bugzilla-daemon at bugzilla.mindrot.org
2017-Aug-26 11:39 UTC
[Bug 2768] New: Possible string truncations in sshconnect2.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2768

            Bug ID: 2768
           Summary: Possible string truncations in sshconnect2.c
           Product: Portable OpenSSH
           Version: -current
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cjwatson at debian.org

Created attachment 3041
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3041&action=edit
Increase prompt buffer sizes to fit text

sshconnect2.c: In function ‘userauth_passwd’:
sshconnect2.c:909:42: warning: ‘%.128s’ directive output may be truncated writing up to 128 bytes into a region of size between 119 and 149 [-Wformat-truncation=]
         snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
                                                 ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 15 and 173 bytes into a destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c: In function ‘input_userauth_passwd_changereq’:
sshconnect2.c:960:19: warning: ‘%.128s’ directive output may be truncated writing up to 128 bytes into a region of size between 113 and 143 [-Wformat-truncation=]
             "Enter %.30s@%.128s's old password: ",
                          ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 25 and 183 bytes into a destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c:969:20: warning: ‘%.128s’ directive output may be truncated writing up to 128 bytes into a region of size between 113 and 143 [-Wformat-truncation=]
              "Enter %.30s@%.128s's new password: ",
                           ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 25 and 183 bytes into a destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c:977:21: warning: ‘%.128s’ directive output may be truncated writing up to 128 bytes into a region of size between 112 and 142 [-Wformat-truncation=]
              "Retype %.30s@%.128s's new password: ",
                            ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 26 and 184 bytes into a destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The relevant buffers are just plain too small. Patch attached.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
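The byte counts in the warnings above can be reproduced with snprintf itself. This is an added example, not code from OpenSSH or from the attached patch; the four format strings and the 150-byte size come from the report, while the helper names and the 256-byte comparison size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OLD_PROMPT_SIZE 150  /* destination size reported in the warnings */
#define BIG_PROMPT_SIZE 256  /* assumed larger size, not taken from the fix */

/* Constructed worst-case inputs: longer than the %.30s / %.128s precisions. */
static void worst_inputs(char *user, char *host)
{
    memset(user, 'u', 63);  user[63] = '\0';
    memset(host, 'h', 255); host[255] = '\0';
}

/* Bytes needed, including the NUL, for each prompt named in the report. */
static int worst_case_bytes(int which)
{
    char user[64], host[256];
    int n = -1;

    worst_inputs(user, host);
    switch (which) {
    case 0: n = snprintf(NULL, 0, "%.30s@%.128s's password: ", user, host); break;
    case 1: n = snprintf(NULL, 0, "Enter %.30s@%.128s's old password: ", user, host); break;
    case 2: n = snprintf(NULL, 0, "Enter %.30s@%.128s's new password: ", user, host); break;
    case 3: n = snprintf(NULL, 0, "Retype %.30s@%.128s's new password: ", user, host); break;
    }
    return n < 0 ? -1 : n + 1;
}

/* Format the password prompt into `size` bytes (at most BIG_PROMPT_SIZE).
 * Returns 1 if snprintf truncated, 0 if the prompt fit, -1 on error. */
static int prompt_truncated(size_t size)
{
    char prompt[BIG_PROMPT_SIZE], user[64], host[256];
    int n;

    if (size == 0 || size > sizeof(prompt))
        return -1;
    worst_inputs(user, host);
    n = snprintf(prompt, size, "%.30s@%.128s's password: ", user, host);
    if (n < 0)
        return -1;
    return (size_t)n >= size;  /* a return value >= size means output was cut */
}

int main(void)
{
    printf("password prompt needs %d bytes\n", worst_case_bytes(0));
    printf("150-byte buffer truncated: %d\n", prompt_truncated(OLD_PROMPT_SIZE));
    printf("256-byte buffer truncated: %d\n", prompt_truncated(BIG_PROMPT_SIZE));
    return 0;
}
```

The upper bounds match the compiler's notes (173, 183, 183 and 184 bytes), so a 150-byte destination silently cuts the prompt whenever user and host are long enough.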
bugzilla-daemon at bugzilla.mindrot.org
2017-Aug-26 23:10 UTC
[Bug 2768] Possible string truncations in sshconnect2.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2768

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
             Blocks|                            |2698

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
Looks reasonable, sending upstream (but with slightly larger buffers).

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Aug-27 00:38 UTC
[Bug 2768] Possible string truncations in sshconnect2.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2768

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Committed upstream, it'll be synced into portable in due course. Thanks.
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 02:26 UTC
[Bug 2768] Possible string truncations in sshconnect2.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2768

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.