Mailing List Archive

[Bug 3409] ssh-keygen -Y find-principals segfaults on malformed allowed_signers_file
https://bugzilla.mindrot.org/show_bug.cgi?id=3409

--- Comment #1 from Mateusz Adamowski <mateusz@adamowski.pl> ---
I managed to identify a minimal malformed input that crashes the program:

$ ssh-keygen -Y verify -n file -s ed25519.c.sig -f <( printf "?\x00\n" ) -I a < ed25519.c

The problem is probably with the strdelim_internal() function [misc.c:398].

When it cannot find an accepted separator (whitespace, quotes), it
returns the original pointer, but it also sets the value passed by pointer
(char **s) to NULL.

This value is never checked in parse_principals_key_and_options()
[sshsig.c:718] and is ultimately passed to sshkey_read().

I added the following check right before the call to sshkey_read():

	if (cp == NULL) {
		error("%s:%lu: invalid line", path, linenum);
		r = SSH_ERR_INVALID_FORMAT;
		goto out;
	}

And it seems to solve this problem.

However, I think that the parse_principals_key_and_options() function
should have some extra pre-check that would immediately eliminate
malformed lines, especially those containing 0x00 and other
non-printable characters.

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
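
Added example, not part of the thread and not OpenSSH code: a simplified C model of the failure described in Comment #1, showing both the NULL-cursor check and the suggested pre-check for embedded NUL and non-printable bytes. The names next_token, line_is_clean and parse_line are hypothetical, and the tokenizer is a whitespace-only stand-in for the behaviour the report attributes to strdelim_internal().

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define WS " \t\r\n"	/* whitespace only; quote handling is omitted here */

/* Hypothetical stand-in for the tokenizer behaviour the report describes:
 * returns the token start and sets *s to NULL when no separator is found. */
static char *next_token(char **s)
{
	char *old = *s;
	if (old == NULL || (*s = strpbrk(old, WS)) == NULL)
		return old;	/* cursor is now NULL; caller must check it */
	*(*s)++ = '\0';
	*s += strspn(*s, WS);
	return old;
}

/* Pre-check: use the reader's length, not strlen(), so an embedded NUL
 * or other non-printable byte is seen and the line rejected. */
static int line_is_clean(const char *buf, size_t len)
{
	if (len > 0 && buf[len - 1] == '\n')
		len--;
	for (size_t i = 0; i < len; i++)
		if (!isprint((unsigned char)buf[i]) && buf[i] != '\t')
			return 0;
	return 1;
}

/* Returns 0 and sets *principals and *key, or -1 for an invalid line. */
static int parse_line(char *buf, size_t len, char **principals, char **key)
{
	char *cp = buf;
	if (!line_is_clean(buf, len))
		return -1;
	*principals = next_token(&cp);
	if (cp == NULL || *cp == '\0')	/* no key field after the principals */
		return -1;
	*key = cp;
	return 0;
}

int main(void)
{
	char bad[] = "?\0\n", *p, *k;	/* constructed input from the report */
	printf("%d\n", parse_line(bad, sizeof(bad) - 1, &p, &k));
	return 0;
}
```

The length passed to parse_line must come from the line reader (for example the return value of getline()), since strlen() stops at the embedded NUL and would hide the bytes after it.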
[Bug 3409] ssh-keygen -Y find-principals segfaults on malformed allowed_signers_file
https://bugzilla.mindrot.org/show_bug.cgi?id=3409

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3395
Resolution|--- |FIXED
CC| |djm@mindrot.org
Status|NEW |RESOLVED

--- Comment #2 from Damien Miller <djm@mindrot.org> ---
Thanks, I committed a similar fix. It will be in the OpenSSH 9.0
release, due very soon.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3395
[Bug 3395] Tracking bug for openssh-9.0
[Bug 3409] ssh-keygen -Y find-principals segfaults on malformed allowed_signers_file
https://bugzilla.mindrot.org/show_bug.cgi?id=3409

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED

--- Comment #3 from Damien Miller <djm@mindrot.org> ---
closing bug resolved during openssh-9.0 release cycle
