From: Vijay Anusuri <[email protected]> Pick commit according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-3731 [2] https://www.libssh.org/security/advisories/libssh-2026-sftp-extensions.txt Skip the test file change as it's not available in libssh-0.8.9 Signed-off-by: Vijay Anusuri <[email protected]> --- .../libssh/libssh/CVE-2026-3731.patch | 44 +++++++++++++++++++ .../recipes-support/libssh/libssh_0.8.9.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch new file mode 100644 index 0000000000..2ed2d4472f --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch @@ -0,0 +1,44 @@ +From f80670a7aba86cbb442c9b115c9eaf4ca04601b8 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <[email protected]> +Date: Thu, 11 Dec 2025 13:22:44 +0100 +Subject: [PATCH] sftp: Fix out-of-bound read from sftp extensions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jakub Jelen <[email protected]> +Reviewed-by: Pavol Žáčik <[email protected]> +(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60) + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8] +CVE: CVE-2026-3731 +Signed-off-by: Vijay Anusuri <[email protected]> +--- + src/sftp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/sftp.c b/src/sftp.c +index 43eb1ad6..be473793 100644 +--- a/src/sftp.c ++++ b/src/sftp.c +@@ -686,7 +686,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) { + return NULL; + } + +- if (idx > sftp->ext->count) { ++ if (idx >= sftp->ext->count) { + ssh_set_error_invalid(sftp->session); + return NULL; + } +@@ -702,7 +702,7 @@ const char *sftp_extensions_get_data(sftp_session sftp, unsigned int idx) { + return NULL; + } + +- if (idx > sftp->ext->count) { ++ if (idx >= sftp->ext->count) { + ssh_set_error_invalid(sftp->session); + return NULL; + } +-- +2.25.1 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb index 3781b501cd..a1fc64446c 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb @@ -28,6 +28,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-8277-2.patch \ file://CVE-2025-8277-3.patch \ file://CVE-2025-8114.patch \ + file://CVE-2026-3731.patch \ " SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#125099): https://lists.openembedded.org/g/openembedded-devel/message/125099 Mute This Topic: https://lists.openembedded.org/mt/118274030/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
