
Bug#505330: ssh: glibc detected double free or corruption with local forwarding



Subject: ssh: glibc detected double free or corruption with local forwarding
Package: ssh
Version: 1:5.1p1-3
Severity: normal

When starting a local forward in an existing session a double free crash
can be forced. This is simple to reproduce:

% ssh somehost
[...]
% ~C
ssh> -L *.80:localhost:80
Bad forwarding specification.
*** glibc detected *** ssh: double free or corruption (fasttop): 0xb95431b0 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7ada6b4]
/lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7adc8b6]
ssh[0xb7ee3c7d]
ssh[0xb7ec014b]
ssh(client_simple_escape_filter+0x5f)[0xb7ec0e5f]
ssh[0xb7ed5145]
ssh[0xb7ed5655]
ssh[0xb7ed93fb]
ssh[0xb7ec1af8]
ssh(main+0x1885)[0xb7ebaaa5]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7a82455]
ssh[0xb7eb8b01]
======= Memory map: ========
b7eb3000-b7f03000 r-xp 00000000 08:01 Abort

(the backtrace is formatted a little because the output is a little
messed up)

The problem does not occur when invoked in the command line or when used
in ~/.ssh/config.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ssh depends on:
ii  openssh-client                1:5.1p1-3  secure shell client, an rlogin/rsh
ii  openssh-server                1:5.1p1-3  secure shell server, an rshd repla

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
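
The report does not identify the faulty code. The following added example, which is not OpenSSH code and not a diagnosis of this bug, shows how a parser's error path and its caller's cleanup can release the same pointer twice on a rejected specification, and the idempotent cleanup that prevents it. `struct fwd_spec`, `parse_spec`, `spec_free` and `try_forward` are hypothetical names, and the specification strings are constructed inputs.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; this is not OpenSSH code. */
struct fwd_spec { char *listen_host, *host; int listen_port, host_port; };
static char *dupstr(const char *s) {
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
static int parse_port(const char *s) {    /* 1..65535, else -1 (e.g. "*.80") */
    char *end;
    long v = strtol(s, &end, 10);
    return (*s == '\0' || *end != '\0' || v < 1 || v > 65535) ? -1 : (int)v;
}
void spec_free(struct fwd_spec *f) {      /* idempotent: pointers are reset */
    free(f->listen_host); f->listen_host = NULL;
    free(f->host);        f->host = NULL;
}
/* Parse "[bind_address:]port:host:hostport"; 1 on success, 0 on failure. */
int parse_spec(struct fwd_spec *f, const char *text) {
    char *copy = dupstr(text), *field[4], *p = copy;
    int n = 0, ok = 0;
    memset(f, 0, sizeof(*f));
    while (n < 4 && p != NULL) {          /* split on ':' in place */
        field[n++] = p;
        if ((p = strchr(p, ':')) != NULL) *p++ = '\0';
    }
    if (p == NULL && n >= 3) {            /* 3 or 4 fields, nothing left over */
        int i = n - 3;                    /* index of the listen-port field */
        if (n == 4) f->listen_host = dupstr(field[0]);
        f->listen_port = parse_port(field[i]);
        f->host = dupstr(field[i + 1]);
        f->host_port = parse_port(field[i + 2]);
        ok = f->listen_port > 0 && f->host_port > 0 && f->host != NULL &&
             (n == 3 || f->listen_host != NULL);
    }
    free(copy);
    /* Unsafe variant: free(f->host) here without resetting it, so the
     * caller's spec_free() releases the same pointer a second time. */
    if (!ok) spec_free(f);
    return ok;
}
int try_forward(const char *text) {       /* caller that always cleans up */
    struct fwd_spec f;
    int ok = parse_spec(&f, text);
    spec_free(&f);
    return ok;
}
int main(void) { return try_forward("*.80:localhost:80"); } /* 0 = rejected */
```

Building this with `-fsanitize=address` and switching to the unsafe variant described in the comment makes the second `free()` show up as a sanitizer report instead of a glibc abort.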
