openssh bugs - Aug 2017 - [Bug 2768] New: Possible string truncations in sshconnect2.c

https://bugzilla.mindrot.org/show_bug.cgi?id=2768

            Bug ID: 2768
           Summary: Possible string truncations in sshconnect2.c
           Product: Portable OpenSSH
           Version: -current
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cjwatson at debian.org

Created attachment 3041
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3041&action=edit
Increase prompt buffer sizes to fit text

sshconnect2.c: In function ?userauth_passwd?:
sshconnect2.c:909:42: warning: ?%.128s? directive output may be
truncated writing up to 128 bytes into a region of size between 119 and
149 [-Wformat-truncation=]
  snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
                                          ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
?__builtin___snprintf_chk? output between 15 and 173 bytes into a
destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c: In function ?input_userauth_passwd_changereq?:
sshconnect2.c:960:19: warning: ?%.128s? directive output may be
truncated writing up to 128 bytes into a region of size between 113 and
143 [-Wformat-truncation=]
      "Enter %.30s@%.128s's old password: ",
                   ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
?__builtin___snprintf_chk? output between 25 and 183 bytes into a
destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c:969:20: warning: ?%.128s? directive output may be
truncated writing up to 128 bytes into a region of size between 113 and
143 [-Wformat-truncation=]
       "Enter %.30s@%.128s's new password: ",
                    ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
?__builtin___snprintf_chk? output between 25 and 183 bytes into a
destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c:977:21: warning: ?%.128s? directive output may be
truncated writing up to 128 bytes into a region of size between 112 and
142 [-Wformat-truncation=]
       "Retype %.30s@%.128s's new password: ",
                     ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
?__builtin___snprintf_chk? output between 26 and 184 bytes into a
destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The relevant buffers are just plain too small.  Patch attached.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2768

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
             Blocks|                            |2698

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
Looks reasonable, sending upstream (but with slightly larger buffers).


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2768

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Committed upstream, it'll be synced into portable in due course.

Thanks.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2768

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.