Update libssh2 to fix CVE-2026-55200#359
Conversation
195b3b7 to
8ddef88
Compare
|
@yodaldevoid 👋 would you be up for reviewing this? I'm realizing that I sort of transferred ownership/maintenance of this crate to others a few years back and never actually got around to transferring the github repo here out of my personal account. I see you've been the one mantaining and/or committing to this repo for the past few years hence my ask. If not, do you know of others that are still available to maintain this crate? If you'd rather hand off maintenance that's also totally fine and I can try to enlist other folks for this. Also, for some background, this affects Cargo and so the upstream Rust project would like to get some form of these fixes published to crates.io in the near future for the Rust 1.97 release next week. I can probably help out here as a one-time thing if you're otherwise busy and/or would like to hand off maintainership, though. |
|
Given that this is security relevant for Cargo, I'm happy to have this be moved under rust-lang for Cargo, with @yodaldevoid having maintainer rights, maybe also the Cargo team, and the security WG having access for dealing with this type of issue. |
|
I see nothing inherently wrong with the PR. I would have taken care of this over the weekend, including the once again broken CI, but I was away all weekend. I can get a release out later today. As for maintenance, I would be more than happy to see it moved under the rust-lang organization. I've felt for a while that I have been doing less than the bare minimum that this crate really needs. |
|
@yodaldevoid great, thanks! I'm not sure what's going on with CI, I assume it's already broken |
|
I'm happy to do that if you're happy, but I'd caution in the sense that I don't think it would procure more maintainers out of thin air, it's more that folks would feel empowered to land stuff Cargo-impacting without feeling blocked on a repo that lives elsewhere. There's two other folks who have write access to this repo right now, too, as @wez and @crisidev. Would y'all still like to be maintainers of this repository/crate? If so we can make sure you're still on the list of write-approved folks after the repo transfers, but if not y'all can be removed during the transition. (thanks for the historical help regardless!) |
Correct. Though I personally do want to try and update this crate to a newer libssh2 so I hope to be doing that work regardless. And I'll probably stay subscribed to the repo and try to help out where I can. |
|
I don't have a lot of time for maintaining this package unfortunately and I have been neglecting it recently. I am sorry 😞 |
|
So, looking into the CI failure it is definitely caused by the PR. OpenSSH only implements up to SFTP v3 which doesn't support the "file is write protected" error that is seen here. It looks like the fix for CVE-2025-15661 has broken error parsing from the symlink command. This bug seems to be a part of the original patch and was fixed in libssh2/libssh2@4ed26f5. I will merge this and make a release as soon as I see that patch included in your backport. |
8ddef88 to
905141b
Compare
|
Done. |
|
Releases of both crates have been published and tags have been made. Sorry for the delay. |
This PR updates the
libssh2submodule to a backported version of1.11.1that addresses multiple recent security vulnerabilities and includes a critical follow-up bugfix:Patched Vulnerabilities:
ssh2_transport_read()due to missing bounds check onpacket_lengthin thechacha20-poly1305path.97acf3dfda80c91c3a8c9f2372546301d4a1a7a8EXT_INFOhandler inpacket.cdue to unchecked return value of_libssh2_get_string().17626857d20b3c9a1addfa45979dadcee1cd84a4sftp.c.2dae3024897e1898d389835151f4e9606227721dAdditional Fixes:
FXP_STATUSresponse insftp_symlink. This fixes a critical bug introduced by theCVE-2025-15661patch which caused the request ID to be incorrectly interpreted as the status code.4ed26f5740bdd409269ed9fb48a28bf8f565b681The submodule commit is updated to
090f23d1852a0b62e081bd12c4d05adc1c4af47a, which resides inManishearth/libssh2(branchbackport-cve-2026-55200).Note
For upstream CI to pass, these commits will need to be made available in the main
libssh2/libssh2repository, as the.gitmodulesstill points there. However, this is fully ready for packaging/release sincelibssh2-sysbundles the C source code oncargo publish. We have temporarily updated.gitmodulesto point to the fork to ensure CI runs green on this PR in the meantime.Changes:
libssh2submodule to patched1.11.1(090f23d1).libssh2-sysversion to0.3.2.ssh2version to0.9.6and update its dependency onlibssh2-systo0.3.2.Manishearth/libssh2fork to make CI green.