bugzilla-daemon at mindrot.org
2022-Mar-17  22:30 UTC
[Bug 3408] New: segfault in ssh-keygen -Y check-novalidate when -n option is missing
https://bugzilla.mindrot.org/show_bug.cgi?id=3408
            Bug ID: 3408
           Summary: segfault in ssh-keygen -Y check-novalidate when -n
                    option is missing
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mateusz at adamowski.pl
This bug report is just a copy of PR #307 on GitHub:
https://github.com/openssh/openssh-portable/pull/307
I found a bug in ssh-keygen.
Steps to reproduce:
$ ssh-keygen -Y check-novalidate -s anyfile.txt.sig < anyfile.txt
Segmentation fault (core dumped)
The problem is the missing -n option, resulting in a null pointer being
passed to strcmp():
(gdb) bt
#0  __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
#1  0x0000563613b33dcf in sshsig_wrap_verify (signature=signature@entry=0x563614433040, hashalg=0x5636144332f0 "sha512", h_message=<optimized out>, expect_namespace=expect_namespace@entry=0x0, sign_keyp=sign_keyp@entry=0x7fffb358fed0, sig_details=sig_details@entry=0x7fffb358fed8) at sshsig.c:339
#2  0x0000563613b354f0 in sshsig_verify_fd (signature=0x563614433040, fd=0, expect_namespace=0x0, sign_keyp=0x7fffb358fed0, sig_details=0x7fffb358fed8) at sshsig.c:605
#3  0x0000563613b2c566 in sig_verify (signature=0x7fffb35926d0 "nauka1.txt.sig", sig_namespace=0x0, principal=0x0, allowed_keys=0x0, revoked_keys=0x0, opts=<optimized out>, nopts=0) at ssh-keygen.c:2753
#4  0x0000563613b321b8 in main (argc=0, argv=0x7fffb3590560) at ssh-keygen.c:3546
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
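Added example (not part of the report, and not the OpenSSH patch): a minimal C model of the defensive pattern for this class of bug, checking that a -Y action has its required options before any code compares the namespace. The struct, enum, table and function names are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Options a -Y action may need; these names are the example's own. */
enum { NEED_NS = 1, NEED_SIG = 2 };

struct sig_opts {
	const char *action;	/* argument of -Y */
	const char *ns;		/* argument of -n, NULL if absent */
	const char *sigfile;	/* argument of -s, NULL if absent */
};

/* Constructed table; only the two options this example tracks. */
static const struct { const char *action; int need; } required[] = {
	{ "check-novalidate", NEED_NS | NEED_SIG },
	{ "verify", NEED_NS | NEED_SIG },
};

/*
 * Return NULL when the options are complete, otherwise a message naming
 * the first problem. Meant to run before the action is dispatched.
 */
const char *
validate_sig_opts(const struct sig_opts *o)
{
	size_t i;

	if (o->action == NULL)
		return "no action given";
	for (i = 0; i < sizeof(required) / sizeof(required[0]); i++) {
		if (strcmp(o->action, required[i].action) != 0)
			continue;
		if ((required[i].need & NEED_NS) && o->ns == NULL)
			return "namespace (-n) required";
		if ((required[i].need & NEED_SIG) && o->sigfile == NULL)
			return "signature file (-s) required";
		return NULL;
	}
	return "unknown action";
}

/* Second layer: a missing namespace is a mismatch, never a crash. */
int
namespace_matches(const char *expect, const char *got)
{
	if (expect == NULL || got == NULL)
		return 0;
	return strcmp(expect, got) == 0;
}
```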
bugzilla-daemon at mindrot.org
2022-Mar-18  02:35 UTC
[Bug 3408] segfault in ssh-keygen -Y check-novalidate when -n option is missing
https://bugzilla.mindrot.org/show_bug.cgi?id=3408
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |3395
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Thanks, fix has been committed and will be in OpenSSH 9.0
commit a0b5816f8f1f645acdf74f7bc11b34455ec30bac
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Mar 18 02:31:25 2022 +0000
    upstream: ssh-keygen -Y check-novalidate requires namespace or SEGV
    will ensue. Patch from Mateusz Adamowski via GHPR#307
    OpenBSD-Commit-ID: 99e8ec38f9feb38bce6de240335be34aedeba5fd
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3395
[Bug 3395] Tracking bug for openssh-9.0
bugzilla-daemon at mindrot.org
2022-Apr-08  02:12 UTC
[Bug 3408] segfault in ssh-keygen -Y check-novalidate when -n option is missing
https://bugzilla.mindrot.org/show_bug.cgi?id=3408
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing bug resolved during openssh-9.0 release cycle