From c5526c5ec7deb215f6b807dd698087a59fedcb4c Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Sat, 13 Sep 2025 17:41:52 +0800
Subject: [PATCH] Fix CVE-2025-48038 (cherry picked from commit b4d18cce5277e1ad15f4aeab82bed0fb2ba4bb54)
---
 CVE-2025-48038.patch | 72 ++++++++++++++++++++++++++++++++++++++++++++
 erlang.spec | 7 +++--
 2 files changed, 77 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2025-48038.patch
diff --git a/CVE-2025-48038.patch b/CVE-2025-48038.patch
new file mode 100644
index 0000000..4c95c71
--- /dev/null
+++ b/CVE-2025-48038.patch
@@ -0,0 +1,72 @@
+From 4e3bf86777ab3db7220c11d8ddabf15970ddd10a Mon Sep 17 00:00:00 2001
+From: Jakub Witczak
+Date: Wed, 27 Aug 2025 17:49:08 +0200
+Subject: [PATCH 1/2] ssh: verify file handle size limit for client data
+
+- reject handles exceeding 256 bytes (as specified for SFTP)
+---
+ lib/ssh/src/ssh_sftpd.erl | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl
+index e7c51cc94812..eb8637eca8ce 100644
+--- a/lib/ssh/src/ssh_sftpd.erl
++++ b/lib/ssh/src/ssh_sftpd.erl
+@@ -259,6 +259,17 @@ handle_data(Type, ChannelId, Data0, State = #state{pending = Pending}) ->
+ handle_data(Type, ChannelId, Data, State#state{pending = <<>>})
+ end.
+
++%% From draft-ietf-secsh-filexfer-02 "The file handle strings MUST NOT be longer than 256 bytes."
++handle_op(Request, ReqId, <>, State = #state{xf = XF})
++ when (Request == ?SSH_FXP_CLOSE orelse
++ Request == ?SSH_FXP_FSETSTAT orelse
++ Request == ?SSH_FXP_FSTAT orelse
++ Request == ?SSH_FXP_READ orelse
++ Request == ?SSH_FXP_READDIR orelse
++ Request == ?SSH_FXP_WRITE),
++ HLen > 256 ->
++ ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_INVALID_HANDLE, "Invalid handle"),
++ State;
+ handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) ->
+ XF = State#state.xf,
+ Vsn = lists:min([XF#ssh_xfer.vsn, Version]),
+
+From ef4e1cb7658192e9b43530292908932b63763517 Mon Sep 17 00:00:00 2001
+From: Jakub Witczak
+Date: Wed, 27 Aug 2025 17:49:53 +0200
+Subject: [PATCH 2/2] ssh: code formatting
+
+---
+ lib/ssh/src/ssh_sftpd.erl | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl
+index eb8637eca8ce..58f4f065e080 100644
+--- a/lib/ssh/src/ssh_sftpd.erl
++++ b/lib/ssh/src/ssh_sftpd.erl
+@@ -277,7 +277,7 @@ handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) ->
+ ssh_xfer:xf_send_reply(XF1, ?SSH_FXP_VERSION, <>),
+ State#state{xf = XF1};
+ handle_op(?SSH_FXP_REALPATH, ReqId,
+-
<>,
++ <>,
+ State0) ->
+ RelPath = relate_file_name(RPath, State0, _Canonicalize=false),
+ {Res, State} = resolve_symlinks(RelPath, State0),
+@@ -446,14 +446,12 @@ handle_op(?SSH_FXP_RMDIR, ReqId, <>,
+ send_status(Status, ReqId, State1);
+
+ handle_op(?SSH_FXP_RENAME, ReqId,
+- Bin = <>,
++ Bin = <>,
+ State = #state{xf = #ssh_xfer{vsn = Vsn}}) when Vsn==3; Vsn==4 ->
+ handle_op(?SSH_FXP_RENAME, ReqId, <>, State);
+
+ handle_op(?SSH_FXP_RENAME, ReqId,
+- <>,
++ <>,
+ State0 = #state{file_handler = FileMod, file_state = FS0}) ->
+ Path = relate_file_name(BPath, State0),
+ Path2 = relate_file_name(BPath2, State0),
diff --git a/erlang.spec b/erlang.spec
index 3ea1c86..2a35e36 100644
--- a/erlang.spec
+++ b/erlang.spec
@@ -10,7 +10,7 @@
 %global __with_sources 1
 Name: erlang
 Version: 25.3.2.6
-Release: 9
+Release: 10
 Summary: General-purpose programming language and runtime environment
 License: Apache-2.0
 URL: https://www.erlang.org
@@ -44,7 +44,7 @@ Patch21: CVE-2025-46712-1.patch
 Patch22: CVE-2025-46712-2.patch
 Patch23: CVE-2025-4748.patch
 Patch24: otp-0024-Add-Sw64-port.patch
-
+Patch25: CVE-2025-48038.patch
 BuildRequires: gcc gcc-c++ flex make
 %if %{with doc}
@@ -1767,6 +1767,9 @@ useradd -r -g epmd -d /dev/null -s /sbin/nologin \
 %endif
 %changelog
+* Sat Sep 13 2025 Funda Wang - 25.3.2.6-10
+- Fix CVE-2025-48038
+
 * Mon Jul 14 2025 compiler -25.3.2.6-9
 - Add sw_64 port
-- Gitee
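Review bot: The added `handle_op` clause in the bundled `ssh_sftpd.erl` patch only enforces the 256-byte handle limit while it stays ahead of the per-request clauses (those lie outside the hunk), and neither the comment nor a test records that. I would extend the comment with `%% Keep this clause before the per-request handle_op clauses so the length check runs before they match.` and carry a test that sends a 257-byte handle for one of the six listed requests and expects `?SSH_FX_INVALID_HANDLE`, plus a 256-byte handle that is still accepted. The binary pattern is rendered as `<>` on this page, so I am assuming `HLen` is bound from the handle's length prefix; that should be confirmed against commit 4e3bf86777ab3db7220c11d8ddabf15970ddd10a. The clause returns `State` unchanged and writes no log entry, so repeated oversized-handle requests are visible only in the status replies; a log line here would help detection if the module already has a logging convention, which this hunk does not show.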