Commit c68dea1

omkhar (Omkhar Arasaratnam) and claude authored
libssh2: patch CVE-2026-55200 (OOB write in transport read) (microsoft#17803)
Signed-off-by: Omkhar Arasaratnam <omkhar@linkedin.com>
Co-authored-by: Omkhar Arasaratnam <omkhar@linkedin.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 8dcc2af commit c68dea1

6 files changed

Lines changed: 57 additions & 11 deletions

SPECS/libssh2/CVE-2026-55200.patch

Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
From 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8 Mon Sep 17 00:00:00 2001
2+
From: Will Cosgrove <will@panic.com>
3+
Date: Fri, 12 Jun 2026 15:57:44 -0700
4+
Subject: [PATCH] transport.c: Additional boundary checks for packet length (#2052)
5+
6+
Add additional bounds checking on packet length to prevent OOB write.
7+
8+
The chacha20-poly1305 (REQUIRES_FULL_PACKET) read path parses packet_length
9+
without an upper bound. A crafted length near UINT32_MAX wraps the 32-bit
10+
total_num computation past the existing total_num > LIBSSH2_PACKET_MAXPAYLOAD
11+
guard, under-allocating the payload buffer that a later copy overflows
12+
(CWE-680). Bound packet_length directly, mirroring the guarded first-read
13+
branch.
14+
15+
Note: upstream 97acf3df targets the post-1.11.1 tree (function renamed to
16+
ssh2_transport_read, nested conditionals merged); this is the equivalent
17+
guard adapted to the 1.11.1 _libssh2_transport_read() else branch.
18+
19+
Credit:
20+
[TristanInSec](https://github.com/TristanInSec)
21+
22+
Signed-off-by: Omkhar Arasaratnam <omkhar@linkedin.com>
23+
Upstream-reference: https://github.com/libssh2/libssh2/commit/97acf3dfda80c91c3a8c9f2372546301d4a1a7a8.patch
24+
---
25+
src/transport.c | 2 ++
26+
1 file changed, 2 insertions(+)
27+
28+
diff --git a/src/transport.c b/src/transport.c
29+
index e1120656..5180741f 100644
30+
--- a/src/transport.c
31+
+++ b/src/transport.c
32+
@@ -641,6 +641,8 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
33+
p->packet_length = _libssh2_ntohu32(block);
34+
if(p->packet_length < 1)
35+
return LIBSSH2_ERROR_DECRYPT;
36+
+ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD)
37+
+ return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
38+
39+
/* total_num may include size field, however due to existing
40+
* logic it needs to be removed after the entire packet is read
41+
--
42+
2.34.1
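
Review bot: The added upper-bound branch in the embedded src/transport.c hunk returns LIBSSH2_ERROR_OUT_OF_BOUNDARY, while the lower-bound check directly above it returns LIBSSH2_ERROR_DECRYPT, and the description says the guard mirrors the first-read branch, which is not shown in this diff. Please state in the patch description which error code that branch returns so the hand-adapted backport can be checked against it without opening the 1.11.1 source. None of the 6 changed files is a test, so a regression check that a packet_length above LIBSSH2_PACKET_MAXPAYLOAD on the REQUIRES_FULL_PACKET path is rejected before allocation would keep the guard from being lost in a later rebase.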

SPECS/libssh2/libssh2.spec

Lines changed: 5 additions & 1 deletion
@@ -3,14 +3,15 @@
33
Summary: libssh2 is a library implementing the SSH2 protocol.
44
Name: libssh2
55
Version: 1.11.1
6-
Release: 2%{?dist}
6+
Release: 3%{?dist}
77
License: BSD
88
URL: https://www.libssh2.org/
99
Group: System Environment/NetworkingLibraries
1010
Vendor: Microsoft Corporation
1111
Distribution: Azure Linux
1212
Source0: https://www.libssh2.org/download/libssh2-%{version}.tar.gz
1313
Patch0: CVE-2026-7598.patch
14+
Patch1: CVE-2026-55200.patch
1415
BuildRequires: openssl-devel
1516
BuildRequires: zlib-devel
1617
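
Review bot: Patch1: CVE-2026-55200.patch is declared next to Patch0, but the spec diff totals 5 additions and 1 deletion, all accounted for by the Release bump, this Patch1 line and the changelog entry, so %prep is unchanged. Please confirm that %prep applies patches automatically (for example via %autosetup -p1); if it lists patches explicitly, the new guard would be shipped in the source RPM but never applied to the build, and a matching %patch line is needed.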

@@ -58,6 +59,9 @@ find %{buildroot} -name '*.la' -exec rm -f {} ';'
5859
%{_mandir}/man3/*
5960

6061
%changelog
62+
* Thu Jun 25 2026 Omkhar Arasaratnam <omkhar@linkedin.com> - 1.11.1-3
63+
- Patch for CVE-2026-55200
64+
6165
* Mon May 04 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.11.1-2
6266
- Patch for CVE-2026-7598
6367

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

Lines changed: 2 additions & 2 deletions
@@ -193,8 +193,8 @@ e2fsprogs-1.47.0-2.azl3.aarch64.rpm
193193
e2fsprogs-devel-1.47.0-2.azl3.aarch64.rpm
194194
libsolv-0.7.28-3.azl3.aarch64.rpm
195195
libsolv-devel-0.7.28-3.azl3.aarch64.rpm
196-
libssh2-1.11.1-2.azl3.aarch64.rpm
197-
libssh2-devel-1.11.1-2.azl3.aarch64.rpm
196+
libssh2-1.11.1-3.azl3.aarch64.rpm
197+
libssh2-devel-1.11.1-3.azl3.aarch64.rpm
198198
krb5-1.21.3-5.azl3.aarch64.rpm
199199
krb5-devel-1.21.3-5.azl3.aarch64.rpm
200200
nghttp2-1.61.0-3.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

Lines changed: 2 additions & 2 deletions
@@ -193,8 +193,8 @@ e2fsprogs-1.47.0-2.azl3.x86_64.rpm
193193
e2fsprogs-devel-1.47.0-2.azl3.x86_64.rpm
194194
libsolv-0.7.28-3.azl3.x86_64.rpm
195195
libsolv-devel-0.7.28-3.azl3.x86_64.rpm
196-
libssh2-1.11.1-2.azl3.x86_64.rpm
197-
libssh2-devel-1.11.1-2.azl3.x86_64.rpm
196+
libssh2-1.11.1-3.azl3.x86_64.rpm
197+
libssh2-devel-1.11.1-3.azl3.x86_64.rpm
198198
krb5-1.21.3-5.azl3.x86_64.rpm
199199
krb5-devel-1.21.3-5.azl3.x86_64.rpm
200200
nghttp2-1.61.0-3.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

Lines changed: 3 additions & 3 deletions
@@ -229,9 +229,9 @@ libsolv-0.7.28-3.azl3.aarch64.rpm
229229
libsolv-debuginfo-0.7.28-3.azl3.aarch64.rpm
230230
libsolv-devel-0.7.28-3.azl3.aarch64.rpm
231231
libsolv-tools-0.7.28-3.azl3.aarch64.rpm
232-
libssh2-1.11.1-2.azl3.aarch64.rpm
233-
libssh2-debuginfo-1.11.1-2.azl3.aarch64.rpm
234-
libssh2-devel-1.11.1-2.azl3.aarch64.rpm
232+
libssh2-1.11.1-3.azl3.aarch64.rpm
233+
libssh2-debuginfo-1.11.1-3.azl3.aarch64.rpm
234+
libssh2-devel-1.11.1-3.azl3.aarch64.rpm
235235
libstdc++-13.2.0-7.azl3.aarch64.rpm
236236
libstdc++-devel-13.2.0-7.azl3.aarch64.rpm
237237
libtasn1-4.19.0-3.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

Lines changed: 3 additions & 3 deletions
@@ -237,9 +237,9 @@ libsolv-0.7.28-3.azl3.x86_64.rpm
237237
libsolv-debuginfo-0.7.28-3.azl3.x86_64.rpm
238238
libsolv-devel-0.7.28-3.azl3.x86_64.rpm
239239
libsolv-tools-0.7.28-3.azl3.x86_64.rpm
240-
libssh2-1.11.1-2.azl3.x86_64.rpm
241-
libssh2-debuginfo-1.11.1-2.azl3.x86_64.rpm
242-
libssh2-devel-1.11.1-2.azl3.x86_64.rpm
240+
libssh2-1.11.1-3.azl3.x86_64.rpm
241+
libssh2-debuginfo-1.11.1-3.azl3.x86_64.rpm
242+
libssh2-devel-1.11.1-3.azl3.x86_64.rpm
243243
libstdc++-13.2.0-7.azl3.x86_64.rpm
244244
libstdc++-devel-13.2.0-7.azl3.x86_64.rpm
245245
libtasn1-4.19.0-3.azl3.x86_64.rpm
