Bug 3273 - ssh-keygen uses getpwuid() without pwcopy()
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 8.5p1
Hardware: PPC Mac OS X
Importance: P5 normal
Assignee: Assigned to nobody
Blocks: V_8_6
Reported: 2021-03-07 20:28 AEDT by Donovan Watteau
Modified: 2021-04-23 15:03 AEST

Attachments
Add missing call to pwcopy() in ssh-keygen.c (305 bytes, patch)
2021-03-07 20:28 AEDT, Donovan Watteau

Description Donovan Watteau 2021-03-07 20:28:46 AEDT
Created attachment 3477
Add missing call to pwcopy() in ssh-keygen.c

On Mac OS X 10.5.8 PPC, with OpenSSL 1.1.1j from MacPorts, t7.out regress test currently fails with the following crash:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xc0000000
0x93f047c8 in strlen ()
(gdb) bt
#0  0x93f047c8 in strlen ()
#1  0x93f9777c in __vfprintf$LDBL128 ()
#2  0x93f9b898 in snprintf$LDBL128 ()
#3  0x000114a0 in main (argc=0, argv=0xbffff848) at ssh-keygen.c:3670

which seems to come from pw_name in this snprintf call:

        else {
                /* Create default comment field for the passphrase. */
                snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
        }

This looks similar to bug 1377 and bug 1414, i.e. pw_name comes from getpwuid() which is called without a pwcopy().

The attached diff simply adds it, like some other ssh tools already do, and makes t7.out pass again on MacOS X Leopard PPC.
Comment 1 Damien Miller 2021-03-12 14:44:05 AEDT
fixed in openssh-8.6
Comment 2 Damien Miller 2021-04-23 15:03:59 AEST
closing resolved bugs as of 8.6p1 release