public inbox for git-commits@fedoraproject.org
From: Mikel Olasagasti Uranga <mikel@olasagasti.info>
To: git-commits@fedoraproject.org
Subject: [rpms/libssh2] rawhide: Fix CVE-2026-55200 & CVE-2026-55199
Date: Wed, 24 Jun 2026 16:29:57 GMT
Message-ID: <178231859725.1.4593286685757877769.rpms-libssh2-f3f46cd0ce45@fedoraproject.org>

A new commit has been pushed.

Repo   : rpms/libssh2
Branch : rawhide
Commit : f3f46cd0ce4519b6f464431480a1764a63d12fa9
Author : Mikel Olasagasti Uranga <mikel@olasagasti.info>
Date   : 2026-06-23T18:10:29+02:00
Stats  : +83/-1 in 3 file(s)
URL    : https://src.fedoraproject.org/rpms/libssh2/c/f3f46cd0ce4519b6f464431480a1764a63d12fa9?branch=rawhide

Log:
Fix CVE-2026-55200 & CVE-2026-55199

---
diff --git a/17626857d20b3c9a1addfa45979dadcee1cd84a4.patch b/17626857d20b3c9a1addfa45979dadcee1cd84a4.patch
new file mode 100644
index 0000000..06527d8
--- /dev/null
+++ b/17626857d20b3c9a1addfa45979dadcee1cd84a4.patch
@@ -0,0 +1,39 @@
+From 17626857d20b3c9a1addfa45979dadcee1cd84a4 Mon Sep 17 00:00:00 2001
+From: TristanInSec <tristan.mtn@gmail.com>
+Date: Wed, 15 Apr 2026 14:51:08 -0400
+Subject: [PATCH] packet: check `_libssh2_get_string()` return in `EXT_INFO`
+ handler
+
+The `SSH_MSG_EXT_INFO` handler discards the return values from
+`_libssh2_get_string()` when parsing extension name/value pairs. When
+the buffer is exhausted before all claimed extensions are parsed,
+the loop continues with no-op iterations until `nr_extensions` reaches
+zero.
+
+The `nr_extensions >= 1024` cap limits the worst case, but the loop
+should still break on parse failure for correctness and consistency
+with other parsers in this file (e.g. `SSH_MSG_CHANNEL_OPEN`,
+`SSH_MSG_KEXINIT`) that check `_libssh2_get_string()` return values.
+
+Closes #1864
+---
+ src/packet.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index ae86365d2a..8a7a0d2690 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -890,8 +890,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+                     nr_extensions -= 1;
+ 
+-                    _libssh2_get_string(&buf, &name, &name_len);
+-                    _libssh2_get_string(&buf, &value, &value_len);
++                    if(_libssh2_get_string(&buf, &name, &name_len))
++                        break;
++                    if(_libssh2_get_string(&buf, &value, &value_len))
++                        break;
+ 
+                     if(name && value) {
+                         _libssh2_debug((session,
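Review bot: In the `SSH_MSG_EXT_INFO` loop in src/packet.c, both new `break` paths leave the loop silently, so a peer that claims more extensions in `nr_extensions` than the buffer actually holds looks the same as one that sent a well-formed message. Consider emitting a `_libssh2_debug()` line before each `break`, or having the handler report an error, so a truncated EXT_INFO packet is visible when a session is being diagnosed. When the second `_libssh2_get_string()` fails, `name` and `name_len` are already set for that iteration; the `break` skips the `if(name && value)` block, so this is harmless here, but a one-line comment saying so would help the next reader.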

diff --git a/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8-libssh2-1.11.1.patch b/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8-libssh2-1.11.1.patch
new file mode 100644
index 0000000..dffc38a
--- /dev/null
+++ b/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8-libssh2-1.11.1.patch
@@ -0,0 +1,31 @@
+From 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 12 Jun 2026 15:57:44 -0700
+Subject: [PATCH] transport.c: Additional boundary checks for packet length
+ (#2052)
+
+Add additional bounds checking on packet length to prevent OOB write.
+
+Credit: [TristanInSec](https://github.com/TristanInSec)
+---
+ src/transport.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/transport.c b/src/transport.c
+index 869fc5a4fa..7925ad33d1 100644
+--- a/src/transport.c
++++ b/src/transport.c
+@@ -641,8 +641,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
+ 
+                 p->packet_length = _libssh2_ntohu32(block);
+-                if(p->packet_length < 1)
++                if(p->packet_length < 1) {
+                     return LIBSSH2_ERROR_DECRYPT;
++                }
++                else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
++                    return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
++                }
+ 
+                 /* total_num may include size field, however due to existing
+                  * logic it needs to be removed after the entire packet is read
+                  */
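Review bot: The new upper bound in `_libssh2_transport_read()` compares `p->packet_length` against `LIBSSH2_PACKET_MAXPAYLOAD`, but the SSH `packet_length` field counts the padding-length byte and the padding as well as the payload. A short comment explaining why the payload constant is the correct limit for the whole field, and which later buffer size it protects, would make the check auditable against the "prevent OOB write" claim in the commit message. The two rejections also return different codes, `LIBSSH2_ERROR_DECRYPT` for `< 1` and `LIBSSH2_ERROR_OUT_OF_BOUNDARY` for the oversized case; please confirm callers treat both as fatal for the session.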

diff --git a/libssh2.spec b/libssh2.spec
index 238855c..dc2fcf6 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -6,7 +6,7 @@
 
 Name:		libssh2
 Version:	1.11.1
-Release:	7%{?dist}
+Release:	8%{?dist}
 Summary:	A library implementing the SSH2 protocol
 License:	BSD-3-Clause
 URL:		https://www.libssh2.org/
@@ -15,6 +15,8 @@ Source1:	https://libssh2.org/download/libssh2-%{version}.tar.gz.asc
 # Daniel Stenberg's GPG keys; linked from https://daniel.haxx.se/address.html
 Source2:	https://daniel.haxx.se/mykey.asc
 Patch0:		libssh2-1.11.1-CVE-2026-7598.patch
+Patch1:		97acf3dfda80c91c3a8c9f2372546301d4a1a7a8-libssh2-1.11.1.patch
+Patch2:		17626857d20b3c9a1addfa45979dadcee1cd84a4.patch
 
 BuildRequires:	coreutils
 BuildRequires:	findutils
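Review bot: `Patch1` and `Patch2` are named only by upstream commit hash, while `Patch0` follows the `libssh2-1.11.1-CVE-2026-7598.patch` pattern. Naming the new files after CVE-2026-55200 and CVE-2026-55199 in the same way would let an auditor match each patch to its CVE from the source list alone, without reading the `%prep` comments.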
@@ -66,6 +68,13 @@ developing applications that use libssh2.
 # CVE-2026-7598 libssh2: integer overflow via large username or password arguments
 # https://github.com/libssh2/libssh2/pull/1858
 %patch -P0
+# CVE-2026-55200 transport.c: Additional boundary checks for packet length
+# Patch modified for downstream
+# https://github.com/libssh2/libssh2/pull/2052
+%patch -p1 -P1
+# CVE-2026-55199 packet.c: check _libssh2_get_string() return in EXT_INFO handler
+# https://github.com/libssh2/libssh2/pull/1864
+%patch -p1 -P2
 
 # Replace hard wired port number in the test suite to avoid collisions
 # between 32-bit and 64-bit builds running on a single build-host
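Review bot: The comment `# Patch modified for downstream` above `%patch -p1 -P1` does not say what was changed relative to upstream pull 2052, and the patch file itself still carries the upstream `From`/`Subject` header with no annotation. Add a line describing the modification so the backport can be compared against the upstream commit on the next rebase. The new patches are applied with `-p1` while `%patch -P0` uses the default strip level; a brief remark on why the strip levels differ would avoid confusion.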
@@ -121,6 +130,9 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_libdir}/pkgconfig/libssh2.pc
 
 %changelog
+* Tue Jun 23 2026 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 1.11.1-8
+- Fix CVE-2026-55200 & CVE-2026-55199
+
 * Fri Jun 12 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 1.11.1-7
 - Rebuilt for openssl 4.0
 
