libssh2: apply patch for CVE-2026-7598

(cherry picked from commit df1eba6695)
2026-06-05 21:03:40 +00:00 · 2026-05-03 14:40:33 +02:00
parent e9fe3f1abb
commit 50b848d952
2 changed files with 43 additions and 0 deletions
--- a/pkgs/by-name/li/libssh2/CVE-2026-7598.patch
+++ b/pkgs/by-name/li/libssh2/CVE-2026-7598.patch
@@ -0,0 +1,38 @@
+diff --git a/src/userauth.c b/src/userauth.c
+index f8e02651c4..43d9ab9b9d 100644
+--- a/src/userauth.c
+++ b/src/userauth.c
+@@ -80,6 +80,12 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
+         memset(&session->userauth_list_packet_requirev_state, 0,
+                sizeof(session->userauth_list_packet_requirev_state));
+ 
+        if(username_len > UINT32_MAX - 27) {
+            _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+                           "username_len out of bounds");
+            return NULL;
+        }
+
+         session->userauth_list_data_len = username_len + 27;
+ 
+         if(session->userauth_list_data) {
+@@ -316,6 +322,11 @@ userauth_password(LIBSSH2_SESSION *session,
+          * 40 = packet_type(1) + username_len(4) + service_len(4) +
+          * service(14)"ssh-connection" + method_len(4) + method(8)"password" +
+          * chgpwdbool(1) + password_len(4) */
+        if(username_len > UINT32_MAX - 40) {
+            return _libssh2_error(session, LIBSSH2_ERROR_PROTO,
+                                  "username_len out of bounds");
+        }
+
+         session->userauth_pswd_data_len = username_len + 40;
+ 
+         session->userauth_pswd_data0 =
+@@ -456,7 +467,7 @@ userauth_password(LIBSSH2_SESSION *session,
+                         }
+ 
+                         /* basic data_len + newpw_len(4) */
+-                        if(username_len + password_len + 44 <= UINT_MAX) {
+                        if(username_len <= UINT32_MAX - password_len - 44) {
+                             session->userauth_pswd_data_len =
+                                 username_len + password_len + 44;
+                             s = session->userauth_pswd_data =
--- a/pkgs/by-name/li/libssh2/package.nix
+++ b/pkgs/by-name/li/libssh2/package.nix
@@ -23,6 +23,11 @@ stdenv.mkDerivation rec {
    hash = "sha256-2ex2y+NNuY7sNTn+LImdJrDIN8s+tGalaw8QnKv2WPc=";
  };

+  patches = [
+    # https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1
+    ./CVE-2026-7598.patch
+  ];
+
  # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion
  # necessary for FreeBSD code path in configure
  postPatch = ''