azurelinux-security
diff --git a/‎SPECS/erlang/CVE-2025-48038.patch‎
Lines changed: 80 additions & 0 deletions b/‎SPECS/erlang/CVE-2025-48038.patch‎
Lines changed: 80 additions & 0 deletions
@@ -0,0 +1,80 @@
+From 81eaa87eaf6b0064aebda2c142fde189b257ea36 Mon Sep 17 00:00:00 2001
+From: Jakub Witczak <[email protected]>
+Date: Wed, 27 Aug 2025 17:49:08 +0200
+Subject: [PATCH 1/2] ssh: verify file handle size limit for client data
+
+- reject handles exceeding 256 bytes (as specified for SFTP)
+---
+ lib/ssh/src/ssh_sftpd.erl | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl
+index f3d8053..5120884 100644
+--- a/lib/ssh/src/ssh_sftpd.erl
++++ b/lib/ssh/src/ssh_sftpd.erl
+@@ -222,6 +222,17 @@ handle_data(Type, ChannelId, Data0, State = #state{pending = Pending}) ->
+             handle_data(Type, ChannelId, Data, State#state{pending = <<>>})
+     end.
+ 
++%% From draft-ietf-secsh-filexfer-02 "The file handle strings MUST NOT be longer than 256 bytes."
++handle_op(Request, ReqId, <<?UINT32(HLen), _/binary>>, State = #state{xf = XF})
++  when (Request == ?SSH_FXP_CLOSE orelse
++        Request == ?SSH_FXP_FSETSTAT orelse
++        Request == ?SSH_FXP_FSTAT orelse
++        Request == ?SSH_FXP_READ orelse
++        Request == ?SSH_FXP_READDIR orelse
++        Request == ?SSH_FXP_WRITE),
++       HLen > 256 ->
++    ssh_xfer:xf_send_status(XF, ReqId, ?SSH_FX_INVALID_HANDLE, "Invalid handle"),
++    State;
+ handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) ->
+     XF = State#state.xf,
+     Vsn = lists:min([XF#ssh_xfer.vsn, Version]),
+-- 
+2.45.4
+
+
+From 7380d99c3e69f0732276e4667d4260fbdbd4a5a3 Mon Sep 17 00:00:00 2001
+From: Jakub Witczak <[email protected]>
+Date: Wed, 27 Aug 2025 17:49:53 +0200
+Subject: [PATCH 2/2] ssh: code formatting
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://patch-diff.githubusercontent.com/raw/erlang/otp/pull/10156.patch
+---
+ lib/ssh/src/ssh_sftpd.erl | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl
+index 5120884..fec6527 100644
+--- a/lib/ssh/src/ssh_sftpd.erl
++++ b/lib/ssh/src/ssh_sftpd.erl
+@@ -240,7 +240,7 @@ handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) ->
+     ssh_xfer:xf_send_reply(XF1, ?SSH_FXP_VERSION, <<?UINT32(Vsn)>>),
+     State#state{xf = XF1};
+ handle_op(?SSH_FXP_REALPATH, ReqId,
+-	  <<?UINT32(Rlen), RPath:Rlen/binary>>,
++	  <<?UINT32(RLen), RPath:RLen/binary>>,
+ 	  State0) ->
+     RelPath = relate_file_name(RPath, State0, _Canonicalize=false),
+     {Res, State} = resolve_symlinks(RelPath, State0),
+@@ -409,14 +409,12 @@ handle_op(?SSH_FXP_RMDIR, ReqId, <<?UINT32(PLen), BPath:PLen/binary>>,
+     send_status(Status, ReqId, State1);
+ 
+ handle_op(?SSH_FXP_RENAME, ReqId,
+-  	  Bin = <<?UINT32(PLen), _:PLen/binary, ?UINT32(PLen2),
+-  		 _:PLen2/binary>>,
++  	  Bin = <<?UINT32(PLen), _:PLen/binary, ?UINT32(PLen2), _:PLen2/binary>>,
+   	  State = #state{xf = #ssh_xfer{vsn = Vsn}}) when Vsn==3; Vsn==4  ->
+     handle_op(?SSH_FXP_RENAME, ReqId, <<Bin/binary, 0:32>>, State);
+ 
+ handle_op(?SSH_FXP_RENAME, ReqId,
+-	  <<?UINT32(PLen), BPath:PLen/binary, ?UINT32(PLen2), 
+-	   BPath2:PLen2/binary, ?UINT32(Flags)>>,
++	  <<?UINT32(PLen), BPath:PLen/binary, ?UINT32(PLen2), BPath2:PLen2/binary, ?UINT32(Flags)>>,
+ 	  State0 = #state{file_handler = FileMod, file_state = FS0}) ->
+     Path = relate_file_name(BPath, State0),
+     Path2 = relate_file_name(BPath2, State0),
+-- 
+2.45.4
+