" does not match "b" */ +- rv = match_pattern("a", "b", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "b"); + assert_int_equal(rv, 0); + + /* NULL arguments are correctly handled */ +- rv = match_pattern("a", NULL, MAX_MATCH_RECURSION); ++ rv = match_pattern("a", NULL); + assert_int_equal(rv, 0); +- rv = match_pattern(NULL, "a", MAX_MATCH_RECURSION); ++ rv = match_pattern(NULL, "a"); + assert_int_equal(rv, 0); + + /* Simple wildcard ? 
is handled in pattern */ +- rv = match_pattern("a", "?", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "?"); + assert_int_equal(rv, 1); +- rv = match_pattern("aa", "?", MAX_MATCH_RECURSION); ++ rv = match_pattern("aa", "?"); + assert_int_equal(rv, 0); + /* Wildcard in search string */ +- rv = match_pattern("?", "a", MAX_MATCH_RECURSION); ++ rv = match_pattern("?", "a"); + assert_int_equal(rv, 0); +- rv = match_pattern("?", "?", MAX_MATCH_RECURSION); ++ rv = match_pattern("?", "?"); + assert_int_equal(rv, 1); + + /* Simple wildcard * is handled in pattern */ +- rv = match_pattern("a", "*", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "*"); + assert_int_equal(rv, 1); +- rv = match_pattern("aa", "*", MAX_MATCH_RECURSION); ++ rv = match_pattern("aa", "*"); + assert_int_equal(rv, 1); + /* Wildcard in search string */ +- rv = match_pattern("*", "a", MAX_MATCH_RECURSION); ++ rv = match_pattern("*", "a"); + assert_int_equal(rv, 0); +- rv = match_pattern("*", "*", MAX_MATCH_RECURSION); ++ rv = match_pattern("*", "*"); + assert_int_equal(rv, 1); + + /* More complicated patterns */ +- rv = match_pattern("a", "*a", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "*a"); + assert_int_equal(rv, 1); +- rv = match_pattern("a", "a*", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "a*"); + assert_int_equal(rv, 1); +- rv = match_pattern("abababc", "*abc", MAX_MATCH_RECURSION); ++ rv = match_pattern("abababc", "*abc"); + assert_int_equal(rv, 1); +- rv = match_pattern("ababababca", "*abc", MAX_MATCH_RECURSION); ++ rv = match_pattern("ababababca", "*abc"); + assert_int_equal(rv, 0); +- rv = match_pattern("ababababca", "*abc*", MAX_MATCH_RECURSION); ++ rv = match_pattern("ababababca", "*abc*"); + assert_int_equal(rv, 1); + + /* Multiple wildcards in row */ +- rv = match_pattern("aa", "??", MAX_MATCH_RECURSION); ++ rv = match_pattern("aa", "??"); + assert_int_equal(rv, 1); +- rv = match_pattern("bba", "??a", MAX_MATCH_RECURSION); ++ rv = match_pattern("bba", "??a"); + 
assert_int_equal(rv, 1); +- rv = match_pattern("aaa", "**a", MAX_MATCH_RECURSION); ++ rv = match_pattern("aaa", "**a"); + assert_int_equal(rv, 1); +- rv = match_pattern("bbb", "**a", MAX_MATCH_RECURSION); ++ rv = match_pattern("bbb", "**a"); + assert_int_equal(rv, 0); + + /* Consecutive asterisks do not make sense and do not need to recurse */ +- rv = match_pattern("hostname", "**********pattern", 5); ++ rv = match_pattern("hostname", "**********pattern"); + assert_int_equal(rv, 0); +- rv = match_pattern("hostname", "pattern**********", 5); ++ rv = match_pattern("hostname", "pattern**********"); + assert_int_equal(rv, 0); +- rv = match_pattern("pattern", "***********pattern", 5); ++ rv = match_pattern("pattern", "***********pattern"); + assert_int_equal(rv, 1); +- rv = match_pattern("pattern", "pattern***********", 5); ++ rv = match_pattern("pattern", "pattern***********"); + assert_int_equal(rv, 1); + +- /* Limit the maximum recursion */ +- rv = match_pattern("hostname", "*p*a*t*t*e*r*n*", 5); ++ rv = match_pattern("hostname", "*p*a*t*t*e*r*n*"); + assert_int_equal(rv, 0); +- /* Too much recursion */ +- rv = match_pattern("pattern", "*p*a*t*t*e*r*n*", 5); ++ rv = match_pattern("pattern", "*p*a*t*t*e*r*n*"); ++ assert_int_equal(rv, 1); ++ ++ /* Regular Expression Denial of Service */ ++ rv = match_pattern("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", ++ "*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a"); ++ assert_int_equal(rv, 1); ++ rv = match_pattern("ababababababababababababababababababababab", ++ "*a*b*a*b*a*b*a*b*a*b*a*b*a*b*a*b"); ++ assert_int_equal(rv, 1); ++ ++ /* A lot of backtracking */ ++ rv = match_pattern("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax", ++ "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*ax"); ++ assert_int_equal(rv, 1); ++ ++ /* Test backtracking: *a matches first 'a', fails on 'b', must backtrack */ ++ rv = match_pattern("axaxaxb", "*a*b"); ++ assert_int_equal(rv, 1); ++ ++ /* Test greedy consumption with suffix */ ++ rv = 
match_pattern("foo_bar_baz_bar", "*bar"); ++ assert_int_equal(rv, 1); ++ ++ /* Test exact suffix requirement (ensure no partial match acceptance) */ ++ rv = match_pattern("foobar_extra", "*bar"); ++ assert_int_equal(rv, 0); ++ ++ /* Test multiple distinct wildcards */ ++ rv = match_pattern("a_very_long_string_with_a_pattern", "*long*pattern"); ++ assert_int_equal(rv, 1); ++ ++ /* ? inside a * sequence */ ++ rv = match_pattern("abcdefg", "a*c?e*g"); ++ assert_int_equal(rv, 1); ++ ++ /* Consecutive mixed wildcards */ ++ rv = match_pattern("abc", "*?c"); ++ assert_int_equal(rv, 1); ++ ++ /* ? at the very end after * */ ++ rv = match_pattern("abc", "ab?"); ++ assert_int_equal(rv, 1); ++ rv = match_pattern("abc", "ab*?"); ++ assert_int_equal(rv, 1); ++ ++ /* Consecutive stars should be collapsed or handled gracefully */ ++ rv = match_pattern("abc", "a**c"); ++ assert_int_equal(rv, 1); ++ rv = match_pattern("abc", "***"); ++ assert_int_equal(rv, 1); ++ ++ /* Empty string handling */ ++ rv = match_pattern("", "*"); ++ assert_int_equal(rv, 1); ++ rv = match_pattern("", "?"); + assert_int_equal(rv, 0); ++ rv = match_pattern("", ""); ++ assert_int_equal(rv, 1); + ++ /* Pattern longer than string */ ++ rv = match_pattern("short", "short_but_longer"); ++ assert_int_equal(rv, 0); + } + + /* Identity file can be specified multiple times in the configuration diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index e0ade7f67c..e4a28af7a6 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb 
@@ -30,6 +30,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2026-0966-3.patch \ file://CVE-2026-0968-1.patch \ file://CVE-2026-0968-2.patch \ + file://CVE-2026-0967.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"

From patchwork Tue Apr 28 05:01:08 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 87038
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-oe][scarthgap][PATCH 5/5] libssh: Fix CVE-2026-0965
Date: Tue, 28 Apr 2026 17:01:08 +1200
Message-ID: <20260428050109.2099228-5-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260428050109.2099228-1-ankur.tyagi85@gmail.com>
References: <20260428050109.2099228-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126645

From: Ankur Tyagi

Backport the patch [1] as mentioned in [2]

[1] https://git.libssh.org/projects/libssh.git/commit/?id=bf390a042623e02abc8f421c4c5fadc0429a8a76
[2] https://security-tracker.debian.org/tracker/CVE-2026-0965

Ptests passed:

root@qemux86:~# ptest-runner libssh
START: ptest-runner
2026-04-28T04:44
BEGIN: /usr/lib/libssh/ptest
...
...
DURATION: 269
END: /usr/lib/libssh/ptest
2026-04-28T04:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Ankur Tyagi
--- .../libssh/libssh/CVE-2026-0965.patch | 284 ++++++++++++++++++ .../recipes-support/libssh/libssh_0.10.6.bb | 1 + 2 files changed, 285 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-0965.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-0965.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0965.patch new file mode 100644 index 0000000000..c30310bc70 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-0965.patch
@@ -0,0 +1,284 @@ +From cc84dbc554e4e3d760234ea0e24284ef09fd3428 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 11 Dec 2025 17:33:19 +0100 +Subject: [PATCH] CVE-2026-0965 config: Do not attempt to read non-regular and + too large configuration files + +Changes also the reading of known_hosts to use the new helper function + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit a5eb30dbfd8f3526b2d04bd9f0a3803b665f5798) + +CVE: CVE-2026-0965 +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=bf390a042623e02abc8f421c4c5fadc0429a8a76] + +Signed-off-by: Ankur Tyagi +--- + include/libssh/misc.h | 4 +- + include/libssh/priv.h | 3 ++ + src/bind_config.c | 4 +- + src/config.c | 8 ++-- + src/dh-gex.c | 4 +- + src/known_hosts.c | 2 +- + src/knownhosts.c | 2 +- + src/misc.c | 74 ++++++++++++++++++++++++++++++++ + tests/unittests/torture_config.c | 20 +++++++++ + 9 files changed, 110 insertions(+), 11 deletions(-) + +diff --git a/include/libssh/misc.h b/include/libssh/misc.h +index 0924ba7f..5591c925 100644 +--- a/include/libssh/misc.h ++++ b/include/libssh/misc.h +@@ -20,7 +20,7 @@ + + #ifndef MISC_H_ + #define MISC_H_ +- ++#include + #ifdef __cplusplus + extern "C" { + #endif +@@ -106,6 +106,8 @@ char *ssh_strreplace(const char *src, const char *pattern, const char *repl); + + int ssh_check_hostname_syntax(const char *hostname); + ++FILE *ssh_strict_fopen(const char *filename, size_t max_file_size); ++ + #ifdef __cplusplus + } + #endif +diff --git a/include/libssh/priv.h b/include/libssh/priv.h +index 47af57f4..b55df501 100644 +--- a/include/libssh/priv.h ++++ b/include/libssh/priv.h +@@ -438,6 +438,9 @@ bool is_ssh_initialized(void); + #define SSH_ERRNO_MSG_MAX 1024 + char *ssh_strerror(int err_num, char *buf, size_t buflen); + ++/** The default maximum file size for a configuration file */ ++#define SSH_MAX_CONFIG_FILE_SIZE 16 * 1024 * 1024 ++ + #ifdef __cplusplus + } + #endif +diff --git 
a/src/bind_config.c b/src/bind_config.c +index ed42cbe3..c429bce2 100644 +--- a/src/bind_config.c ++++ b/src/bind_config.c +@@ -212,7 +212,7 @@ local_parse_file(ssh_bind bind, + return; + } + +- f = fopen(filename, "r"); ++ f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (f == NULL) { + SSH_LOG(SSH_LOG_RARE, "Cannot find file %s to load", + filename); +@@ -636,7 +636,7 @@ int ssh_bind_config_parse_file(ssh_bind bind, const char *filename) + * option to be redefined later by another file. */ + uint8_t seen[BIND_CFG_MAX] = {0}; + +- f = fopen(filename, "r"); ++ f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (f == NULL) { + return 0; + } +diff --git a/src/config.c b/src/config.c +index d4d8d419..87cdaaaf 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -215,10 +215,9 @@ local_parse_file(ssh_session session, + return; + } + +- f = fopen(filename, "r"); ++ f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (f == NULL) { +- SSH_LOG(SSH_LOG_RARE, "Cannot find file %s to load", +- filename); ++ /* The underlying function logs the reasons */ + return; + } + +@@ -1205,8 +1204,9 @@ int ssh_config_parse_file(ssh_session session, const char *filename) + int parsing, rv; + bool global = 0; + +- f = fopen(filename, "r"); ++ f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (f == NULL) { ++ /* The underlying function logs the reasons */ + return 0; + } + +diff --git a/src/dh-gex.c b/src/dh-gex.c +index 642a88ae..aadc7c09 100644 +--- a/src/dh-gex.c ++++ b/src/dh-gex.c +@@ -520,9 +520,9 @@ static int ssh_retrieve_dhgroup(char *moduli_file, + } + + if (moduli_file != NULL) +- moduli = fopen(moduli_file, "r"); ++ moduli = ssh_strict_fopen(moduli_file, SSH_MAX_CONFIG_FILE_SIZE); + else +- moduli = fopen(MODULI_FILE, "r"); ++ moduli = ssh_strict_fopen(MODULI_FILE, SSH_MAX_CONFIG_FILE_SIZE); + + if (moduli == NULL) { + char err_msg[SSH_ERRNO_MSG_MAX] = {0}; +diff --git a/src/known_hosts.c b/src/known_hosts.c +index 
f660a6f3..ba2ae4d5 100644 +--- a/src/known_hosts.c ++++ b/src/known_hosts.c +@@ -83,7 +83,7 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + struct ssh_tokens_st *tokens = NULL; + + if (*file == NULL) { +- *file = fopen(filename,"r"); ++ *file = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (*file == NULL) { + return NULL; + } +diff --git a/src/knownhosts.c b/src/knownhosts.c +index 109b4f06..f0fde696 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -232,7 +232,7 @@ static int ssh_known_hosts_read_entries(const char *match, + FILE *fp = NULL; + int rc; + +- fp = fopen(filename, "r"); ++ fp = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (fp == NULL) { + char err_msg[SSH_ERRNO_MSG_MAX] = {0}; + SSH_LOG(SSH_LOG_WARN, "Failed to open the known_hosts file '%s': %s", +diff --git a/src/misc.c b/src/misc.c +index 565abcfc..e78c92ba 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -37,6 +37,7 @@ + #endif /* _WIN32 */ + + #include ++#include + #include + #include + #include +@@ -2074,4 +2075,77 @@ int ssh_check_hostname_syntax(const char *hostname) + return SSH_OK; + } + ++/** ++ * @internal ++ * ++ * @brief Safely open a file containing some configuration. ++ * ++ * Runs checks if the file can be used as some configuration file (is regular ++ * file and is not too large). If so, returns the opened file (for reading). ++ * Otherwise logs error and returns `NULL`. ++ * ++ * @param filename The path to the file to open. ++ * @param max_file_size Maximum file size that is accepted. ++ * ++ * @returns the opened file or `NULL` on error. 
++ */ ++FILE *ssh_strict_fopen(const char *filename, size_t max_file_size) ++{ ++ FILE *f = NULL; ++ struct stat sb; ++ char err_msg[SSH_ERRNO_MSG_MAX] = {0}; ++ int r, fd; ++ ++ /* open first to avoid TOCTOU */ ++ fd = open(filename, O_RDONLY); ++ if (fd == -1) { ++ SSH_LOG(SSH_LOG_RARE, ++ "Failed to open a file %s for reading: %s", ++ filename, ++ ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX)); ++ return NULL; ++ } ++ ++ /* Check the file is sensible for a configuration file */ ++ r = fstat(fd, &sb); ++ if (r != 0) { ++ SSH_LOG(SSH_LOG_RARE, ++ "Failed to stat %s: %s", ++ filename, ++ ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX)); ++ close(fd); ++ return NULL; ++ } ++ if ((sb.st_mode & S_IFMT) != S_IFREG) { ++ SSH_LOG(SSH_LOG_RARE, ++ "The file %s is not a regular file: skipping", ++ filename); ++ close(fd); ++ return NULL; ++ } ++ ++ if ((size_t)sb.st_size > max_file_size) { ++ SSH_LOG(SSH_LOG_RARE, ++ "The file %s is too large (%jd MB > %zu MB): skipping", ++ filename, ++ (intmax_t)sb.st_size / 1024 / 1024, ++ max_file_size / 1024 / 1024); ++ close(fd); ++ return NULL; ++ } ++ ++ f = fdopen(fd, "r"); ++ if (f == NULL) { ++ SSH_LOG(SSH_LOG_RARE, ++ "Failed to open a file %s for reading: %s", ++ filename, ++ ssh_strerror(r, err_msg, SSH_ERRNO_MSG_MAX)); ++ close(fd); ++ return NULL; ++ } ++ ++ /* the flcose() will close also the underlying fd */ ++ return f; ++} ++ + /** @} */ +diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c +index 3569b51a..b4c7b0a7 100644 +--- a/tests/unittests/torture_config.c ++++ b/tests/unittests/torture_config.c +@@ -1908,6 +1908,23 @@ static void torture_config_make_absolute_no_sshdir(void **state) + torture_config_make_absolute_int(state, 1); + } + ++/* Invalid configuration files ++ */ ++static void torture_config_invalid(void **state) ++{ ++ ssh_session session = *state; ++ ++ ssh_options_set(session, SSH_OPTIONS_HOST, "Bar"); ++ ++ /* non-regular file -- ignored (or missing on non-unix) so OK */ 
++ _parse_config(session, "/dev/random", NULL, SSH_OK); ++ ++#ifndef _WIN32 ++ /* huge file -- ignored (or missing on non-unix) so OK */ ++ _parse_config(session, "/proc/kcore", NULL, SSH_OK); ++#endif ++} ++ + int torture_run_tests(void) + { + int rc; +@@ -1980,6 +1997,9 @@ int torture_run_tests(void) + setup, teardown), + cmocka_unit_test_setup_teardown(torture_config_make_absolute_no_sshdir, + setup_no_sshdir, teardown), ++ cmocka_unit_test_setup_teardown(torture_config_invalid, ++ setup, ++ teardown), + }; + + diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index e4a28af7a6..189305fd2e 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb @@ -31,6 +31,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2026-0968-1.patch \ file://CVE-2026-0968-2.patch \ file://CVE-2026-0967.patch \ + file://CVE-2026-0965.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
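
Review bot: In the rewritten match_pattern() loop in src/match.c (CVE-2026-0967.patch, PATCH 4/5), Case 1 is tested before Case 2, so a `*` in the pattern is consumed as a literal whenever the subject string has a `*` at the same position, and no star position is recorded. With s = "*a" and pattern = "*", the first iteration advances both pointers, the second reaches Case 4 with p_star still NULL, and the function returns 0 although `*` should match any string. The added test match_pattern("*", "*") passes only through the literal comparison. Testing `*pattern == '*'` before the literal/`?` comparison avoids this; since this is a backport, it is worth raising upstream rather than diverging here. Separately, the embedded commit message describes O(N*M) as "linear"; it is bounded by the product of the two lengths.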
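
Review bot: The "Regular Expression Denial of Service" and "A lot of backtracking" cases added to torture_config_match_pattern() in tests/unittests/torture_config.c (PATCH 4/5) assert only on rv, so a regression to exponential matching would show up as a slow or timed-out test run, not as a failed assertion. If the suite has no per-test timeout, consider bounding these cases explicitly. It would also help to add a case where the subject string contains `*` followed by other characters, which none of the visible cases cover.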
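
Review bot: SSH_MAX_CONFIG_FILE_SIZE in the include/libssh/priv.h hunk (CVE-2026-0965.patch, PATCH 5/5) is defined as the unparenthesized expression 16 * 1024 * 1024. Every use in this patch passes it as a function argument, where that is harmless, but a later use next to a division or modulo, such as x / SSH_MAX_CONFIG_FILE_SIZE, would bind to the first 16 only. Defining it as (16 * 1024 * 1024) removes the hazard.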
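
Review bot: In ssh_strict_fopen() in the src/misc.c hunk (PATCH 5/5), open(filename, O_RDONLY) is called without O_NONBLOCK, so when the path is a FIFO with no writer the call blocks before the S_IFREG check on the fstat() result can reject it. Opening with O_RDONLY | O_NONBLOCK (ideally also O_CLOEXEC) keeps the open-then-fstat ordering that avoids the TOCTOU while letting the type check run. In the fdopen() failure branch, ssh_strerror(r, ...) passes the fstat() return value, which is 0 at that point, where errno is intended. The closing comment has a typo: "flcose()".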
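
Review bot: torture_config_invalid() in tests/unittests/torture_config.c (PATCH 5/5) expects SSH_OK for both paths, and its own comments note that a missing file is also OK, so the test passes whether the file was rejected by the new type and size checks, failed to open, or does not exist. /proc/kcore in particular is Linux-specific and may be unreadable to an unprivileged test user, in which case the size branch of ssh_strict_fopen() is never reached. A sparse temporary file extended past SSH_MAX_CONFIG_FILE_SIZE (for example with ftruncate()) and a directory path created by the test itself would exercise both branches deterministically.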