From anarcat@anarcat.dyndns.org  Wed Nov 21 13:46:47 2001
Return-Path: <anarcat@anarcat.dyndns.org>
Received: from tomts8-srv.bellnexxia.net (tomts8.bellnexxia.net [209.226.175.52])
	by hub.freebsd.org (Postfix) with ESMTP id EDFE637B405
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Nov 2001 13:46:41 -0800 (PST)
Received: from khan.anarcat.dyndns.org ([65.94.128.110])
          by tomts8-srv.bellnexxia.net
          (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP
          id <20011121214641.JFSC13234.tomts8-srv.bellnexxia.net@khan.anarcat.dyndns.org>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Wed, 21 Nov 2001 16:46:41 -0500
Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1])
	by khan.anarcat.dyndns.org (Postfix) with ESMTP id CCF271893
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Nov 2001 16:47:55 -0500 (EST)
Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000)
	id 6B26E20ADB; Wed, 21 Nov 2001 16:48:17 -0500 (EST)
Message-Id: <20011121214817.6B26E20ADB@shall.anarcat.dyndns.org>
Date: Wed, 21 Nov 2001 16:48:17 -0500 (EST)
From: The Anarcat <anarcat@anarcat.dyndns.org>
Reply-To: The Anarcat <anarcat@anarcat.dyndns.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ssh-keygen -p core dumps
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         32175
>Category:       bin
>Synopsis:       ssh-keygen -p core dumps
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 21 13:50:00 PST 2001
>Closed-Date:    Sat Mar 01 20:00:23 PST 2003
>Last-Modified:  Sat Mar 01 20:00:23 PST 2003
>Originator:     The Anarcat
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
Nada, Inc.
>Environment:
System: FreeBSD shall.anarcat.dyndns.org 4.4-STABLE FreeBSD 4.4-STABLE #0: Fri Nov 16 12:57:38 EST 2001 anarcat@shall.anarcat.dyndns.org:/usr/obj/usr/src/sys/SHALL i386

>Description:

ssh-keygen core dumps when trying to change my DSA passphrase.

Compiling the program with debugging symbols disables the bug, so it's
tricky to debug.

Here is what I can get from gdb:

anarcat@shall[~]% gdb `which ssh-keygen` ssh-keygen.core 
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
Core was generated by `ssh-keygen'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libcrypto.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...done.
#0  0x2819be32 in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0  0x2819be32 in vfprintf () from /usr/lib/libc.so.4
#1  0x281891e4 in printf () from /usr/lib/libc.so.4
#2  0x804b1f8 in sigprocmask ()
#3  0x804ba34 in sigprocmask ()
#4  0x804a215 in sigprocmask ()
(gdb) 

I am no gdb guru, but it seems to me that if I do this:

(gdb) run -p -d
Starting program: /usr/bin/ssh-keygen -p -d
(no debugging symbols found)...(no debugging symbols found)...
Enter file in which the key is (/home/anarcat/.ssh/id_dsa): 
Enter old passphrase: 
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2819be32 in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0  0x2819be32 in vfprintf () from /usr/lib/libc.so.4
#1  0x281891e4 in printf () from /usr/lib/libc.so.4
#2  0x804b1f8 in sigprocmask ()
#3  0x804ba34 in sigprocmask ()
#4  0x804a215 in sigprocmask ()
(gdb) symbol /usr/obj/usr/src/secure/usr.bin/ssh-keygen/ssh-keygen.debug 
Reading symbols from /usr/obj/usr/src/secure/usr.bin/ssh-keygen/ssh-keygen.debug...done.

I don't suppose it would work? Anyway, by the results of the tests I
ran here, no.

Is this correct? Is the information from ssh-keygen.debug valid even if
ssh-keygen was run?

>How-To-Repeat:

anarcat@shall[~]% ssh-keygen -p -d
Enter file in which the key is (/home/anarcat/.ssh/id_dsa): 
Enter old passphrase: 
zsh: segmentation fault  ssh-keygen -p -d

It does not affect RSA keys:

anarcat@shall[~]% ssh-keygen -p   
Enter file in which the key is (/home/anarcat/.ssh/identity): 
Enter old passphrase: 
Key has comment 'anarcat@shall.anarcat.dyndns.org'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

>Fix:

Workaround:
Compile the program with debugging symbols:

anarcat@shall[/usr/obj/usr/src/secure/usr.bin/ssh-keygen]% ./ssh-keygen.debug -p -d
Enter file in which the key is (/home/anarcat/.ssh/id_dsa): 
Enter old passphrase: 
Key has comment 'zP'
Enter new passphrase (empty for no passphrase): 
sh-keygen.debug in free(): warning: junk pointer, too high to make sense.
Your identification has been saved with the new passphrase.

Fix:

Unknown. The problem is probably with comment handling code.

I am available for further testing, but I of course cannot disclose my
private keyfile. ;)
>Release-Note:
>Audit-Trail:

From: ian j hart <ianjhart@ntlworld.com>
To: freebsd-gnats-submit@freebsd.org, anarcat@anarcat.dyndns.org
Cc:  
Subject: Re: bin/32175: ssh-keygen -p core dumps
Date: Thu, 20 Dec 2001 02:08:29 +0000

 Printing the comment is the source of the crash.
 The error appears to be in /usr/src/crypto/openssh/authfile.c
 
 *** authfile.c.orig     Thu Dec 20 01:17:00 2001
 --- authfile.c  Thu Dec 20 01:21:33 2001
 ***************
 *** 556,562 ****
         lseek(fd, (off_t) 0, SEEK_SET);         /* rewind */
         if (pub == NULL) {
                 /* closes fd */
 !               return key_load_private_pem(fd, KEY_UNSPEC, passphrase,
 NULL);
         } else {
                 /* it's a SSH v1 key if the public key part is readable
 */
                 key_free(pub);
 --- 556,562 ----
         lseek(fd, (off_t) 0, SEEK_SET);         /* rewind */
         if (pub == NULL) {
                 /* closes fd */
 !               return key_load_private_pem(fd, KEY_UNSPEC, passphrase,
 commentp);
         } else {
                 /* it's a SSH v1 key if the public key part is readable
 */
                 key_free(pub);
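
Review bot: forwarding commentp closes the path that left do_change_passphrase()'s `comment` uninitialized on a successful load, but the call tree below shows key_load_private_pem() writes *commentp only under `if (prv != NULL && commentp)`, so a failed load (wrong passphrase, unreadable file) still returns to a caller whose `comment` holds stack garbage. Consider having key_load_private_pem() set `*commentp = NULL` up front whenever commentp is non-NULL, or keep the ssh-keygen.c initialisation alongside this change rather than as an alternative to it.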
 
 commentp is the address of a pointer to a heap? allocated
 string (for the comment). key_load_private_pem will
 allocate memory and initialise commentp, if it gets
 a non-null value.
 
 As authfile.c is part of libssl someone who knows about
 this stuff should verify this fix. Because of this I
 present an alternative workaround.
 
 *** ssh-keygen.c.orig   Thu Dec 20 01:16:52 2001
 --- ssh-keygen.c        Thu Dec 20 01:20:49 2001
 ***************
 *** 456,462 ****
   void
   do_change_passphrase(struct passwd *pw)
   {
 !       char *comment;
         char *old_passphrase, *passphrase1, *passphrase2;
         struct stat st;
         Key *private;
 --- 456,462 ----
   void
   do_change_passphrase(struct passwd *pw)
   {
 !       char *comment = NULL;
         char *old_passphrase, *passphrase1, *passphrase2;
         struct stat st;
         Key *private;
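
Review bot: initialising `comment` to NULL only makes the symptom deterministic; the printf of the comment and the later xfree() still receive a NULL pointer. FreeBSD's libc prints "(null)" for a NULL `%s` argument, but the C standard does not guarantee that and other libcs crash on it, so guard the print with `if (comment != NULL)` or skip printing the comment for key types that carry none. The authfile.c change above is the one that actually delivers the comment; this one belongs beside it as a belt-and-braces measure, not instead of it.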
 
 This only affects ssh-keygen. The offending printf survives
 the null pointer, as does the xfree() later in the function.
 
 Call tree:
 ssh-keygen.c:	457:void do_change_passphrase(struct passwd *pw)
 		477:private = key_load_private(identity_file, old_passphrase, &comment);
 authfile.c:	541:Key *key_load_private(const char *filename, const char *passphrase, char **commentp)
 		559:return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL);  <--- error
 		435:Key *key_load_private_pem(int fd, int type, const char *passphrase, char **commentp)
 		478:        if (prv != NULL && commentp)
 		                *commentp = xstrdup(name);
 
 I wasn't sure whether to quote the whole thing here. Perhaps
 someone could advise me on "style".
 
 -- 
 ian j hart
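The out-parameter problem traced in the call tree above, as an added C example that is not part of the PR or of OpenSSH: load_pem, load_private_old, load_private_fixed, comment_state_after and the JUNK sentinel are constructed stand-ins for key_load_private_pem(), key_load_private() and do_change_passphrase(), and the fixed wrapper also clears the pointer on the failure path, which goes one step beyond the authfile.c patch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

typedef struct { int type; } Key;   /* constructed stand-in for OpenSSH's Key */
#define JUNK ((char *)0x7a50)       /* plays stale stack contents; never dereferenced */

/* Shape of key_load_private_pem() from the call tree: *commentp is written
 * only when the key actually loads, and only if the caller passed a pointer. */
static Key *load_pem(const char *name, const char *pw, char **commentp)
{
    if (strcmp(pw, "correct horse") != 0)
        return NULL;                /* failure path: *commentp untouched */
    Key *k = malloc(sizeof *k);
    k->type = 2;
    if (commentp)
        *commentp = strdup(name);
    return k;
}

/* key_load_private() before the fix: the caller's pointer is dropped, so even
 * a successful load leaves the caller's `comment` holding whatever it held. */
static Key *load_private_old(const char *name, const char *pw, char **commentp)
{
    (void)commentp;
    return load_pem(name, pw, NULL);
}

/* After the fix: commentp is forwarded. Clearing it first goes one step beyond
 * the patch and defines the out-parameter on the failure path as well. */
static Key *load_private_fixed(const char *name, const char *pw, char **commentp)
{
    if (commentp)
        *commentp = NULL;
    return load_pem(name, pw, commentp);
}

typedef Key *(*loader_fn)(const char *, const char *, char **);
/* Caller in the shape of do_change_passphrase(); `comment` is seeded with JUNK to
 * play an uninitialised local. Returns -1 if still junk (the PR's crash), 0 if NULL, 1 if a string. */
static int comment_state_after(loader_fn load, const char *pw)
{
    char *comment = JUNK;
    Key *k = load("id_dsa", pw, &comment);
    int state = (comment == JUNK) ? -1 : (comment == NULL) ? 0 : 1;
    if (state == 1)
        free(comment);              /* only free memory the loader gave us */
    free(k);
    return state;
}
```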

From: ian j hart <ianjhart@ntlworld.com>
To: freebsd-gnats-submit@freebsd.org, anarcat@anarcat.dyndns.org
Cc:  
Subject: Re: bin/32175: ssh-keygen -p core dumps
Date: Thu, 20 Dec 2001 21:02:13 +0000

 s/libssl/libssh/
 Must remember to sleep.
 
 -- 
 ian j hart
Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Sun Dec 30 06:14:00 PST 2001 
Responsible-Changed-Why:  
Over to the OpenSSH maintainer, who'll probably just pass the work 
on to Eivind. :-) 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32175 
State-Changed-From-To: open->feedback 
State-Changed-By: green 
State-Changed-When: Mon Jan 7 07:55:33 PST 2002 
State-Changed-Why:  
Committed to -CURRENT, thanks. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32175 

From: The Anarcat <anarcat@anarcat.dyndns.org>
To: green@FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org, stable@freebsd.org,
	qa@freebsd.org, re@freebsd.org
Subject: Re: bin/32175: ssh-keygen -p core dumps
Date: Mon, 21 Jan 2002 19:06:19 -0500

 On Mon Jan 07, 2002 at 07:56:41AM -0800, green@FreeBSD.org wrote:
 >
 > State-Changed-From-To: open->feedback
 > Committed to -CURRENT, thanks.
 
 Fix confirmed on -stable.
 
 Please commit fix before release.
 
 A.

From: The Anarcat <anarcat@anarcat.dyndns.org>
To: freebsd-gnats-submit@FreeBSD.org, anarcat@anarcat.dyndns.org
Cc:  
Subject: Re: bin/32175: ssh-keygen -p core dumps
Date: Sun, 07 Apr 2002 13:58:12 -0400

 This pr can be closed.
 
State-Changed-From-To: feedback->closed 
State-Changed-By: dougb 
State-Changed-When: Sat Mar 1 20:00:05 PST 2003 
State-Changed-Why:  

Originator reports problem solved. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32175 
>Unformatted:
