Re: [oe] [meta-openembedded][whinlatter][PATCH v2] libssh: Fix CVE-2026-3731

Anuj Mittal via lists.openembedded.org Thu, 26 Mar 2026 00:49:37 -0700

On Wed, Mar 11, 2026 at 6:25 PM Deepak Rathore via
lists.openembedded.org <[email protected]>
wrote:
>
> From: Deepak Rathore <[email protected]>
>
> Pick the patch [1] and [2] as mentioned in [3]
>
> [1] 
> https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8
> [2] 
> https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540
> [3] https://security-tracker.debian.org/tracker/CVE-2026-3731
>
> Signed-off-by: Deepak Rathore <[email protected]>
> ---
> Changes from v1 to v2:
> - Update the commit message.
> - Cherry pick it from libssh-0.11.4 release tag and add the second patch
>   to add the reproducer for the CVE.
>
> diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch 
> b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch
> new file mode 100644
> index 0000000000..bf1fbcc027
> --- /dev/null
> +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch
> @@ -0,0 +1,35 @@
> +From 04d2f831fa8da74c973538cd3f621061a7656771 Mon Sep 17 00:00:00 2001
> +From: Jakub Jelen <[email protected]>
> +Date: Thu, 11 Dec 2025 13:22:44 +0100
> +Subject: [PATCH 1/2] sftp: Fix out-of-bound read from sftp extensions
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +CVE: CVE-2026-3731
> +Upstream-Status: Backport 
> [https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8]


We are missing a hunk from this commit. Was it dropped on purpose?

