Package: openssh-client Version: 1:6.7p1-5 Severity: important Tags: security Dear Maintainer, I believe that the sanest way to generate an SSH fingerprint, for display to users, etc, is via executing: ssh-keygen -l -f path/to/public.key This is the rationale behind the following blog-post: http://blog.steve.org.uk/generating_fingerprints_from_ssh_keys.html The gzipped key attached to this email, generated via magical-fuzzing, will result in a segfault, and a suspicious EIP setting. This may indicate code-execution possiblities, and so should probably have a CVE identifier assigned. Demonstration is as simple as: helsinki ~ $ ssh-keygen -l -f ~/key.trigger.pub Segmentation fault The backtrace shows EIP as 0x000055555556807e, which looks at least partially controllable. I've not yet delved into the details. -- System Information: Debian Release: 8.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages openssh-client depends on: ii adduser 3.113+nmu3 ii dpkg 1.17.25 ii libc6 2.19-18+deb8u1 ii libedit2 3.1-20140620-2 ii libgssapi-krb5-2 1.12.1+dfsg-19 ii libselinux1 2.3-2 ii libssl1.0.0 1.0.1k-3+deb8u1 ii passwd 1:4.2-3 ii zlib1g 1:1.2.8.dfsg-2+b1 Versions of packages openssh-client recommends: ii xauth 1:1.0.9-1 Versions of packages openssh-client suggests: pn keychain <none> pn libpam-ssh <none> pn monkeysphere <none> pn ssh-askpass <none> -- Configuration Files: /etc/ssh/ssh_config changed [not included] -- no debconf information
Attachment:
key.trigger.pub.gz
Description: application/gzip