[Bug 3273] New: ssh-keygen uses getpwuid() without pwcopy()

bugzilla-daemon at mindrot.org
Sun Mar 7 20:28:46 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3273

            Bug ID: 3273
           Summary: ssh-keygen uses getpwuid() without pwcopy()
           Product: Portable OpenSSH
           Version: 8.5p1
          Hardware: PPC
                OS: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: contrib at dwatteau.fr

Created attachment 3477
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3477&action=edit
Add missing call to pwcopy() in ssh-keygen.c

On Mac OS X 10.5.8 PPC, with OpenSSL 1.1.1j from MacPorts, t7.out
regress test currently fails with the following crash:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xc0000000
0x93f047c8 in strlen ()
(gdb) bt
#0  0x93f047c8 in strlen ()
#1  0x93f9777c in __vfprintf$LDBL128 ()
#2  0x93f9b898 in snprintf$LDBL128 ()
#3  0x000114a0 in main (argc=0, argv=0xbffff848) at ssh-keygen.c:3670

which seems to come from pw_name in this snprintf call:

        else {
                /* Create default comment field for the passphrase. */
                snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
                    hostname);
        }

This looks similar to bug 1377 and bug 1414, i.e. pw_name comes from
getpwuid() which is called without a pwcopy().

The attached diff simply adds it, like some other ssh tools already do,
and makes t7.out pass again on MacOS X Leopard PPC.
