Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions SPECS/erlang/CVE-2026-54886.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
From 397e0ee405e3dc69c6eb231f11bbdb065677d4dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20W=C4=85sowski?= <michal@erlang.org>
Date: Thu, 25 Jun 2026 11:33:33 +0200
Subject: [PATCH] Fix extended data infinite loop in sftpd

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/erlang/otp/commit/eaf9550b8ad4738b81149d3f617102d980c6dd18.patch
---
lib/ssh/src/ssh_sftpd.erl | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl
index ea29fb7..8de37bd 100644
--- a/lib/ssh/src/ssh_sftpd.erl
+++ b/lib/ssh/src/ssh_sftpd.erl
@@ -208,7 +208,7 @@ handle_data(0, ChannelId, <<?UINT32(Len), Msg:Len/binary, Rest/binary>>,
end;
handle_data(0, _ChannelId, Data, State = #state{pending = <<>>}) ->
{ok, State#state{pending = Data}};
-handle_data(Type, ChannelId, Data0, State = #state{pending = Pending}) ->
+handle_data(0, ChannelId, Data0, State = #state{pending = Pending}) ->
Data = <<Pending/binary, Data0/binary>>,
Size = byte_size(Data),
case Size > ?SSH_MAX_PACKET_SIZE of
@@ -229,8 +229,11 @@ handle_data(Type, ChannelId, Data0, State = #state{pending = Pending}) ->
?LOG_ERROR(ReportFun, [Size]),
{stop, ChannelId, State};
_ ->
- handle_data(Type, ChannelId, Data, State#state{pending = <<>>})
- end.
+ handle_data(0, ChannelId, Data, State#state{pending = <<>>})
+ end;
+handle_data(_Type, _ChannelId, _Data, State) ->
+ %% Same as openssh sftpd, we ignore extended data
+ {ok, State}.

%% From draft-ietf-secsh-filexfer-02 "The file handle strings MUST NOT be longer than 256 bytes."
handle_op(Request, ReqId, <<?UINT32(HLen), _/binary>>, State = #state{xf = XF})
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/erlang/erlang.spec
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
Summary: erlang
Name: erlang
Version: 26.2.5.21
Release: 2%{?dist}
Release: 3%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -15,6 +15,7 @@ Patch2: CVE-2026-48858.patch
Patch3: CVE-2026-48860.patch
Patch4: CVE-2026-49759.patch
Patch5: CVE-2026-49760.patch
Patch6: CVE-2026-54886.patch
BuildRequires: ncurses-devel
BuildRequires: openssl-devel
BuildRequires: unixODBC-devel
Expand Down Expand Up @@ -59,6 +60,9 @@ export ERL_TOP=`pwd`
%{_libdir}/erlang/*

%changelog
* Mon Jul 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 26.2.5.21-3
- Patch for CVE-2026-54886

* Tue Jun 16 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 26.2.5.21-2
- Patch for CVE-2026-49760, CVE-2026-49759, CVE-2026-48860, CVE-2026-48858, CVE-2026-48856, CVE-2026-48855

Expand Down
Loading