[meta-openembedded][master][PATCH] libssh 0.11.3: Fix CVE-2026-3731

[meta-openembedded][master][PATCH] libssh 0.11.3: Fix CVE-2026-3731

[Deepak Rathore -X (deeratho - E INFOCHIPS PRIVATE LIMITED at Cisco)]

From: Deepak Rathore <deeratho@cisco.com>

Upstream Repository: https://git.libssh.org/projects/libssh.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3731
Type: Security Fix
CVE: CVE-2026-3731
Score: 9.8
Patch: https://git.libssh.org/projects/libssh.git/commit/?id=855a0853ad3a

Signed-off-by: Deepak Rathore <deeratho@cisco.com>

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch
new file mode 100644
index 0000000000..88e6ff1c48
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch
@@ -0,0 +1,43 @@
+From e46f096ad5294428509077c887233554d62ead0e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 11 Dec 2025 13:22:44 +0100
+Subject: [PATCH] sftp: Fix out-of-bound read from sftp extensions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE: CVE-2026-3731
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=855a0853ad3a]
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/sftp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sftp.c b/src/sftp.c
+index 37b4133b..cbcdb066 100644
+--- a/src/sftp.c
++++ b/src/sftp.c
+@@ -583,7 +583,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) {
+     return NULL;
+   }
+
+-  if (idx > sftp->ext->count) {
++  if (idx >= sftp->ext->count) {
+     ssh_set_error_invalid(sftp->session);
+     return NULL;
+   }
+@@ -599,7 +599,7 @@ const char *sftp_extensions_get_data(sftp_session sftp, unsigned int idx) {
+     return NULL;
+   }
+
+-  if (idx > sftp->ext->count) {
++  if (idx >= sftp->ext->count) {
+     ssh_set_error_invalid(sftp->session);
+     return NULL;
+   }
+--
+2.51.0
diff --git a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
index 5928581312..9f66736b29 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
@@ -9,6 +9,7 @@ DEPENDS = "zlib openssl"
 SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.11;tag=${BPN}-${PV} \
            file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
            file://run-ptest \
+           file://CVE-2026-3731.patch \
           "
 
 SRC_URI:append:toolchain-clang = " file://0001-CompilerChecks.cmake-drop-Wunused-variable-flag.patch"
-- 
2.35.6

Re: [oe] [meta-openembedded][master][PATCH] libssh 0.11.3: Fix CVE-2026-3731

[Gyorgy Sarvari]

Why not upgrade it to 0.11.4 in master, instead of patching it?

On 3/10/26 13:14, Deepak Rathore via lists.openembedded.org wrote:
> From: Deepak Rathore <deeratho@cisco.com>
>
> Upstream Repository: https://git.libssh.org/projects/libssh.git
>
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3731
> Type: Security Fix
> CVE: CVE-2026-3731
> Score: 9.8
> Patch: https://git.libssh.org/projects/libssh.git/commit/?id=855a0853ad3a
>
> Signed-off-by: Deepak Rathore <deeratho@cisco.com>
>
> diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch
> new file mode 100644
> index 0000000000..88e6ff1c48
> --- /dev/null
> +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731.patch
> @@ -0,0 +1,43 @@
> +From e46f096ad5294428509077c887233554d62ead0e Mon Sep 17 00:00:00 2001
> +From: Jakub Jelen <jjelen@redhat.com>
> +Date: Thu, 11 Dec 2025 13:22:44 +0100
> +Subject: [PATCH] sftp: Fix out-of-bound read from sftp extensions
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +CVE: CVE-2026-3731
> +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=855a0853ad3a]
> +
> +Signed-off-by: Jakub Jelen <jjelen@redhat.com>
> +Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
> +(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
> +Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> +---
> + src/sftp.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/sftp.c b/src/sftp.c
> +index 37b4133b..cbcdb066 100644
> +--- a/src/sftp.c
> ++++ b/src/sftp.c
> +@@ -583,7 +583,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) {
> +     return NULL;
> +   }
> +
> +-  if (idx > sftp->ext->count) {
> ++  if (idx >= sftp->ext->count) {
> +     ssh_set_error_invalid(sftp->session);
> +     return NULL;
> +   }
> +@@ -599,7 +599,7 @@ const char *sftp_extensions_get_data(sftp_session sftp, unsigned int idx) {
> +     return NULL;
> +   }
> +
> +-  if (idx > sftp->ext->count) {
> ++  if (idx >= sftp->ext->count) {
> +     ssh_set_error_invalid(sftp->session);
> +     return NULL;
> +   }
> +--
> +2.51.0
> diff --git a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
> index 5928581312..9f66736b29 100644
> --- a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
> +++ b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
> @@ -9,6 +9,7 @@ DEPENDS = "zlib openssl"
>  SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.11;tag=${BPN}-${PV} \
>             file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
>             file://run-ptest \
> +           file://CVE-2026-3731.patch \
>            "
>  
>  SRC_URI:append:toolchain-clang = " file://0001-CompilerChecks.cmake-drop-Wunused-variable-flag.patch"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#125024): https://lists.openembedded.org/g/openembedded-devel/message/125024
> Mute This Topic: https://lists.openembedded.org/mt/118239463/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [meta-openembedded][master][PATCH] libssh 0.11.3: Fix CVE-2026-3731

[Deepak Rathore]

[-- Attachment #1: Type: text/plain, Size: 398 bytes --]

Hi Gyorgy Sarvari,

This CVE is fixed in libssh-0.12.0 tag and master branch which is major upgrade for master branch. Please refer below URL:
projects/libssh.git - libssh shared repository ( https://git.libssh.org/projects/libssh.git/commit/?h=libssh-0.12.0&id=855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60 )

Please suggest if we can upgrade to libssh-0.12.0 release or not.

Regards,
Deepak

[-- Attachment #2: Type: text/html, Size: 529 bytes --]

Re: [oe] [meta-openembedded][master][PATCH] libssh 0.11.3: Fix CVE-2026-3731

[Gyorgy Sarvari]

On 3/10/26 16:13, Deepak Rathore via lists.openembedded.org wrote:
> Hi Gyorgy Sarvari,
>  
> This CVE is fixed in libssh-0.12.0 tag and master branch which is
> major upgrade for master branch. Please refer below URL:
> projects/libssh.git - libssh shared repository
> <https://git.libssh.org/projects/libssh.git/commit/?h=libssh-0.12.0&id=855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60>
>  
> Please suggest if we can upgrade to libssh-0.12.0 release or not.

Certainly you can - the Stable/LTS policy for frozen major versions is
only valid for the named branches.
Master branch can take all version updates anytime, without any special
process.

>  
> Regards,
> Deepak
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#125033): https://lists.openembedded.org/g/openembedded-devel/message/125033
> Mute This Topic: https://lists.openembedded.org/mt/118239463/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>