openssh bugs - Mar 2021 - [Bug 3273] New: ssh-keygen uses getpwuid() without pwcopy()

https://bugzilla.mindrot.org/show_bug.cgi?id=3273

            Bug ID: 3273
           Summary: ssh-keygen uses getpwuid() without pwcopy()
           Product: Portable OpenSSH
           Version: 8.5p1
          Hardware: PPC
                OS: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: contrib at dwatteau.fr

Created attachment 3477
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3477&action=edit
Add missing call to pwcopy() in ssh-keygen.c

On Mac OS X 10.5.8 PPC, with OpenSSL 1.1.1j from MacPorts, t7.out
regress test currently fails with the following crash:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xc0000000
0x93f047c8 in strlen ()
(gdb) bt
#0  0x93f047c8 in strlen ()
#1  0x93f9777c in __vfprintf$LDBL128 ()
#2  0x93f9b898 in snprintf$LDBL128 ()
#3  0x000114a0 in main (argc=0, argv=0xbffff848) at ssh-keygen.c:3670

which seems to come from pw_name in this snprintf call:

        else {
                /* Create default comment field for the passphrase. */
                snprintf(comment, sizeof comment, "%s@%s",
pw->pw_name,
hostname);
        }

This looks similar to bug 1377 and bug 1414, i.e. pw_name comes from
getpwuid() which is called without a pwcopy().

The attached diff simply adds it, like some other ssh tools already do,
and makes t7.out pass again on MacOS X Leopard PPC.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3273

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
             Blocks|                            |3270

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
fixed in openssh-8.6


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3270
[Bug 3270] Tracking bug for 8.6 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3273

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.