
Bug#412932: openssh-client: ssh client SEGV on invalid input from server



Package: openssh-client
Version: 1:4.3p2-8
Severity: normal

[Cc: to the security team since this might be something exploitable
by a malicious ssh server]

I can reproducibly crash ssh (client) by breaking the network
connection to sshd in random ways:

------------------------------------------------------------
$ gdb --args ~sliedes/rec/openssh-4.3p2/build-deb/ssh -vvv -p 2002 sli3@localhost ls -a
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r
Starting program: /home/sliedes/rec/openssh-4.3p2/build-deb/ssh -vvv -p 2002 sli3@localhost ls -a
OpenSSH_4.3p2 Debian-8, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 2002.
debug1: Connection established.
debug1: identity file /home/sli2/.ssh/identity type -1
debug3: Not a RSA1 key file /home/sli2/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/sli2/.ssh/id_rsa type 1
debug1: identity file /home/sli2/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-8
debug1: match: OpenSSH_4.3p2 Debian-8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-8
debug2: fd 5 setting O_NONBLOCK
debug1: Miscellaneous failure
Unknown code krb5 195

debug1: Miscellaneous failure
Unknown code krb5 195

debug1: SSH2_MSG_KEXINIT sent

Program received signal SIGSEGV, Segmentation fault.
0x00000000004269d3 in packet_enable_delayed_compress () at ../packet.c:676
676                     if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
(gdb) bt
#0  0x00000000004269d3 in packet_enable_delayed_compress () at ../packet.c:676
#1  0x0000000000427a57 in packet_read_poll2 (seqnr_p=0x7fff6b7abca8) at ../packet.c:1163
#2  0x0000000000427a97 in packet_read_poll_seqnr (seqnr_p=0x7fff6b7abca8) at ../packet.c:1182
#3  0x0000000000427082 in packet_read_seqnr (seqnr_p=0x7fff6b7abca8) at ../packet.c:884
#4  0x000000000042d42f in dispatch_run (mode=0, done=0x56e778, ctxt=0x56e710) at ../dispatch.c:86
#5  0x0000000000413ae8 in ssh_kex2 (host=0x56fcf0 "localhost", hostaddr=0x552420) at ../sshconnect2.c:182
#6  0x0000000000411d84 in ssh_login (sensitive=0x554d80, orighost=0x557ed5 "localhost", hostaddr=0x552420, pw=0x557df0) at ../sshconnect.c:978
#7  0x000000000040722c in main (ac=2, av=0x7fff6b7ac1c0) at ../ssh.c:742
(gdb) bt full
#0  0x00000000004269d3 in packet_enable_delayed_compress () at ../packet.c:676
        comp = (Comp *) 0x60
        mode = 0
#1  0x0000000000427a57 in packet_read_poll2 (seqnr_p=0x7fff6b7abca8) at ../packet.c:1163
        padlen = 7
        need = 696
        macbuf = (u_char *) 0x0
        cp = (u_char *) 0x56d4b0 ""
        type = 52 '4'
        maclen = 0
        block_size = 8
        enc = (Enc *) 0x0
        mac = (Mac *) 0x0
        comp = (Comp *) 0x0
        packet_length = 700
#2  0x0000000000427a97 in packet_read_poll_seqnr (seqnr_p=0x7fff6b7abca8) at ../packet.c:1182
        reason = 0
        seqnr = 1048576
        type = 0 '\0'
        msg = 0x7fff6b7a9c50 ""
#3  0x0000000000427082 in packet_read_seqnr (seqnr_p=0x7fff6b7abca8) at ../packet.c:884
        type = 0
        len = 704
        setp = (fd_set *) 0x56f9e0
        buf = "\000\000\002Œ\a4ÓC$Ù\022š·ý7\237/çR\003€\034\000\000\000Ydiffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\000\000\000\017ssh-rsa,qsh-dss\000\000\000\235aes128-cbc,3des-cbc,blowdish-cbc,cast128-cbc,arcfour128,arcfou"...
        tv = {tv_sec = 0, tv_usec = 0}
        tvp = (struct timeval *) 0x0
#4  0x000000000042d42f in dispatch_run (mode=0, done=0x56e778, ctxt=0x56e710) at ../dispatch.c:86
        type = 0
        seqnr = 0
#5  0x0000000000413ae8 in ssh_kex2 (host=0x56fcf0 "localhost", hostaddr=0x552420) at ../sshconnect2.c:182
        kex = (Kex *) 0x56e710
        orig = 0x43e9b0 "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
        gss = 0x0
        len = 32767
        gss_host = 0x56fcf0 "localhost"
#6  0x0000000000411d84 in ssh_login (sensitive=0x554d80, orighost=0x557ed5 "localhost", hostaddr=0x552420, pw=0x557df0) at ../sshconnect.c:978
        host = 0x56fcf0 "localhost"
        cp = 0x56fcf9 ""
        server_user = 0x557ed0 "sli3"
        local_user = 0x56a240 "sli2"
#7  0x000000000040722c in main (ac=2, av=0x7fff6b7ac1c0) at ../ssh.c:742
        i = 2
        opt = -1
        exit_status = 11172
        p = 0x557ed0 "sli3"
        cp = 0x557ed5 "localhost"
        line = 0x0
        buf = "/home/sli2/.ssh\000config\000\0010MA?€+\000\000àÀzkÿ\177\000\000 Àzkÿ\177\000\000\216ÿw\001", '\0' <repeats 12 times>, "â/@\000\000\000\000\000\232O0?€+\000\000P-\035@€+\000\000\001", '\0' <repeats 15 times>, "\001\000\000\000md64", '\0' <repeats 32 times>, "pq\035@€+\000\000\000 \035@\001\000\000\000P---Type <return> to continue, or q <return> to quit---
-\035@€+\000\0000MA?€+\000\000\020Ázkÿ\177\000\000èIA?€+\000\000\230Ázkÿ\177\000\001\a\000\000\000\000\000\000\000\000PA?€+\000\000\221\2060?€+\000\000\001\000\000\000x"...
        st = {st_dev = 65042, st_ino = 9404654, st_nlink = 2, st_mode = 16877, st_uid = 1001, st_gid = 1002, pad0 = 0, st_rdev = 0, st_size = 4096,
  st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1172705782, tv_nsec = 0}, st_mtim = {tv_sec = 1172706850, tv_nsec = 0}, st_ctim = {
    tv_sec = 1172706850, tv_nsec = 0}, __unused = {0, 0, 0}}
        pw = (struct passwd *) 0x557df0
        dummy = 11172
        sp = (struct servent *) 0x404c33
        fwd = {listen_host = 0x0, listen_port = 11528, connect_host = 0x2 <Address 0x2 out of bounds>, connect_port = 0}
------------------------------------------------------------

If this is not informative enough to track down the problem, tell me
what I can do and I will.

	Sami


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=C, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)

Versions of packages openssh-client depends on:
ii  adduser  3.102                           Add and remove users and groups
ii  debconf  1.5.12                          Debian configuration management sy
ii  dpkg     1.13.25                         package maintenance system for Deb
ii  libc6    2.3.6.ds1-13                    GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.11.14+dfsg-1 common error description library
ii  libedit2 2.9.cvs.20050518-3              BSD editline and history libraries
ii  libkrb53 1.4.4-7                         MIT Kerberos runtime libraries
ii  libncurs 5.5-5                           Shared libraries for terminal hand
ii  libssl0. 0.9.8e-2                        SSL shared libraries
ii  passwd   1:4.0.18.1-7                    change and administer password and
ii  zlib1g   1:1.2.3-13                      compression library - runtime

openssh-client recommends no packages.

-- no debconf information
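Editor's note on the backtrace: in frame #1 the locals enc, mac and comp are all NULL and the packet type is 52 (SSH_MSG_USERAUTH_SUCCESS), while frame #0 faults on comp = (Comp *) 0x60. A small non-NULL pointer equal to a struct member offset is the signature of taking the address of a member through a NULL base pointer: the client handled a post-authentication message before any NEWKEYS had installed key state, so the per-direction key entry was still NULL and a `comp != NULL` test could not catch it. The following is an added illustration, not OpenSSH code and not the reporter's; the struct layout is constructed so that the member lands at offset 0x60 to match the value in the report, and all function names are hypothetical.

```c
/* Added example: models the NULL-base member-address pattern behind the
 * crash and a guarded alternative. Constructed; not OpenSSH source. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MODE_IN = 0, MODE_OUT = 1, MODE_MAX = 2 };
enum { COMP_NONE = 0, COMP_ZLIB = 1, COMP_DELAYED = 2 };

typedef struct {
    int enabled;
    int type;
} Comp;

/* Constructed layout: two 0x30-byte blocks stand in for cipher and MAC
 * state so that `comp` sits at offset 0x60, the pointer value in the report. */
typedef struct {
    unsigned char enc[0x30];
    unsigned char mac[0x30];
    Comp comp;
} Newkeys;

/* Per-direction key state; NULL until a NEWKEYS for that direction is applied. */
static Newkeys *newkeys[MODE_MAX];

/* Offset a NULL base turns into when code writes `&newkeys[mode]->comp`. */
size_t comp_member_offset(void) { return offsetof(Newkeys, comp); }

/* Triage helper: a fault address below the first page that equals a member
 * offset of the struct in question points at a NULL-base member access. */
int looks_like_null_member_deref(uintptr_t fault_addr) {
    return fault_addr < 4096 && fault_addr == (uintptr_t)offsetof(Newkeys, comp);
}

void install_newkeys(int mode, Newkeys *nk) { newkeys[mode] = nk; }

/* Guarded variant: check the key-state entry itself, not the derived member
 * pointer. Returns the number of directions switched to compression, or -1
 * when a direction has no keys yet, i.e. the peer sent a post-authentication
 * message out of order and the caller should treat it as a protocol error. */
int enable_delayed_compress_guarded(void) {
    int switched = 0;
    for (int mode = 0; mode < MODE_MAX; mode++) {
        if (newkeys[mode] == NULL)
            return -1;  /* keys not negotiated: do not derive a member address */
        Comp *comp = &newkeys[mode]->comp;
        if (!comp->enabled && comp->type == COMP_DELAYED) {
            comp->enabled = 1;  /* real code would initialise zlib state here */
            switched++;
        }
    }
    return switched;
}

int main(void) {
    printf("offsetof(Newkeys, comp) = 0x%zx\n", comp_member_offset());
    printf("fault at 0x60 looks like NULL member deref: %d\n",
           looks_like_null_member_deref(0x60));

    /* Before key exchange: the guarded routine refuses instead of faulting. */
    printf("before NEWKEYS: %d\n", enable_delayed_compress_guarded());

    /* After both directions have keys with delayed compression negotiated. */
    static Newkeys in_keys, out_keys;
    memset(&in_keys, 0, sizeof in_keys);
    memset(&out_keys, 0, sizeof out_keys);
    in_keys.comp.type = COMP_DELAYED;
    out_keys.comp.type = COMP_DELAYED;
    install_newkeys(MODE_IN, &in_keys);
    install_newkeys(MODE_OUT, &out_keys);
    printf("after NEWKEYS: %d directions switched\n", enable_delayed_compress_guarded());
    return 0;
}
```

The point of the guard is ordering: the condition that matters is whether key state exists for the direction, and that has to be tested on the entry before any member address is formed from it, because the derived pointer is never NULL even when the entry is.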
