
[AutoPR- Security] Patch libssh for CVE-2026-3731 [MEDIUM]#16159

Open
azurelinux-security wants to merge 1 commit into microsoft:3.0-dev from azurelinux-security:azure-autosec/libssh/3.0/1067127

Conversation

@azurelinux-security (Contributor) commented Mar 11, 2026

Auto Patch libssh for CVE-2026-3731.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1067127&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

microsoft-github-policy-service bot added labels Packaging and 3.0-dev (PRs Destined for AzureLinux 3.0) on Mar 11, 2026
Kanishk-Bansal marked this pull request as ready for review on March 11, 2026 08:13
Kanishk-Bansal requested a review from a team as a code owner on March 11, 2026 08:13
@azurelinux-security (Contributor, Author) commented

🔒 CVE Patch Review: CVE-2026-3731

PR #16159 — [AutoPR- Security] Patch libssh for CVE-2026-3731 [MEDIUM]
Package: libssh | Branch: 3.0-dev


Spec File Validation

| Check | Status | Detail |
| --- | --- | --- |
| Release bump | | Release bumped 5 → 6 |
| Patch entry | | Patch entries added: ['CVE-2026-3731.patch'] (covers ['CVE-2026-3731']) |
| Patch application | | %autosetup found in full spec; patches applied automatically |
| Changelog | | Changelog entry looks good |
| Signatures | | No source tarball changes; signatures N/A |
| Manifests | | Not a toolchain PR; manifests N/A |

Build Verification

  • Build status: ❌ FAILED
  • Artifact downloaded:
  • CVE applied during build:
  • Errors (2):
    • L66: time="2026-03-11T06:12:06Z" level=debug msg="Error: Failed to synchronize cache for repo 'Azure Linux Official Base 3.0 x86_64'"
    • L78: time="2026-03-11T06:12:09Z" level=debug msg="Error: Failed to synchronize cache for repo 'Azure Linux Official Base 3.0 x86_64'"
  • Warnings (273):
    • L451: time="2026-03-11T06:12:18Z" level=debug msg="CMake Warning:"
    • L698: time="2026-03-11T06:12:20Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:128:3: warning: 'publickey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L707: time="2026-03-11T06:12:20Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:132:5: warning: 'privatekey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L713: time="2026-03-11T06:12:20Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:135:5: warning: 'privatekey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L719: time="2026-03-11T06:12:20Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:142:3: warning: 'privatekey_free' is deprecated [-Wdeprecated-declarations]"
    • L726: time="2026-03-11T06:12:20Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:294:3: warning: 'ssh_channel_select' is deprecated [-Wdeprecated-declarations]"
    • L733: time="2026-03-11T06:12:20Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:744:5: warning: 'publickey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L756: time="2026-03-11T06:12:20Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:128:3: warning: 'publickey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L765: time="2026-03-11T06:12:20Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:132:5: warning: 'privatekey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L771: time="2026-03-11T06:12:20Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:135:5: warning: 'privatekey_from_file' is deprecated [-Wdeprecated-declarations]"
    • … and 263 more

🤖 AI Build Log Analysis

  • Risk: medium
  • Summary: The libssh 0.10.6-6.azl3 build completed successfully with the CVE-2026-3731 patch (and several 2025 CVE patches) applied during %prep using strict fuzz=0; compilation, linking, and installation all succeeded and RPMs were produced. There were some non-fatal repository/network errors when attempting to install packages (including ccache), and minor warnings (hostname canonicalization and a CMake deprecation notice). Tests were not executed (--nocheck), but no build or link errors occurred.
  • AI-detected issues:
    • tdnf: Could not resolve hostname; failed to synchronize cache for repo 'Azure Linux Official Base 3.0 x86_64' during dependency installation.
    • tdnf: Could not resolve hostname; failed to install 'ccache' for USE_CCACHE (non-fatal since ccache was already present in the environment).
  • AI-detected warnings:
    • rpmbuild warning: Could not canonicalize hostname: e83c08c1c000000.
    • CMake deprecation warning: project retains compatibility with CMake < 3.5 and may require updating cmake_minimum_required in the future.

🧪 Test Log Analysis

  • Test status: ❌ FAILED
  • Test errors (682):
    • L4540: time="2026-03-11T06:12:56Z" level=debug msg="Connection failed : Socket error: Connection reset by peer"
    • L4542: time="2026-03-11T06:12:56Z" level=debug msg="Connection failed : Socket error: Connection reset by peer"
    • L4544: time="2026-03-11T06:12:56Z" level=debug msg="Connection failed : Socket error: Connection reset by peer"
    • L4546: time="2026-03-11T06:12:56Z" level=debug msg="Connection failed : Socket error: Connection reset by peer"
    • L4548: time="2026-03-11T06:12:56Z" level=debug msg="Connection failed : Socket error: Connection reset by peer"
    • L4550: time="2026-03-11T06:12:56Z" level=debug msg="Connection failed : Socket error: Connection reset by peer"
    • L4552: time="2026-03-11T06:12:56Z" level=debug msg="Connection failed : Socket error: Connection reset by peer"
    • L4554: time="2026-03-11T06:12:56Z" level=debug msg="Connection failed : Socket error: Connection reset by peer"
    • L4556: time="2026-03-11T06:12:56Z" level=debug msg="Connection failed : Socket error: Connection reset by peer"
    • L4558: time="2026-03-11T06:12:56Z" level=debug msg="Connection failed : Socket error: Connection reset by peer"
    • … and 672 more
  • Test warnings (273):
    • L445: time="2026-03-11T06:12:34Z" level=debug msg="CMake Warning:"
    • L675: time="2026-03-11T06:12:34Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:128:3: warning: 'publickey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L684: time="2026-03-11T06:12:34Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:132:5: warning: 'privatekey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L690: time="2026-03-11T06:12:34Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:135:5: warning: 'privatekey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L696: time="2026-03-11T06:12:34Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:142:3: warning: 'privatekey_free' is deprecated [-Wdeprecated-declarations]"
    • L703: time="2026-03-11T06:12:34Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:294:3: warning: 'ssh_channel_select' is deprecated [-Wdeprecated-declarations]"
    • L710: time="2026-03-11T06:12:34Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:744:5: warning: 'publickey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L733: time="2026-03-11T06:12:34Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:128:3: warning: 'publickey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L742: time="2026-03-11T06:12:34Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:132:5: warning: 'privatekey_from_file' is deprecated [-Wdeprecated-declarations]"
    • L748: time="2026-03-11T06:12:34Z" level=debug msg="/usr/src/azl/BUILD/libssh-0.10.6/src/legacy.c:135:5: warning: 'privatekey_from_file' is deprecated [-Wdeprecated-declarations]"

🤖 AI Test Log Analysis

  • Risk: high
  • Summary: The libssh test suite did not pass after applying the CVE-2026-3731 patch. CTest reports 40 failures out of 61 tests (34% passed), and the logs show multiple crashes (core dump) and memory corruption indications ("free(): invalid pointer"). Notably, three cipher/HMAC overlap unit tests failed, which appear directly related to the CVE area. Many client/server, authentication, knownhosts, proxycommand, SCP, and SFTP tests failed or aborted, often following connection failures and crashes. Despite these failures, the %check step exited with status 0 and the package build proceeded, indicating test failures were not gating.
  • AI-detected test issues:
    • CTest summary: 34% tests passed, 40 tests failed out of 61
    • Core dump during tests: "/usr/bin/timeout: the monitored command dumped core" followed by repeated "free(): invalid pointer" messages, indicating memory corruption/double-free
    • Algorithm overlap tests failed: torture_algorithm_chacha20_with_no_hmac_overlap, torture_algorithm_aes256gcm_with_no_hmac_overlap, torture_algorithm_aes128gcm_with_no_hmac_overlap; assertion at tests/torture.c:1108 (0x1 != 0) suggests detected MAC/cipher buffer overlap when none should occur
    • Multiple tests aborted (crashed): 7 - torture_misc (Subprocess aborted), 8 - torture_config (Subprocess aborted), 9 - torture_options (Subprocess aborted), 11 - torture_knownhosts_parsing (Subprocess aborted), 13 - torture_packet_filter (Subprocess aborted), 19 - torture_packet (Subprocess aborted), 20 - torture_keyfiles (Subprocess aborted), 21 - torture_pki (Subprocess aborted), 22 - torture_pki_rsa (Subprocess aborted), 23 - torture_pki_ed25519 (Subprocess aborted), 27 - torture_pki_rsa_uri (Subprocess aborted), 28 - torture_pki_ecdsa_uri (Subprocess aborted), 29 - torture_pki_ecdsa (Subprocess aborted), 34 - torture_threads_pki_rsa (Subprocess aborted), 56 - pkd_hello_i1 (Subprocess aborted), 57 - pkd_hello_rekey (Subprocess aborted)
    • Functional tests failed (likely due to connection failures and/or crashes): 35 - torture_algorithms (Failed), 36 - torture_client_config (Failed), 37 - torture_connect (Failed), 38 - torture_hostkey (Failed), 39 - torture_auth (Failed), 40 - torture_forward (Failed), 41 - torture_knownhosts (Failed), 42 - torture_knownhosts_verify (Failed), 43 - torture_proxycommand (Failed), 44 - torture_session (Failed), 45 - torture_request_env (Failed), 46 - torture_client_global_requests (Failed), 47 - torture_scp (Failed), 48 - torture_auth_pkcs11 (Failed), 49 - torture_sftp_init (Failed), 51 - torture_sftp_canonicalize_path (Failed), 52 - torture_sftp_dir (Failed), 53 - torture_sftp_read (Failed), 54 - torture_sftp_fsync (Failed), 55 - torture_override (Failed), 58 - torture_server (Failed), 59 - torture_server_auth_kbdint (Failed), 60 - torture_server_config (Failed), 61 - torture_server_algorithms (Failed)
    • Repeated "Connection failed: Failed to connect: Connection refused" preceding or accompanying failures, suggesting the test server/client handshake failed, possibly due to crashes

Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary: The PR applies the same logical fix as upstream by changing the bounds checks in sftp_extensions_get_name and sftp_extensions_get_data from idx > count to idx >= count, preventing an out-of-bounds read when idx equals the number of extensions. The differences are limited to whitespace/indentation and packaging metadata, indicating a straightforward backport to a different codebase version.

Detailed analysis

  1. Core fix equivalence: The upstream patch changes two checks in src/sftp.c from 'if (idx > sftp->ext->count)' to 'if (idx >= sftp->ext->count)' in the functions sftp_extensions_get_name and sftp_extensions_get_data. The PR patch makes the same logical changes in the same two functions.

  2. Context and structural differences: The PR patch targets a different revision of src/sftp.c (line ranges ~768 and ~784 vs. upstream ~587 and ~606), and the local coding style shows different brace placement and indentation. The PR also introduces an indentation change on the modified 'if' lines (two extra spaces). These are cosmetic and have no effect on behavior.

  3. Packaging/metadata: The PR adds the patch as SPECS/libssh/CVE-2026-3731.patch, includes an extra Signed-off-by for Azure Linux and an Upstream-reference URL. The commit hash in the patch header differs (7e85a3… vs. upstream f80670…), which is normal for downstream packaging. None of these affect functionality.

  4. Missing hunks: None. Both upstream hunks are present and adapted to the downstream file context.

  5. Risk and regression considerations: The change tightens the bounds check to reject idx == count, which is correct for a zero-based array of length 'count' and prevents the out-of-bounds read at the heart of the CVE. This may cause callers erroneously using idx == count to now receive an error, which is the intended behavior and matches upstream. No other logic is modified, so regression risk is low.

Conclusion: This is a faithful backport of the upstream fix with only cosmetic differences and packaging adjustments.

Raw diff (upstream vs PR)
--- upstream
+++ pr
@@ -1,40 +1,48 @@
-From f80670a7aba86cbb442c9b115c9eaf4ca04601b8 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Thu, 11 Dec 2025 13:22:44 +0100
-Subject: sftp: Fix out-of-bound read from sftp extensions
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
-(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
----
- src/sftp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/sftp.c b/src/sftp.c
-index c9f82912a..d12901230 100644
---- a/src/sftp.c
-+++ b/src/sftp.c
-@@ -587,7 +587,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx)
-         return NULL;
-     }
- 
--    if (idx > sftp->ext->count) {
-+    if (idx >= sftp->ext->count) {
-         ssh_set_error_invalid(sftp->session);
-         return NULL;
-     }
-@@ -606,7 +606,7 @@ const char *sftp_extensions_get_data(sftp_session sftp, unsigned int idx)
-         return NULL;
-     }
- 
--    if (idx > sftp->ext->count) {
-+    if (idx >= sftp->ext->count) {
-         ssh_set_error_invalid(sftp->session);
-         return NULL;
-     }
--- 
-cgit v1.2.3
-
+diff --git a/SPECS/libssh/CVE-2026-3731.patch b/SPECS/libssh/CVE-2026-3731.patch
+new file mode 100644
+index 00000000000..cab6f3cb20c
+--- /dev/null
++++ b/SPECS/libssh/CVE-2026-3731.patch
+@@ -0,0 +1,42 @@
++From 7e85a3106d43699b1662d46480b377bfc55fcbbf Mon Sep 17 00:00:00 2001
++From: Jakub Jelen <jjelen@redhat.com>
++Date: Thu, 11 Dec 2025 13:22:44 +0100
++Subject: [PATCH] sftp: Fix out-of-bound read from sftp extensions
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++Signed-off-by: Jakub Jelen <jjelen@redhat.com>
++Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
++(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
++Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
++Upstream-reference: https://git.libssh.org/projects/libssh.git/patch/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8
++---
++ src/sftp.c | 4 ++--
++ 1 file changed, 2 insertions(+), 2 deletions(-)
++
++diff --git a/src/sftp.c b/src/sftp.c
++index e01012a..e55f5e1 100644
++--- a/src/sftp.c
+++++ b/src/sftp.c
++@@ -768,7 +768,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) {
++     return NULL;
++   }
++ 
++-  if (idx > sftp->ext->count) {
+++    if (idx >= sftp->ext->count) {
++     ssh_set_error_invalid(sftp->session);
++     return NULL;
++   }
++@@ -784,7 +784,7 @@ const char *sftp_extensions_get_data(sftp_session sftp, unsigned int idx) {
++     return NULL;
++   }
++ 
++-  if (idx > sftp->ext->count) {
+++    if (idx >= sftp->ext->count) {
++     ssh_set_error_invalid(sftp->session);
++     return NULL;
++   }
++-- 
++2.45.4
++
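Review bot: the replacement lines in both src/sftp.c hunks of the PR patch (`+++    if (idx >= sftp->ext->count) {` at the ~768 and ~784 hunks) are indented four spaces while the removed line (`++-  if (idx > sftp->ext->count) {`) and the surrounding context use two; keep the file's two-space indentation (`  if (idx >= sftp->ext->count) {`) so the backport does not carry a stray whitespace change into a file that otherwise uses a consistent style. The logic itself matches upstream: both sftp_extensions_get_name and sftp_extensions_get_data move from `>` to `>=`, which is the entire fix.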

Verdict

CHANGES REQUESTED — Please address the issues flagged above.
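The patch analysis above turns on a single comparison: with a zero-based array of `count` entries, `idx > count` lets `idx == count` through and reads one element past the end, while `idx >= count` rejects it. The following is an added example, not libssh code and not part of this PR; it uses a stand-in structure whose field names mirror the hunk context (`count`, `name`) but whose layout is assumed, and it places a labelled sentinel entry right after the last valid element so that the pre-fix read at `idx == count` lands on the sentinel instead of on undefined memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example (not libssh code): minimal stand-in for libssh's sftp->ext,
 * holding the extension names the server advertised. Layout is assumed. */
struct sftp_ext_struct {
    unsigned int count;   /* number of valid entries in name[] */
    const char **name;
};

/* Pre-fix check (the '-' line of the hunk): idx == count passes the test
 * and indexes one element past the last valid entry. */
const char *ext_get_name_before_fix(const struct sftp_ext_struct *ext, unsigned int idx)
{
    if (ext == NULL || ext->count == 0) {
        return NULL;
    }
    if (idx > ext->count) {       /* off-by-one: lets idx == count through */
        return NULL;
    }
    return ext->name[idx];
}

/* Post-fix check (the '+' line of the hunk): valid indices are 0..count-1. */
const char *ext_get_name_after_fix(const struct sftp_ext_struct *ext, unsigned int idx)
{
    if (ext == NULL || ext->count == 0) {
        return NULL;
    }
    if (idx >= ext->count) {      /* rejects idx == count */
        return NULL;
    }
    return ext->name[idx];
}

/* Constructed sample: two advertised extensions plus one sentinel slot placed
 * directly after the last valid entry, so the out-of-bounds read is observable
 * without undefined behaviour. Only count == 2 entries are "real". */
static const char *sample_names[] = {
    "posix-rename@openssh.com",
    "statvfs@openssh.com",
    "<<SENTINEL: one past the end>>",
};

static const struct sftp_ext_struct sample_ext = { 2, sample_names };

/* Returns 1 if the pre-fix check lets idx == count reach the sentinel. */
int before_fix_reads_past_end(void)
{
    const char *p = ext_get_name_before_fix(&sample_ext, sample_ext.count);
    return p == sample_names[2];
}

/* Returns 1 if the post-fix check rejects idx == count with NULL. */
int after_fix_rejects_past_end(void)
{
    return ext_get_name_after_fix(&sample_ext, sample_ext.count) == NULL;
}

int main(void)
{
    printf("before fix, idx == count -> %s\n",
           ext_get_name_before_fix(&sample_ext, sample_ext.count));
    printf("after fix,  idx == count -> %s\n",
           ext_get_name_after_fix(&sample_ext, sample_ext.count) ? "non-NULL" : "NULL");
    printf("after fix,  idx == 1     -> %s\n",
           ext_get_name_after_fix(&sample_ext, 1));
    return 0;
}
```

In the real library there is no sentinel: the element at `name[count]` is whatever follows the allocation, which is why the report classifies the bug as an out-of-bounds read. The sample also shows why the analysis calls the behaviour change for `idx == count` intended rather than a regression: that index never named a valid extension.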
