Skip to content

build(ssh): patch libssh2 against CVE-2026-55200#1877

Merged
datlechin merged 1 commit into
mainfrom
fix/libssh2-cve-2026-55200
Jul 14, 2026
Merged

build(ssh): patch libssh2 against CVE-2026-55200#1877
datlechin merged 1 commit into
mainfrom
fix/libssh2-cve-2026-55200

Conversation

@datlechin

Copy link
Copy Markdown
Member

The problem

CVE-2026-55200 (CVSS 4.0 base score 9.2, critical) is an out-of-bounds write in libssh2's ssh2_transport_read(). A malicious SSH server can send a crafted packet_length, corrupt the client's heap before authentication finishes, and reach remote code execution. A public PoC exists.

It affects libssh2 through 1.11.1, which is what we pin. Every SSH tunnel and every jump host parses packets from a server, so this is on by default for anyone using SSH.

Why this is a patch and not a version bump

libssh2 1.11.1 is still the newest release (Oct 2024) and no release carries the fix. Upstream fixed it on master in 97acf3df (libssh2#2052), June 2026. There is nothing to bump to.

So the pinned release tarball and its SHA-256 stay exactly as they are, and the fix rides as a patch applied at build time. Switching to a GitHub commit tarball was the alternative and was rejected: those archives are auto-generated and their checksums have changed under people before, which would defeat the point of pinning.

scripts/patches/*.patch is applied to the extracted source by both scripts/build-libssh2.sh and scripts/ios/build-libssh2-ios.sh. Drop the patch and bump LIBSSH2_VERSION once a release contains the fix.

The upstream commit does not apply as-is

Master renamed _libssh2_ntohu32() to ssh2_ntohu32() after 1.11.1 was cut, so the patch had to be backported. Doing that surfaced the actual shape of the bug.

transport.c sets packet_length in two places:

  • the !encrypted || !REQUIRES_FULL_PACKET branch, which already bounds it against LIBSSH2_PACKET_MAXPAYLOAD
  • the else branch, taken when the cipher requires a full packet (chacha20-poly1305, AES-GCM), which only checked < 1

The second one is the vulnerability. The patch adds the same guard there. The guard itself is byte-for-byte upstream's; only the function name differs.

Verification

  • The patch applies cleanly to a fresh extract of the pinned 1.11.1 tarball, and the resulting transport.c has the bound in the previously unguarded branch.
  • The real build applied it for both architectures (patch failing would abort the build under set -e).
  • Same-toolchain A/B of transport.c.o, patched vs unpatched: the objects differ, so the patch materially changed codegen rather than being a no-op. (The compiler tail-merges the new return LIBSSH2_ERROR_OUT_OF_BOUNDARY into the existing ones, so the count of -41 return sites is unchanged; the branch structure is not.)
  • Deployment targets still macOS 14.0 for all three slices.
  • libssh2_channel_direct_streamlocal_ex is still exported, so feat(ssh): forward a tunnel to a Unix socket on the remote server (#1871) #1876 is unaffected.

Not verified: the PoC itself was not run against the rebuilt library.

Libraries

Rebuilt and published to the libs-v1 release. scripts/publish-libs.sh confirmed every library I did not rebuild still matches the checksums at HEAD, so nothing else was silently reverted.

Libs/checksums.sha256 is updated for the four libssh2 entries and nothing else.

Follow-up

iOS: scripts/ios/build-libssh2-ios.sh now applies the patch too, but the xcframeworks in Libs/ios/ have not been rebuilt or re-uploaded in this PR. They carry the same vulnerable code and should be rebuilt.

@datlechin datlechin merged commit 6b066d7 into main Jul 14, 2026
3 checks passed
@datlechin datlechin deleted the fix/libssh2-cve-2026-55200 branch July 14, 2026 15:30

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4bda3f22da

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread CHANGELOG.md

### Security

- Patched CVE-2026-55200 in libssh2, a critical out-of-bounds write that let a malicious SSH server corrupt memory and run code before authentication finished. It affected every SSH tunnel and jump host.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Rebuild the iOS libssh2 artifact before claiming the fix

When TableProMobile is built or tested, it links ../Libs/ios/LibSSH2.xcframework from the downloaded tablepro-libs-ios-v1.tar.gz, but this commit only updates the macOS .a checksums and adds patching to the future iOS rebuild script; it does not update or verify the shipped iOS xcframework. That leaves mobile SSH tunnels on the vulnerable libssh2 while the changelog says the CVE is patched, so please rebuild/upload the iOS archive before making this security claim or scope the note to macOS only.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant