Bug 3273

Summary:

ssh-keygen uses getpwuid() without pwcopy()

Product:

Portable OpenSSH

Reporter:

Donovan Watteau <contrib>

Component:

ssh-keygen

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

normal

CC:

djm

Priority:

Version:

8.5p1

Hardware:

PPC

OS:

Mac OS X

Bug Depends on:

Bug Blocks:

3270

Attachments:

Description	Flags
Add missing call to pwcopy() in ssh-keygen.c	none

Description Donovan Watteau 2021-03-07 20:28:46 AEDT

Created attachment 3477 [details]
Add missing call to pwcopy() in ssh-keygen.c

On Mac OS X 10.5.8 PPC, with OpenSSL 1.1.1j from MacPorts, t7.out regress test currently fails with the following crash:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xc0000000
0x93f047c8 in strlen ()
(gdb) bt
#0  0x93f047c8 in strlen ()
#1  0x93f9777c in __vfprintf$LDBL128 ()
#2  0x93f9b898 in snprintf$LDBL128 ()
#3  0x000114a0 in main (argc=0, argv=0xbffff848) at ssh-keygen.c:3670

which seems to come from pw_name in this snprintf call:

        else {
                /* Create default comment field for the passphrase. */
                snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
        }

This looks similar to bug 1377 and bug 1414, i.e. pw_name comes from getpwuid() which is called without a pwcopy().

The attached diff simply adds it, like some other ssh tools already do, and makes t7.out pass again on MacOS X Leopard PPC.

Comment 1 Damien Miller 2021-03-12 14:44:05 AEDT

fixed in openssh-8.6

Comment 2 Damien Miller 2021-04-23 15:03:59 AEST

closing resolved bugs as of 8.6p1 release