Call for testing: OpenSSH 8.1

Joseph S. Testa II jtesta at positronsecurity.com
Tue Oct 8 03:08:27 AEDT 2019


While compiling the master branch on 
https://github.com/openssh/openssh-portable just now on the latest 
version of Kali Linux, I got the following warnings:


fmt_scaled.c: In function ‘fmt_scaled’:
fmt_scaled.c:272:52: warning: ‘%1lld’ directive output may be truncated 
writing between 1 and 17 bytes into a region of size between 0 and 5 
[-Wformat-truncation=]
   272 |   (void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
       |                                                    ^~~~~
fmt_scaled.c:272:46: note: directive argument in the range 
[-9007199254740991, 9]
   272 |   (void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
       |                                              ^~~~~~~~~~~~~~
In file included from /usr/include/stdio.h:867,
                  from /usr/include/resolv.h:58,
                  from ../openbsd-compat/getrrsetbyname.h:59,
                  from ../openbsd-compat/openbsd-compat.h:44,
                  from ../includes.h:174,
                  from fmt_scaled.c:41:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:67:10: note: 
‘__builtin___snprintf_chk’ output between 5 and 40 bytes into a 
destination of size 7
    67 |   return __builtin___snprintf_chk (__s, __n, 
__USE_FORTIFY_LEVEL - 1,
       | 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    68 |        __bos (__s), __fmt, __va_arg_pack ());
       |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ar: creating libopenbsd-compat.a
sshkey.c: In function ‘sshkey_format_cert_validity’:
sshkey.c:2994:42: warning: ‘%s’ directive output may be truncated 
writing up to 31 bytes into a region of size between 24 and 55 
[-Wformat-truncation=]
  2994 |   snprintf(ret, sizeof(ret), "from %s to %s", from, to);
       |                                          ^~         ~~
In file included from /usr/include/stdio.h:867,
                  from /usr/include/resolv.h:58,
                  from openbsd-compat/getrrsetbyname.h:59,
                  from openbsd-compat/openbsd-compat.h:44,
                  from includes.h:174,
                  from sshkey.c:28:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:67:10: note: 
‘__builtin___snprintf_chk’ output between 10 and 72 bytes into a 
destination of size 64
    67 |   return __builtin___snprintf_chk (__s, __n, 
__USE_FORTIFY_LEVEL - 1,
       | 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    68 |        __bos (__s), __fmt, __va_arg_pack ());
       |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
hostfile.c: In function ‘host_hash’:
hostfile.c:150:44: warning: ‘%s’ directive output may be truncated 
writing up to 511 bytes into a region of size between 509 and 1020 
[-Wformat-truncation=]
   150 |  snprintf(encoded, sizeof(encoded), "%s%s%c%s", HASH_MAGIC, 
uu_salt,
       |                                            ^~
   151 |      HASH_DELIM, uu_result);
       |                  ~~~~~~~~~
In file included from /usr/include/stdio.h:867,
                  from /usr/include/resolv.h:58,
                  from openbsd-compat/getrrsetbyname.h:59,
                  from openbsd-compat/openbsd-compat.h:44,
                  from includes.h:174,
                  from hostfile.c:39:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:67:10: note: 
‘__builtin___snprintf_chk’ output between 5 and 1027 bytes into a 
destination of size 1024
    67 |   return __builtin___snprintf_chk (__s, __n, 
__USE_FORTIFY_LEVEL - 1,
       | 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    68 |        __bos (__s), __fmt, __va_arg_pack ());
       |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ar: creating libssh.a
sshconnect.c: In function ‘check_host_key.constprop’:
sshconnect.c:895:8: warning: ‘%s’ directive output may be truncated 
writing up to 1023 bytes into a region of size between 773 and 973 
[-Wformat-truncation=]
   895 |        "The authenticity of host '%.200s (%s)' can't be "
       |        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......
   900 |        host, ip, msg1, type, fp,
       |                  ~~~~
sshconnect.c:896:20: note: format string is defined here
   896 |        "established%s\n"
       |                    ^~
In file included from /usr/include/stdio.h:867,
                  from /usr/include/resolv.h:58,
                  from openbsd-compat/getrrsetbyname.h:59,
                  from openbsd-compat/openbsd-compat.h:44,
                  from includes.h:174,
                  from sshconnect.c:16:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:67:10: note: 
‘__builtin___snprintf_chk’ output 144 or more bytes (assuming 2391) into 
a destination of size 1024
    67 |   return __builtin___snprintf_chk (__s, __n, 
__USE_FORTIFY_LEVEL - 1,
       | 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    68 |        __bos (__s), __fmt, __va_arg_pack ());
       |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssh-keygen.c: In function ‘do_convert_to’:
ssh-keygen.c:346:34: warning: ‘%s’ directive output may be truncated 
writing up to 1024 bytes into a region of size 39 [-Wformat-truncation=]
   346 |      "%u-bit %s, converted by %s@%s from OpenSSH",
       |                                  ^~
   347 |      sshkey_size(k), sshkey_type(k),
   348 |      pw->pw_name, hostname);
       |                   ~~~~~~~~
In file included from /usr/include/stdio.h:867,
                  from /usr/include/resolv.h:58,
                  from openbsd-compat/getrrsetbyname.h:59,
                  from openbsd-compat/openbsd-compat.h:44,
                  from includes.h:174,
                  from ssh-keygen.c:15:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:67:10: note: 
‘__builtin___snprintf_chk’ output 36 or more bytes (assuming 1060) into 
a destination of size 61
    67 |   return __builtin___snprintf_chk (__s, __n, 
__USE_FORTIFY_LEVEL - 1,
       | 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    68 |        __bos (__s), __fmt, __va_arg_pack ());
       |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssh-keygen.c: In function ‘main’:
ssh-keygen.c:3280:41: warning: ‘%s’ directive output may be truncated 
writing up to 1024 bytes into a region of size 1023 [-Wformat-truncation=]
  3280 |   snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, 
hostname);
       |                                         ^~                ~~~~~~~~
In file included from /usr/include/stdio.h:867,
                  from /usr/include/resolv.h:58,
                  from openbsd-compat/getrrsetbyname.h:59,
                  from openbsd-compat/openbsd-compat.h:44,
                  from includes.h:174,
                  from ssh-keygen.c:15:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:67:10: note: 
‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 1026) into a 
destination of size 1024
    67 |   return __builtin___snprintf_chk (__s, __n, 
__USE_FORTIFY_LEVEL - 1,
       | 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    68 |        __bos (__s), __fmt, __va_arg_pack ());
       |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssh-keygen.c:1079:41: warning: ‘%s’ directive output may be truncated 
writing up to 1024 bytes into a region of size 1023 [-Wformat-truncation=]
  1079 |   snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
       |                                         ^~
  1080 |       hostname);
       |       ~~~~~~~~
In file included from /usr/include/stdio.h:867,
                  from /usr/include/resolv.h:58,
                  from openbsd-compat/getrrsetbyname.h:59,
                  from openbsd-compat/openbsd-compat.h:44,
                  from includes.h:174,
                  from ssh-keygen.c:15:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:67:10: note: 
‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 1026) into a 
destination of size 1024
    67 |   return __builtin___snprintf_chk (__s, __n, 
__USE_FORTIFY_LEVEL - 1,
       | 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    68 |        __bos (__s), __fmt, __va_arg_pack ());
       |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ssh-agent.c: In function ‘main’:
ssh-agent.c:1232:48: warning: ‘/agent.’ directive output may be 
truncated writing 7 bytes into a region of size between 1 and 4096 
[-Wformat-truncation=]
  1232 |   snprintf(socket_name, sizeof socket_name, "%s/agent.%ld", 
socket_dir,
       |                                                ^~~~~~~
ssh-agent.c:1232:45: note: directive argument in the range [-2147483648, 
2147483647]
  1232 |   snprintf(socket_name, sizeof socket_name, "%s/agent.%ld", 
socket_dir,
       |                                             ^~~~~~~~~~~~~~
In file included from /usr/include/stdio.h:867,
                  from /usr/include/resolv.h:58,
                  from openbsd-compat/getrrsetbyname.h:59,
                  from openbsd-compat/openbsd-compat.h:44,
                  from includes.h:174,
                  from ssh-agent.c:37:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:67:10: note: 
‘__builtin___snprintf_chk’ output between 9 and 4114 bytes into a 
destination of size 4096
    67 |   return __builtin___snprintf_chk (__s, __n, 
__USE_FORTIFY_LEVEL - 1,
       | 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    68 |        __bos (__s), __fmt, __va_arg_pack ());
       |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Here's the version of gcc in use:

# gcc --version
gcc (Debian 9.2.1-8) 9.2.1 20190909


FYI, all tests pass on Kali Linux.

    - Joe


-- 
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
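
What -Wformat-truncation is pointing at in the log above, as an added example that is not part of the original message and is not OpenSSH code: snprintf() returns the length the full output would need, so a caller that compares it with the buffer size can detect truncation instead of silently using a shortened string. The helper names, buffer sizes and inputs are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper, not OpenSSH code: bounded format that reports
 * truncation. Returns the string length on success, -1 if the output
 * did not fit (or on a format error), leaving buf empty in that case.
 */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int
fmt_checked(char *buf, size_t len, const char *fmt, ...)
{
	va_list ap;
	int r;

	va_start(ap, fmt);
	r = vsnprintf(buf, len, fmt, ap);
	va_end(ap);
	/* r is the length the full output needs, excluding the NUL */
	if (r < 0 || (size_t)r >= len) {
		if (len > 0)
			buf[0] = '\0';	/* never hand back a partial string */
		return -1;
	}
	return r;
}

/* Same format as the ssh-agent.c call in the log: "<dir>/agent.<pid>" */
static int
agent_socket_name(char *buf, size_t len, const char *dir, long pid)
{
	return fmt_checked(buf, len, "%s/agent.%ld", dir, pid);
}

int
main(void)
{
	char ok[64], small[16];	/* constructed sizes and inputs */

	printf("%d\n", agent_socket_name(ok, sizeof ok, "/tmp/ssh-abc", 1234));
	printf("[%s]\n", ok);
	printf("%d\n", agent_socket_name(small, sizeof small, "/tmp/ssh-abc", 1234));
	printf("[%s]\n", small);
	return 0;
}
```

At level 1, GCC's -Wformat-truncation covers only bounded calls whose return value is unused, which matches the flagged calls in the log; whether a shortened socket path or key comment matters depends on what the caller does with it.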

