build(ssh): patch libssh2 against CVE-2026-55200#1877
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4bda3f22da
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| ### Security | ||
|
|
||
| - Patched CVE-2026-55200 in libssh2, a critical out-of-bounds write that let a malicious SSH server corrupt memory and run code before authentication finished. It affected every SSH tunnel and jump host. |
There was a problem hiding this comment.
Rebuild the iOS libssh2 artifact before claiming the fix
When TableProMobile is built or tested, it links ../Libs/ios/LibSSH2.xcframework from the downloaded tablepro-libs-ios-v1.tar.gz, but this commit only updates the macOS .a checksums and adds patching to the future iOS rebuild script; it does not update or verify the shipped iOS xcframework. That leaves mobile SSH tunnels on the vulnerable libssh2 while the changelog says the CVE is patched, so please rebuild/upload the iOS archive before making this security claim or scope the note to macOS only.
Useful? React with 👍 / 👎.
The problem
CVE-2026-55200 (CVSS 4.0 base score 9.2, critical) is an out-of-bounds write in libssh2's
ssh2_transport_read(). A malicious SSH server can send a craftedpacket_length, corrupt the client's heap before authentication finishes, and reach remote code execution. A public PoC exists.It affects libssh2 through 1.11.1, which is what we pin. Every SSH tunnel and every jump host parses packets from a server, so this is on by default for anyone using SSH.
Why this is a patch and not a version bump
libssh2 1.11.1 is still the newest release (Oct 2024) and no release carries the fix. Upstream fixed it on master in 97acf3df (libssh2#2052), June 2026. There is nothing to bump to.
So the pinned release tarball and its SHA-256 stay exactly as they are, and the fix rides as a patch applied at build time. Switching to a GitHub commit tarball was the alternative and was rejected: those archives are auto-generated and their checksums have changed under people before, which would defeat the point of pinning.
scripts/patches/*.patchis applied to the extracted source by bothscripts/build-libssh2.shandscripts/ios/build-libssh2-ios.sh. Drop the patch and bumpLIBSSH2_VERSIONonce a release contains the fix.The upstream commit does not apply as-is
Master renamed
_libssh2_ntohu32()tossh2_ntohu32()after 1.11.1 was cut, so the patch had to be backported. Doing that surfaced the actual shape of the bug.transport.csetspacket_lengthin two places:!encrypted || !REQUIRES_FULL_PACKETbranch, which already bounds it againstLIBSSH2_PACKET_MAXPAYLOADelsebranch, taken when the cipher requires a full packet (chacha20-poly1305, AES-GCM), which only checked< 1The second one is the vulnerability. The patch adds the same guard there. The guard itself is byte-for-byte upstream's; only the function name differs.
Verification
transport.chas the bound in the previously unguarded branch.patchfailing would abort the build underset -e).transport.c.o, patched vs unpatched: the objects differ, so the patch materially changed codegen rather than being a no-op. (The compiler tail-merges the newreturn LIBSSH2_ERROR_OUT_OF_BOUNDARYinto the existing ones, so the count of-41return sites is unchanged; the branch structure is not.)libssh2_channel_direct_streamlocal_exis still exported, so feat(ssh): forward a tunnel to a Unix socket on the remote server (#1871) #1876 is unaffected.Not verified: the PoC itself was not run against the rebuilt library.
Libraries
Rebuilt and published to the
libs-v1release.scripts/publish-libs.shconfirmed every library I did not rebuild still matches the checksums at HEAD, so nothing else was silently reverted.Libs/checksums.sha256is updated for the four libssh2 entries and nothing else.Follow-up
iOS:
scripts/ios/build-libssh2-ios.shnow applies the patch too, but the xcframeworks inLibs/ios/have not been rebuilt or re-uploaded in this PR. They carry the same vulnerable code and should be rebuilt.