* [rpms/libssh2] epel10: Address CVE-2025-15661
@ 2026-06-25 14:26 Paul Howarth
From: Paul Howarth @ 2026-06-25 14:26 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/libssh2
            Branch : epel10
            Commit : 13fb9aee68b781a29ad5ae4e7a825a0eab20c355
            Author : Paul Howarth <paul@city-fan.org>
            Date   : 2026-06-25T13:09:50+01:00
            Stats  : +151/-1 in 2 file(s)
            URL    : https://src.fedoraproject.org/rpms/libssh2/c/13fb9aee68b781a29ad5ae4e7a825a0eab20c355?branch=epel10

            Log:
            Address CVE-2025-15661

Information disclosure and denial of service via crafted SFTP response
- https://github.com/libssh2/libssh2/pull/1705
- https://github.com/libssh2/libssh2/pull/1717

---
diff --git a/2dae302-libssh2-1.11.1.patch b/2dae302-libssh2-1.11.1.patch
new file mode 100644
index 0000000..7ba0774
--- /dev/null
+++ b/2dae302-libssh2-1.11.1.patch
@@ -0,0 +1,138 @@
+From 2dae3024897e1898d389835151f4e9606227721d Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 10 Oct 2025 08:26:20 -0700
+Subject: [PATCH] Update sftp_symlink to avoid out of bounds read on malformed
+ packet #1705 (#1717)
+
+Use buffer struct to guard against out of bounds reads and invalid packets.
+
+Discovery Credit:
+Joshua Rogers
+---
+ src/sftp.c | 66 ++++++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 47 insertions(+), 19 deletions(-)
+
+diff --git a/src/sftp.c b/src/sftp.c
+index 72b007f6eb..70d7686daf 100644
+--- a/src/sftp.c
++++ b/src/sftp.c
+@@ -3795,15 +3795,19 @@ static int sftp_symlink(LIBSSH2_SFTP *sftp, const char *path,
+ {
+     LIBSSH2_CHANNEL *channel = sftp->channel;
+     LIBSSH2_SESSION *session = channel->session;
+-    size_t data_len = 0, link_len;
++    size_t data_len = 0, lk_len;
+     /* 13 = packet_len(4) + packet_type(1) + request_id(4) + path_len(4) */
+     ssize_t packet_len =
+         path_len + 13 +
+         ((link_type == LIBSSH2_SFTP_SYMLINK) ? (4 + target_len) : 0);
+     unsigned char *s, *data = NULL;
++    struct string_buf buf;
+     static const unsigned char link_responses[2] =
+         { SSH_FXP_NAME, SSH_FXP_STATUS };
+     int retcode;
++    unsigned char packet_type;
++    uint32_t tmp_u32;
++    unsigned char *lk_target;
+ 
+     if(sftp->symlink_state == libssh2_NB_state_idle) {
+         sftp->last_errno = LIBSSH2_FX_OK;
+@@ -3891,8 +3895,25 @@ static int sftp_symlink(LIBSSH2_SFTP *sftp, const char *path,
+ 
+     sftp->symlink_state = libssh2_NB_state_idle;
+ 
+-    if(data[0] == SSH_FXP_STATUS) {
+-        retcode = _libssh2_ntohu32(data + 5);
++    buf.data = (unsigned char *)SSH2_UNCONST(data);
++    buf.dataptr = buf.data;
++    buf.len = data_len;
++
++    if(_libssh2_get_byte(&buf, &packet_type)) {
++        LIBSSH2_FREE(session, data);
++        return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++                              "SFTP Protocol Error (type)");
++    }
++
++    if(packet_type == SSH_FXP_STATUS) {
++        if(_libssh2_get_u32(&buf, &tmp_u32)) {
++            LIBSSH2_FREE(session, data);
++            return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++                                  "SFTP Protocol Error (code)");
++        }
++
++        retcode = (int)tmp_u32;
++
+         LIBSSH2_FREE(session, data);
+         if(retcode == LIBSSH2_FX_OK)
+             return LIBSSH2_ERROR_NONE;
+@@ -3903,30 +3924,37 @@ static int sftp_symlink(LIBSSH2_SFTP *sftp, const char *path,
+         }
+     }
+ 
+-    if(_libssh2_ntohu32(data + 5) < 1) {
++    /* advance past id */
++    if(_libssh2_get_u32(&buf, &tmp_u32)) {
+         LIBSSH2_FREE(session, data);
+         return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+-                              "Invalid READLINK/REALPATH response, "
+-                              "no name entries");
++                              "SFTP Protocol Error (id)");
+     }
+ 
+-    if(data_len < 13) {
+-        if(data_len > 0) {
+-            LIBSSH2_FREE(session, data);
+-        }
++    /* look for at least one link */
++    if(_libssh2_get_u32(&buf, &tmp_u32) || tmp_u32 < 1) {
++        LIBSSH2_FREE(session, data);
+         return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
+-                              "SFTP stat packet too short");
++                                     "Invalid READLINK/REALPATH response, "
++                                     "no name entries");
+     }
+ 
+-    /* this reads a u32 and stores it into a signed 32bit value */
+-    link_len = _libssh2_ntohu32(data + 9);
+-    if(link_len < target_len) {
+-        memcpy(target, data + 13, link_len);
+-        target[link_len] = 0;
+-        retcode = (int)link_len;
++    if(_libssh2_get_string(&buf, &lk_target, &lk_len) == LIBSSH2_ERROR_NONE) {
++        if(lk_len < target_len) {
++            memcpy(target, lk_target, lk_len);
++            target[lk_len] = '\0';
++            retcode = (int)lk_len;
++        }
++        else {
++            retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL;
++        }
+     }
+-    else
+-        retcode = LIBSSH2_ERROR_BUFFER_TOO_SMALL;
++    else {
++        LIBSSH2_FREE(session, data);
++        return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
++                              "SFTP Protocol Error (filename)");
++    }
++
+     LIBSSH2_FREE(session, data);
+ 
+     return retcode;
+--- a/src/libssh2_priv.h
++++ b/src/libssh2_priv.h
+@@ -117,6 +117,14 @@
+ #define UINT32_MAX 0xffffffffU
+ #endif
+ 
++#ifdef _WIN64
++#define SSH2_UNCONST(p)  ((void *)(libssh2_uint64_t)(const void *)(p))
++#elif defined(_MSC_VER)
++#define SSH2_UNCONST(p)  ((void *)(unsigned int)(const void *)(p))
++#else
++#define SSH2_UNCONST(p)  ((void *)(uintptr_t)(const void *)(p))
++#endif
++
+ #if (defined(__GNUC__) || defined(__clang__)) && \
+     defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) && \
+     !defined(LIBSSH2_NO_FMT_CHECKS)
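Review bot: In the `SSH_FXP_STATUS` branch of the embedded sftp.c hunk, `retcode` is read from the wrong offset: the removed line took the status code from `data + 5` (after the type byte and the 4-byte request id), but the new code calls `_libssh2_get_u32` immediately after `_libssh2_get_byte`, so it consumes bytes 1–4, which the later `/* advance past id */` comment identifies as the request id. Assuming the `string_buf` readers advance `dataptr` as they do elsewhere in libssh2, a STATUS reply is then interpreted with its request id as the error code, so an FX_OK reply with a non-zero id is reported as a failure and `sftp->last_errno` receives a bogus value. The fix is to move the `/* advance past id */` read ahead of the `packet_type == SSH_FXP_STATUS` test so both the STATUS and NAME paths skip the id before reading the next field, as sketched below, and to drop the second copy that currently sits after the STATUS block. sftp_symlink begins before the first embedded hunk and ends after the last.
```c
    /* advance past id: STATUS and NAME replies both carry it after the type */
    if(_libssh2_get_u32(&buf, &tmp_u32)) {
        LIBSSH2_FREE(session, data);
        return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
                              "SFTP Protocol Error (id)");
    }

    if(packet_type == SSH_FXP_STATUS) {
        /* … unchanged: read the status code into tmp_u32, free, FX_OK / last_errno handling … */
    }

    /* … the duplicate "advance past id" read that followed the STATUS block is removed … */
    /* look for at least one link */
```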

diff --git a/libssh2.spec b/libssh2.spec
index dc2fcf6..70ab697 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -6,7 +6,7 @@
 
 Name:		libssh2
 Version:	1.11.1
-Release:	8%{?dist}
+Release:	9%{?dist}
 Summary:	A library implementing the SSH2 protocol
 License:	BSD-3-Clause
 URL:		https://www.libssh2.org/
@@ -17,6 +17,7 @@ Source2:	https://daniel.haxx.se/mykey.asc
 Patch0:		libssh2-1.11.1-CVE-2026-7598.patch
 Patch1:		97acf3dfda80c91c3a8c9f2372546301d4a1a7a8-libssh2-1.11.1.patch
 Patch2:		17626857d20b3c9a1addfa45979dadcee1cd84a4.patch
+Patch3:		2dae302-libssh2-1.11.1.patch
 
 BuildRequires:	coreutils
 BuildRequires:	findutils
@@ -68,14 +69,21 @@ developing applications that use libssh2.
 # CVE-2026-7598 libssh2: integer overflow via large username or password arguments
 # https://github.com/libssh2/libssh2/pull/1858
 %patch -P0
+
 # CVE-2026-55200 transport.c: Additional boundary checks for packet length
 # Patch modified for downstream
 # https://github.com/libssh2/libssh2/pull/2052
 %patch -p1 -P1
+
 # CVE-2026-55199 packet.c: check _libssh2_get_string() return in EXT_INFO handler
 # https://github.com/libssh2/libssh2/pull/1864
 %patch -p1 -P2
 
+# CVE-2025-15661: Information disclosure and denial of service via crafted SFTP response
+# https://github.com/libssh2/libssh2/pull/1705
+# https://github.com/libssh2/libssh2/pull/1717
+%patch -p1 -P3
+
 # Replace hard wired port number in the test suite to avoid collisions
 # between 32-bit and 64-bit builds running on a single build-host
 sed -i s/4711/47%{?__isa_bits}/ tests/{openssh_fixture.c,test_ssh{2.c,d.test}}
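Review bot: Patch3 is applied without the `# Patch modified for downstream` comment that Patch1 carries, yet the embedded patch's own header reports `1 file changed, 47 insertions(+), 19 deletions(-)` for src/sftp.c while the file also contains a hunk for src/libssh2_priv.h that has no `index` line and is not counted in that diffstat, which looks like a downstream addition (the `SSH2_UNCONST` macro) rather than a verbatim export of upstream 2dae302. If that is the case, add `# Patch modified for downstream (adds SSH2_UNCONST to libssh2_priv.h)` between the CVE-2025-15661 comment lines and `%patch -p1 -P3` so the next rebase knows the file cannot simply be refreshed from upstream.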
@@ -130,6 +138,10 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_libdir}/pkgconfig/libssh2.pc
 
 %changelog
+* Thu Jun 25 2026 Paul Howarth <paul@city-fan.org> - 1.11.1-9
+- Fix CVE-2025-15661: Information disclosure and denial of service via crafted
+  SFTP response
+
 * Tue Jun 23 2026 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 1.11.1-8
 - Fix CVE-2026-55200 & CVE-2026-55199
 
