rpms/libssh
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c9s
libssh/CVE-2026-0964.patch
Pavol Žáčik 048ffad847
Backport low/medium CVE patches 
Resolves: RHEL-150661
Resolves: CVE-2025-4877
Resolves: CVE-2025-4878
Resolves: CVE-2025-5351
Resolves: CVE-2025-8114
Resolves: CVE-2025-8277
Resolves: CVE-2026-0964
Resolves: CVE-2026-0965
Resolves: CVE-2026-0966
Resolves: CVE-2026-0967
Resolves: CVE-2026-0968
2026-02-19 18:50:28 +01:00

43 lines
1.5 KiB
Diff
Raw Permalink Blame History

From 5be2d4950b4030da2f95299e12905ea9e51dbedf Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 22 Dec 2025 19:16:44 +0100
Subject: [PATCH] CVE-2026-0964 scp: Reject invalid paths received through scp
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit daa80818f89347b4d80b0c5b80659f9a9e55e8cc)
---
src/scp.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/scp.c b/src/scp.c
index 04eb4f1b..a33af16b 100644
--- a/src/scp.c
+++ b/src/scp.c
@@ -848,6 +848,22 @@ int ssh_scp_pull_request(ssh_scp scp)
size = strtoull(tmp, NULL, 10);
p++;
name = strdup(p);
+ /* Catch invalid name:
+ * - empty ones
+ * - containing any forward slash -- directory traversal handled
+ * differently
+ * - special names "." and ".." referring to the current and parent
+ * directories -- they are not expected either
+ */
+ if (name == NULL || name[0] == '\0' || strchr(name, '/') ||
+ strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
+ ssh_set_error(scp->session,
+ SSH_FATAL,
+ "Received invalid filename: %s",
+ name == NULL ? "<NULL>" : name);
+ SAFE_FREE(name);
+ goto error;
+ }
SAFE_FREE(scp->request_name);
scp->request_name = name;
if (buffer[0] == 'C') {
--
2.53.0
Reference in New Issue View Git Blame Copy Permalink