> +
> +Signed-off-by: Jakub Jelen <[email protected]>
> +Reviewed-by: Pavol Žáčik <[email protected]>
> +(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
> +(cherry picked from commit f80670a7aba86cbb442c9b115c9eaf4ca04601b8)
> +Signed-off-by: Deepak Rathore <[email protected]>
> +---
> + src/sftp.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/sftp.c b/src/sftp.c
> +index 37b4133b..05e05019 100644
> +--- a/src/sftp.c
> ++++ b/src/sftp.c
> +@@ -583,7 +583,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, 
> unsigned int idx) {
> +     return NULL;
> +   }
> +
> +-  if (idx > sftp->ext->count) {
> ++  if (idx >= sftp->ext->count) {
> +     ssh_set_error_invalid(sftp->session);
> +     return NULL;
> +   }
> +--
> +2.35.6
> diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch 
> b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch
> new file mode 100644
> index 0000000000..b5a267b808
> --- /dev/null
> +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch
> @@ -0,0 +1,102 @@
> +From df01168bb3863306ba0f35b50e5b2e5dd00ba9f6 Mon Sep 17 00:00:00 2001
> +From: Jakub Jelen <[email protected]>
> +Date: Thu, 11 Dec 2025 13:21:23 +0100
> +Subject: [PATCH 2/2] Reproducer for out of bounds read of SFTP extensions
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +CVE: CVE-2026-3731
> +Upstream-Status: Backport 
> [https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540]
> +
> +Signed-off-by: Jakub Jelen <[email protected]>
> +Reviewed-by: Pavol Žáčik <[email protected]>
> +(cherry picked from commit b90b7f24517efa7ab21506db9379aa3dce9fee7d)
> +(cherry picked from commit 02c6f5f7ec8629a7cff6a28cde9701ab10304540)
> +Signed-off-by: Deepak Rathore <[email protected]>
> +---
> + tests/client/torture_sftp_init.c | 62 +++++++++++++++++++++++++++++++-
> + 1 file changed, 61 insertions(+), 1 deletion(-)
> +
> +diff --git a/tests/client/torture_sftp_init.c 
> b/tests/client/torture_sftp_init.c
> +index a17f01fe..cdc24426 100644
> +--- a/tests/client/torture_sftp_init.c
> ++++ b/tests/client/torture_sftp_init.c
> +@@ -72,6 +72,63 @@ static void session_setup_channel(void **state)
> +     assert_non_null(s->ssh.tsftp);
> + }
> +
> ++static void session_setup_extensions(void **state)
> ++{
> ++    struct torture_state *s = *state;
> ++    struct passwd *pwd = NULL;
> ++    int rc, count;
> ++    const char *name = NULL, *data = NULL;
> ++    sftp_session sftp = NULL;
> ++
> ++    pwd = getpwnam("bob");
> ++    assert_non_null(pwd);
> ++
> ++    rc = setuid(pwd->pw_uid);
> ++    assert_return_code(rc, errno);
> ++
> ++    s->ssh.session = torture_ssh_session(s,
> ++                                         TORTURE_SSH_SERVER,
> ++                                         NULL,
> ++                                         TORTURE_SSH_USER_ALICE,
> ++                                         NULL);
> ++    assert_non_null(s->ssh.session);
> ++
> ++    s->ssh.tsftp = torture_sftp_session(s->ssh.session);
> ++    assert_non_null(s->ssh.tsftp);
> ++    sftp = s->ssh.tsftp->sftp;
> ++
> ++    /* null parameter */
> ++    count = sftp_extensions_get_count(NULL);
> ++    assert_int_equal(count, 0);
> ++
> ++    count = sftp_extensions_get_count(sftp);
> ++    assert_int_not_equal(count, 0);
> ++
> ++    /* first null parameter */
> ++    name = sftp_extensions_get_name(NULL, 0);
> ++    assert_null(name);
> ++    data = sftp_extensions_get_data(NULL, 0);
> ++    assert_null(data);
> ++
> ++    /* First extension */
> ++    name = sftp_extensions_get_name(sftp, 0);
> ++    assert_non_null(name);
> ++    data = sftp_extensions_get_data(sftp, 0);
> ++    assert_non_null(data);
> ++
> ++    /* Last extension */
> ++    name = sftp_extensions_get_name(sftp, count - 1);
> ++    assert_non_null(name);
> ++    data = sftp_extensions_get_data(sftp, count - 1);
> ++    assert_non_null(data);
> ++
> ++    /* Overrun */
> ++    name = sftp_extensions_get_name(sftp, count);
> ++    assert_null(name);
> ++    data = sftp_extensions_get_data(sftp, count);
> ++    assert_null(data);
> ++}
> ++
> + static int session_teardown(void **state)
> + {
> +     struct torture_state *s = *state;
> +@@ -92,7 +149,10 @@ int torture_run_tests(void) {
> +                                         session_teardown),
> +         cmocka_unit_test_setup_teardown(session_setup_channel,
> +                                         NULL,
> +-                                        session_teardown)
> ++                                        session_teardown),
> ++        cmocka_unit_test_setup_teardown(session_setup_extensions,
> ++                                        NULL,
> ++                                        session_teardown),
> +     };
> +
> +     ssh_init();
> +--
> +2.35.6
> diff --git a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb 
> b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
> index 5928581312..ab47931fa3 100644
> --- a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
> +++ b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
> @@ -9,6 +9,8 @@ DEPENDS = "zlib openssl"
>  SRC_URI = 
> "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.11;tag=${BPN}-${PV}
>  \
>             
> file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
>             file://run-ptest \
> +           file://CVE-2026-3731_p1.patch \
> +           file://CVE-2026-3731_p2.patch \
>            "
>
>  SRC_URI:append:toolchain-clang = " 
> file://0001-CompilerChecks.cmake-drop-Wunused-variable-flag.patch"
> --
> 2.35.6
>
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#125636): 
https://lists.openembedded.org/g/openembedded-devel/message/125636
Mute This Topic: https://lists.openembedded.org/mt/118257651/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [oe] [meta-openembedded][whinlatter][PATCH v2] libssh: Fix CVE-2026-3731

Reply via email to