ssh: fix deadlock on unexpected global responses (CVE-2026-39830) - backport to v0.39.0#4
Conversation
Backport of upstream fix golang/crypto@4e7a7384ecbc onto v0.39.0 for Go 1.23 compatibility (release-4.19). The go.mod go directive remains at 1.23.0; no go 1.25 language features are used. Previously, handleGlobalPacket blocked on sending to globalResponses (buffer size 1), allowing a malicious SSH peer to stall the connection read loop permanently. Fix: replace the blocking send with a conditional non-blocking send gated on globalSentPending. A drain loop in SendRequest discards any stale buffered responses before sending a new request. CVE: CVE-2026-39830 GO: GO-2026-5017 Upstream: golang@4e7a7384ecbc Co-authored-by: Cursor <cursoragent@cursor.com>
1b23b5a to
d66e1f8
Compare
|
Update: The branch has been rebased to resolve the conflict in The only difference was the drain loop form. This branch now matches A new tag
Once a maintainer with write access creates branch |
Summary
Backport of upstream fix golang/crypto@4e7a7384ecbc onto v0.39.0 for Go 1.23 compatibility (HyperShift release-4.19).
CVE-2026-39830 / GO-2026-5017
A malicious SSH peer could send unsolicited global request responses to fill the internal
globalResponseschannel buffer (size 1), causinghandleGlobalPacketto block indefinitely and stall the connection's read loop. CallingClose()could not release the blocked goroutine, resulting in a resource leak per connection.Fix: replace the blocking send in
handleGlobalPacketwith a conditional non-blocking send gated onglobalSentPending. A drain loop inSendRequestdiscards any stale buffered responses before sending a new request.Why a backport?
The upstream fix shipped in
v0.52.0which requiresgo 1.25.0. The HyperShift release-4.19 branch builds with Go 1.23 (rhel_9_golang_1.23/go-toolset:1.23.6). This backport keepsgo 1.23.0ingo.modso it can be used as areplacedirective.Requested action
Once reviewed, please:
sustaining-v0.39.1in this repo from thev0.39.0tag with this fix appliedv0.39.1-sec.1This will allow updating HyperShift's
go.modfrom:to:
Jira: https://redhat.atlassian.net/browse/ACM-35720
Upstream fix: golang@4e7a7384ecbc
CVE: CVE-2026-39830
Made with Cursor