From 2c323f88c58b02ab3d157420387928c1843d74ea Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 24 Feb 2025 11:06:53 +0800
Subject: [PATCH] Fix CVE-2025-26618
---
 CVE-2025-26618.patch | 89 ++++++++++++++++++++++++++++++++++++++++++++
 erlang.spec | 6 ++-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-26618.patch
diff --git a/CVE-2025-26618.patch b/CVE-2025-26618.patch
new file mode 100644
index 0000000..2b9e7bc
--- /dev/null
+++ b/CVE-2025-26618.patch
@@ -0,0 +1,89 @@ +From 0ed2573cbd55c92e9125c9dc70fa1ca7fed82872 Mon Sep 17 00:00:00 2001 +From: Jakub Witczak +Date: Thu, 6 Feb 2025 19:00:44 +0100 +Subject: [PATCH] ssh: sftp reject packets exceeding limit + +Origin: https://github.com/erlang/otp/commit/0ed2573cbd55c92e9125c9dc70fa1ca7fed82872 +--- + lib/ssh/src/ssh_sftpd.erl | 47 ++++++++++++++++++++++++++------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl +index c86ed2cb8199..6bcad0d056e7 100644 +--- a/lib/ssh/src/ssh_sftpd.erl ++++ b/lib/ssh/src/ssh_sftpd.erl +@@ -27,7 +27,7 @@ + -behaviour(ssh_server_channel). + + -include_lib("kernel/include/file.hrl"). +- ++-include_lib("kernel/include/logger.hrl"). + -include("ssh.hrl"). + -include("ssh_xfer.hrl"). + -include("ssh_connect.hrl"). %% For ?DEFAULT_PACKET_SIZE and ?DEFAULT_WINDOW_SIZE +@@ -128,9 +128,8 @@ init(Options) -> + %% Description: Handles channel messages + %%-------------------------------------------------------------------- + handle_ssh_msg({ssh_cm, _ConnectionManager, +- {data, _ChannelId, Type, Data}}, State) -> +- State1 = handle_data(Type, Data, State), +- {ok, State1}; ++ {data, ChannelId, Type, Data}}, State) -> ++ handle_data(Type, ChannelId, Data, State); + + handle_ssh_msg({ssh_cm, _, {eof, ChannelId}}, State) -> + {stop, ChannelId, State}; +@@ -187,24 +186,42 @@ terminate(_, #state{handles=Handles, file_handler=FileMod, file_state=FS}) -> + %%-------------------------------------------------------------------- + %%% Internal functions + %%-------------------------------------------------------------------- +-handle_data(0, <>, ++handle_data(0, ChannelId, <>, + State = #state{pending = <<>>}) -> + <> = Msg, + NewState = handle_op(Op, ReqId, Data, State), + case Rest of + <<>> -> +- NewState; ++ {ok, NewState}; + _ -> +- handle_data(0, Rest, NewState) ++ handle_data(0, ChannelId, Rest, NewState) + end; +- +-handle_data(0, Data, State = #state{pending = <<>>}) 
-> +- State#state{pending = Data}; +- +-handle_data(Type, Data, State = #state{pending = Pending}) -> +- handle_data(Type, <>, +- State#state{pending = <<>>}). +- ++handle_data(0, _ChannelId, Data, State = #state{pending = <<>>}) -> ++ {ok, State#state{pending = Data}}; ++handle_data(Type, ChannelId, Data0, State = #state{pending = Pending}) -> ++ Data = <>, ++ Size = byte_size(Data), ++ case Size > ?SSH_MAX_PACKET_SIZE of ++ true -> ++ ReportFun = ++ fun([S]) -> ++ Report = ++ #{label => {error_logger, error_report}, ++ report => ++ io_lib:format("SFTP packet size (~B) exceeds the limit!", ++ [S])}, ++ Meta = ++ #{error_logger => ++ #{tag => error_report,type => std_error}, ++ report_cb => fun(#{report := Msg}) -> {Msg, []} end}, ++ {Report, Meta} ++ end, ++ ?LOG_ERROR(ReportFun, [Size]), ++ {stop, ChannelId, State}; ++ _ -> ++ handle_data(Type, ChannelId, Data, State#state{pending = <<>>}) ++ end. ++ + handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) -> + XF = State#state.xf, + Vsn = lists:min([XF#ssh_xfer.vsn, Version]), diff --git a/erlang.spec b/erlang.spec index 9fd5dea..8ab3253 100644 --- a/erlang.spec +++ b/erlang.spec @@ -10,7 +10,7 @@ %global __with_sources 1 Name: erlang Version: 25.3.2.6 -Release: 3 +Release: 4 Summary: General-purpose programming language and runtime environment License: Apache-2.0 URL: https://www.erlang.org @@ -33,6 +33,7 @@ Patch10: otp-0010-configure.ac-C99-fix-for-ERTS___AFTER_MORECORE_HOO Patch11: otp-0011-configure.ac-C99-fixes-for-poll_works-check.patch Patch12: otp-0012-Revert-Do-not-install-erlang-sources.patch Patch13: CVE-2023-48795.patch +Patch14: CVE-2025-26618.patch BuildRequires: gcc gcc-c++ flex make %if %{with doc} @@ -1755,6 +1756,9 @@ useradd -r -g epmd -d /dev/null -s /sbin/nologin \ %endif %changelog +* Mon Feb 24 2025 yaoxin <1024769339@qq.com> - 25.3.2.6-4 +- Fix CVE-2025-26618 + * Wed May 15 2024 zhangzikang - 25.3.2.6-3 - Fix build error for loongarch64
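Review bot: The size limit in the embedded `ssh_sftpd.erl` change is enforced only in the catch-all `handle_data(Type, ChannelId, Data0, ...)` clause, and it is measured on the whole reassembly buffer (`byte_size(Data)`) rather than on the length field of the SFTP packet. The second clause, `handle_data(0, _ChannelId, Data, ...)`, still stores the first incomplete chunk in `pending` unchecked, so an over-limit declared length is rejected only once a later chunk pushes the buffer past `?SSH_MAX_PACKET_SIZE`; conversely, a buffer that holds a partial packet plus further in-limit packets could, it seems, trip the check too. Consider rejecting on the declared length as soon as the four length bytes are available, for example a clause guarded by `when Len > ?SSH_MAX_PACKET_SIZE` that returns `{stop, ChannelId, State}`, and add a comment above the catch-all such as `%% Bounds the reassembly buffer (pending ++ new chunk), not a single packet`. The binary patterns in this hunk are rendered as `<>` on the page, so this reading rests on the visible clause heads and the `case Size > ?SSH_MAX_PACKET_SIZE of` expression.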