[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#801530: openssh-client: Segfault on malformed keys - possible security impact

Package: openssh-client
Version: 1:6.7p1-5
Severity: important
Tags: security

Dear Maintainer,

I believe that the sanest way to generate an SSH fingerprint, for display
to users, etc, is via executing:

    ssh-keygen -l -f path/to/public.key

This is the rationale behind the following blog-post:


The gzipped key attached to this email, generated via magical-fuzzing,
will result in a segfault, and a suspicious EIP setting.  This may
indicate code-execution possiblities, and so should probably have
a CVE identifier assigned.

Demonstration is as simple as:

helsinki ~ $ ssh-keygen -l -f ~/key.trigger.pub
Segmentation fault

The backtrace shows EIP as 0x000055555556807e, which looks at least
partially controllable.  I've not yet delved into the details.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.17.25
ii  libc6             2.19-18+deb8u1
ii  libedit2          3.1-20140620-2
ii  libgssapi-krb5-2  1.12.1+dfsg-19
ii  libselinux1       2.3-2
ii  libssl1.0.0       1.0.1k-3+deb8u1
ii  passwd            1:4.2-3
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/ssh_config changed [not included]

-- no debconf information

Attachment: key.trigger.pub.gz
Description: application/gzip

Reply to: