Overview

File curl-CVE-2025-15224.patch of Package curl.42129

From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001
From: Harry Sintonen <sintonen@iki.fi>
Date: Mon, 29 Dec 2025 16:56:39 +0100
Subject: [PATCH] libssh: require private key or user-agent for public key auth

Closes #20110
---
 lib/vssh/libssh.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Index: curl-8.14.1/lib/vssh/libssh.c
===================================================================
--- curl-8.14.1.orig/lib/vssh/libssh.c
+++ curl-8.14.1/lib/vssh/libssh.c
@@ -698,7 +698,11 @@ static int myssh_state_authlist(struct C
           "keyboard-interactive, " : "",
           sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
           "password": "");
-  if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
+  /* For public key auth we need either the private key or
+     CURLSSH_AUTH_AGENT. */
+  if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) &&
+    (data->set.str[STRING_SSH_PRIVATE_KEY] ||
+     (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) {
     myssh_state(data, sshc, SSH_AUTH_PKEY_INIT);
     infof(data, "Authentication using SSH public key file");
   }
openSUSE Build Service is sponsored by
Places