Invalid memory access / read stack overflow when reading config with zero bytes
Damien Miller
djm at mindrot.org
Mon Mar 30 11:30:56 AEDT 2015
On Mon, 30 Mar 2015, Hanno B?ck wrote:
> On Mon, 30 Mar 2015 10:43:18 +1100 (AEDT)
> Damien Miller <djm at mindrot.org> wrote:
>
> > reproduced; the line numbers were wrong.
>
> Sorry for the line numbers, should've thought of that. I used the
> standard Gentoo package and it seems it does patching on that file.
>
> I can confirm your patch fixes the issue, thanks. Will now run another
> fuzzing job with the patch applied, will inform you if it finds
> anything.
Thanks - we'll certainly fix bugs in config parsing, but they aren't
that interesting from a security perspective. Someone who can write
to ~/.ssh/config already has arbitrary code execution via ProxyCommand,
etc.
authorized_keys is a good thing to fuzz if you can set up a good test
enviornment. I've spent about a CPU-month fuzzing key parsing and KRLs,
so I have some confidence that they are clean.
cf. https://anongit.mindrot.org/openssh-fuzz-cases.git/
-d
More information about the openssh-unix-dev
mailing list