Your message dated Mon, 24 Dec 2007 22:26:41 +0000
with message-id <20071224222641.GP13328@riva.ucam.org>
and subject line Bug#412932: openssh-client: ssh client SEGV on invalid input from server
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: openssh-client: ssh client SEGV on invalid input from server
- From: Sami Liedes <sliedes@cc.hut.fi>
- Date: Thu, 1 Mar 2007 02:29:16 +0200
- Message-id: <20070301002916.GD1570@baron.tky.hut.fi>
Package: openssh-client
Version: 1:4.3p2-8
Severity: normal

[Cc: to the security team since this might be something exploitable by a malicious ssh server]

I can reproducibly crash ssh (client) by breaking the network connection to sshd in random ways:

------------------------------------------------------------
$ gdb --args ~sliedes/rec/openssh-4.3p2/build-deb/ssh -vvv -p 2002 sli3@localhost ls -a
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r
Starting program: /home/sliedes/rec/openssh-4.3p2/build-deb/ssh -vvv -p 2002 sli3@localhost ls -a
OpenSSH_4.3p2 Debian-8, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 2002.
debug1: Connection established.
debug1: identity file /home/sli2/.ssh/identity type -1
debug3: Not a RSA1 key file /home/sli2/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/sli2/.ssh/id_rsa type 1
debug1: identity file /home/sli2/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-8
debug1: match: OpenSSH_4.3p2 Debian-8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-8
debug2: fd 5 setting O_NONBLOCK
debug1: Miscellaneous failure
Unknown code krb5 195
debug1: Miscellaneous failure
Unknown code krb5 195
debug1: SSH2_MSG_KEXINIT sent

Program received signal SIGSEGV, Segmentation fault.
0x00000000004269d3 in packet_enable_delayed_compress () at ../packet.c:676
676		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
(gdb) bt
#0  0x00000000004269d3 in packet_enable_delayed_compress () at ../packet.c:676
#1  0x0000000000427a57 in packet_read_poll2 (seqnr_p=0x7fff6b7abca8) at ../packet.c:1163
#2  0x0000000000427a97 in packet_read_poll_seqnr (seqnr_p=0x7fff6b7abca8) at ../packet.c:1182
#3  0x0000000000427082 in packet_read_seqnr (seqnr_p=0x7fff6b7abca8) at ../packet.c:884
#4  0x000000000042d42f in dispatch_run (mode=0, done=0x56e778, ctxt=0x56e710) at ../dispatch.c:86
#5  0x0000000000413ae8 in ssh_kex2 (host=0x56fcf0 "localhost", hostaddr=0x552420) at ../sshconnect2.c:182
#6  0x0000000000411d84 in ssh_login (sensitive=0x554d80, orighost=0x557ed5 "localhost", hostaddr=0x552420, pw=0x557df0) at ../sshconnect.c:978
#7  0x000000000040722c in main (ac=2, av=0x7fff6b7ac1c0) at ../ssh.c:742
(gdb) bt full
#0  0x00000000004269d3 in packet_enable_delayed_compress () at ../packet.c:676
        comp = (Comp *) 0x60
        mode = 0
#1  0x0000000000427a57 in packet_read_poll2 (seqnr_p=0x7fff6b7abca8) at ../packet.c:1163
        padlen = 7
        need = 696
        macbuf = (u_char *) 0x0
        cp = (u_char *) 0x56d4b0 ""
        type = 52 '4'
        maclen = 0
        block_size = 8
        enc = (Enc *) 0x0
        mac = (Mac *) 0x0
        comp = (Comp *) 0x0
        packet_length = 700
#2  0x0000000000427a97 in packet_read_poll_seqnr (seqnr_p=0x7fff6b7abca8) at ../packet.c:1182
        reason = 0
        seqnr = 1048576
        type = 0 '\0'
        msg = 0x7fff6b7a9c50 ""
#3  0x0000000000427082 in packet_read_seqnr (seqnr_p=0x7fff6b7abca8) at ../packet.c:884
        type = 0
        len = 704
        setp = (fd_set *) 0x56f9e0
        buf = "\000\000\002Œ\a4ÓC$Ù\022š·ý7\237/çR\003€\034\000\000\000Ydiffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\000\000\000\017ssh-rsa,qsh-dss\000\000\000\235aes128-cbc,3des-cbc,blowdish-cbc,cast128-cbc,arcfour128,arcfou"...
        tv = {tv_sec = 0, tv_usec = 0}
        tvp = (struct timeval *) 0x0
#4  0x000000000042d42f in dispatch_run (mode=0, done=0x56e778, ctxt=0x56e710) at ../dispatch.c:86
        type = 0
        seqnr = 0
#5  0x0000000000413ae8 in ssh_kex2 (host=0x56fcf0 "localhost", hostaddr=0x552420) at ../sshconnect2.c:182
        kex = (Kex *) 0x56e710
        orig = 0x43e9b0 "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
        gss = 0x0
        len = 32767
        gss_host = 0x56fcf0 "localhost"
#6  0x0000000000411d84 in ssh_login (sensitive=0x554d80, orighost=0x557ed5 "localhost", hostaddr=0x552420, pw=0x557df0) at ../sshconnect.c:978
        host = 0x56fcf0 "localhost"
        cp = 0x56fcf9 ""
        server_user = 0x557ed0 "sli3"
        local_user = 0x56a240 "sli2"
#7  0x000000000040722c in main (ac=2, av=0x7fff6b7ac1c0) at ../ssh.c:742
        i = 2
        opt = -1
        exit_status = 11172
        p = 0x557ed0 "sli3"
        cp = 0x557ed5 "localhost"
        line = 0x0
        buf = "/home/sli2/.ssh\000config\000\0010MA?€+\000\000àÀzkÿ\177\000\000 Àzkÿ\177\000\000\216ÿw\001", '\0' <repeats 12 times>, "â/@\000\000\000\000\000\232O0?€+\000\000P-\035@€+\000\000\001", '\0' <repeats 15 times>, "\001\000\000\000md64", '\0' <repeats 32 times>, "pq\035@€+\000\000\000 \035@\001\000\000\000P
---Type <return> to continue, or q <return> to quit---
-\035@€+\000\0000MA?€+\000\000\020Ázkÿ\177\000\000èIA?€+\000\000\230Ázkÿ\177\000\001\a\000\000\000\000\000\000\000\000PA?€+\000\000\221\2060?€+\000\000\001\000\000\000x"...
        st = {st_dev = 65042, st_ino = 9404654, st_nlink = 2, st_mode = 16877, st_uid = 1001, st_gid = 1002, pad0 = 0, st_rdev = 0, st_size = 4096, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1172705782, tv_nsec = 0}, st_mtim = {tv_sec = 1172706850, tv_nsec = 0}, st_ctim = {tv_sec = 1172706850, tv_nsec = 0}, __unused = {0, 0, 0}}
        pw = (struct passwd *) 0x557df0
        dummy = 11172
        sp = (struct servent *) 0x404c33
        fwd = {listen_host = 0x0, listen_port = 11528, connect_host = 0x2 <Address 0x2 out of bounds>, connect_port = 0}
------------------------------------------------------------

If this is not informative enough to track down the problem, tell me what I can do and I will.

	Sami

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=C, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)

Versions of packages openssh-client depends on:
ii  adduser   3.102                            Add and remove users and groups
ii  debconf   1.5.12                           Debian configuration management sy
ii  dpkg      1.13.25                          package maintenance system for Deb
ii  libc6     2.3.6.ds1-13                     GNU C Library: Shared libraries
ii  libcomer  1.39+1.40-WIP-2006.11.14+dfsg-1  common error description library
ii  libedit2  2.9.cvs.20050518-3               BSD editline and history libraries
ii  libkrb53  1.4.4-7                          MIT Kerberos runtime libraries
ii  libncurs  5.5-5                            Shared libraries for terminal hand
ii  libssl0.  0.9.8e-2                         SSL shared libraries
ii  passwd    1:4.0.18.1-7                     change and administer password and
ii  zlib1g    1:1.2.3-13                       compression library - runtime

openssh-client recommends no packages.

-- no debconf information

Attachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 412932-done@bugs.debian.org
- Subject: Re: Bug#412932: openssh-client: ssh client SEGV on invalid input from server
- From: Colin Watson <cjwatson@debian.org>
- Date: Mon, 24 Dec 2007 22:26:41 +0000
- Message-id: <20071224222641.GP13328@riva.ucam.org>
- In-reply-to: <20070301002916.GD1570@baron.tky.hut.fi>
- References: <20070301002916.GD1570@baron.tky.hut.fi>
Source: openssh
Source-Version: 1:4.6p1-1

On Thu, Mar 01, 2007 at 02:29:16AM +0200, Sami Liedes wrote:
> I can reproducibly crash ssh (client) by breaking the network
> connection to sshd in random ways:
[...]
> Program received signal SIGSEGV, Segmentation fault.
> 0x00000000004269d3 in packet_enable_delayed_compress () at ../packet.c:676
> 676		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {

Thanks for your report. This was fixed upstream in OpenSSH 4.4p1:

revision 1.144
date: 2006/09/21 03:00:25;  author: dtucker;  state: Exp;  lines: +4 -1
   - markus@cvs.openbsd.org 2006/09/19 21:14:08
     [packet.c]
     client NULL deref on protocol error; Tavis Ormandy, Google Security Team

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
--- End Message ---
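The backtrace above pins the crash down fairly precisely: packet_read_poll2 received a packet of type 52 (SSH2_MSG_USERAUTH_SUCCESS) while the client was still in key exchange, with enc, mac and comp all NULL, and packet_enable_delayed_compress then computed `comp = &newkeys[mode]->comp` from a NULL newkeys[mode], yielding the bogus pointer 0x60 that passes the `comp &&` test and is dereferenced. The following C model is an added example for readers of this bug log; it is not code from the report, from OpenSSH or from Debian. It reconstructs the client-side dispatch with a toy Newkeys layout (comp placed at offset 0x60 so the arithmetic matches the trace), the real SSH2 message numbers 21 (NEWKEYS) and 52 (USERAUTH_SUCCESS), and constructed compression settings. The NULL check on newkeys[mode] is this example's assumed shape of the upstream fix, which the log describes only as "client NULL deref on protocol error"; the message-sequencing check in client_handle_message is a second, independent defensive layer added here, not something the log attributes to upstream.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Real SSH2 message numbers (RFC 4253 / RFC 4252); type 52 is the value seen in
 * the packet_read_poll2 frame of the report. */
#define SSH2_MSG_NEWKEYS          21
#define SSH2_MSG_USERAUTH_SUCCESS 52

enum { MODE_IN = 0, MODE_OUT = 1, MODE_MAX = 2 };
enum { COMP_NONE = 0, COMP_ZLIB = 1, COMP_DELAYED = 2 };

typedef struct { int type; int enabled; } Comp;

/* Toy stand-in for OpenSSH's Newkeys (assumed layout). The padding puts comp at
 * offset 0x60, which is exactly the pointer (comp = (Comp *) 0x60) the backtrace
 * shows when &newkeys[mode]->comp is computed from a NULL newkeys[mode]. */
typedef struct { unsigned char enc_and_mac[0x60]; Comp comp; } Newkeys;

static Newkeys keystore[MODE_MAX];   /* backing storage for the model */
static Newkeys *newkeys[MODE_MAX];   /* NULL until NEWKEYS for that direction */

static void reset_client_state(void)
{
    memset(keystore, 0, sizeof keystore);
    newkeys[MODE_IN] = NULL;
    newkeys[MODE_OUT] = NULL;
}

/* The real set_newkeys() installs the negotiated cipher, MAC and compression;
 * here only the compression type (a constructed value) is recorded. */
static void set_newkeys(int mode, int comp_type)
{
    keystore[mode].comp.type = comp_type;
    keystore[mode].comp.enabled = 0;
    newkeys[mode] = &keystore[mode];
}

/* Hardened packet_enable_delayed_compress(). The 4.3p2 loop shown at packet.c:676
 * tested `comp &&` after comp had already been derived from newkeys[mode], so the
 * test could never catch a NULL newkeys[mode]. Checking the Newkeys pointer itself
 * (assumed shape of the upstream fix) makes the function safe to call in any
 * state. Returns how many directions had delayed compression switched on. */
static int packet_enable_delayed_compress_checked(void)
{
    int mode, enabled = 0;
    for (mode = 0; mode < MODE_MAX; mode++) {
        Comp *comp;
        if (newkeys[mode] == NULL)
            continue;               /* no keys for this direction yet: nothing to enable */
        comp = &newkeys[mode]->comp;
        if (!comp->enabled && comp->type == COMP_DELAYED) {
            comp->enabled = 1;
            enabled++;
        }
    }
    return enabled;
}

static int delayed_compress_enabled(int mode)
{
    return newkeys[mode] != NULL && newkeys[mode]->comp.enabled;
}

/* Models the client sending its own NEWKEYS, which installs outbound keys. */
static void client_send_newkeys(void)
{
    set_newkeys(MODE_OUT, COMP_DELAYED);
}

/* Independent second layer: USERAUTH_SUCCESS is only meaningful after key
 * exchange has completed in both directions. Returns 1 if the message is
 * accepted, 0 if it is a protocol error the client should disconnect on. The
 * sequencing check runs before any key-dependent work, so nothing derived from
 * the peer's message is touched on the error path. */
static int client_handle_message(int type)
{
    switch (type) {
    case SSH2_MSG_NEWKEYS:
        set_newkeys(MODE_IN, COMP_DELAYED);   /* peer's NEWKEYS installs inbound keys */
        return 1;
    case SSH2_MSG_USERAUTH_SUCCESS:
        if (newkeys[MODE_IN] == NULL || newkeys[MODE_OUT] == NULL)
            return 0;                         /* auth success before kex finished */
        packet_enable_delayed_compress_checked();
        return 1;
    default:
        return 1;                             /* other types are out of scope here */
    }
}

int main(void)
{
    /* Scenario from the report: USERAUTH_SUCCESS arrives right after KEXINIT. */
    reset_client_state();
    printf("USERAUTH_SUCCESS before kex: %s\n",
           client_handle_message(SSH2_MSG_USERAUTH_SUCCESS) ? "accepted" : "rejected (protocol error)");
    /* Well-formed sequence: NEWKEYS in both directions, then USERAUTH_SUCCESS. */
    client_send_newkeys();
    client_handle_message(SSH2_MSG_NEWKEYS);
    printf("USERAUTH_SUCCESS after kex: %s, delayed compression in=%d out=%d\n",
           client_handle_message(SSH2_MSG_USERAUTH_SUCCESS) ? "accepted" : "rejected",
           delayed_compress_enabled(MODE_IN), delayed_compress_enabled(MODE_OUT));
    return 0;
}
```

The two layers fail safe independently: with only the NULL check, an early USERAUTH_SUCCESS is silently ignored instead of crashing; with only the sequencing check, the enable routine is never reached with missing keys. A regression test for either layer is the first scenario in main, which is the message order the report's trace documents.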