From nobody@www.freebsd.org  Tue Jun 18 12:23:43 2002
Return-Path: <nobody@www.freebsd.org>
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id 5D73F37B40D
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 18 Jun 2002 12:23:42 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g5IJNghG012203
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 18 Jun 2002 12:23:42 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g5IJNfuI012202;
	Tue, 18 Jun 2002 12:23:41 -0700 (PDT)
Message-Id: <200206181923.g5IJNfuI012202@www.freebsd.org>
Date: Tue, 18 Jun 2002 12:23:41 -0700 (PDT)
From: AIDA Shinra <aida-s@jcom.home.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
Subject: `ssh-keygen -p -t rsa' causes segfault
X-Send-Pr-Version: www-1.0

>Number:         39478
>Category:       bin
>Synopsis:       `ssh-keygen -p -t rsa' causes segfault
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 18 12:30:01 PDT 2002
>Closed-Date:    Wed Oct 30 07:04:31 PST 2002
>Last-Modified:  Wed Oct 30 07:04:31 PST 2002
>Originator:     AIDA Shinra
>Release:        4.6RC(2002.06.09, RELENG_4_6)
>Organization:
>Environment:
FreeBSD xxx 4.6-RELEASE FreeBSD 4.6-RELEASE #0: Sun Jun  9 22:39:42 JST 2002     shinra@xxx:/usr/obj/usr/freebsd/src/sys/LOCAL  i386      

>Description:
When I try to change the ssh2 passphrase with `ssh-keygen -p -t rsa',
ssh-keygen core dumps and I cannot change the passphrase.
On the other hand, changing the ssh1 passphrase finishes successfully.

This is a backtrace:
% gdb -c ssh-keygen.core ssh-keygen
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `ssh-keygen'.
Program terminated with signal 11, Segmentaton fault.
Reading symbols from /usr/lib/libcrypto.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x2819c002 in vfprintf () from /usr/lib/libc.so.4
(gdb) backtrace
#0  0x2819c002 in vfprintf () from /usr/lib/libc.so.4
#1  0x281889a0 in printf () from /usr/lib/libc.so.4
#2  0x804b1f8 in do_change_passphrase (pw=0x281b5180)
    at /usr/freebsd/src/secure/usr.bin/ssh-keygen/../../../crypto/openssh/ssh-keygen.c:485
#3  0x804ba34 in main (ac=, av=0xbfbff64c)
    at /usr/freebsd/src/secure/usr.bin/ssh-keygen/../../../crypto/openssh/ssh-keygen.c:754
#4  0x804a215 in _start (arguments=0xbfbff760 "./ssh-keygen") at /usr/freebsd/src/lib/csu/i386-elf/crt1.c:96
(gdb) up
#1  0x281889a0 in printf () from /usr/lib/libc.so.4
(gdb) up
#2  0x804b1f8 in do_change_passphrase (pw=0x281b5180)
    at /usr/freebsd/src/secure/usr.bin/ssh-keygen/../../../crypto/openssh/ssh-keygen.c:485
485             printf("Key has comment '%s'\n", comment);


`comment' seems to be a garbage pointer...

>How-To-Repeat:
`ssh-keygen -p -t rsa' always results in a segfault.

>Fix:
This patch will solve it.
begin 644 ssh-keygen.patch.gz
M'XL("*QR#ST``W-S:"UK97EG96XN<&%T8V@`E911;YLP$,>?X5.<*DV%`"G0
M)$L33<JD/6W5M(=-TZ1)D0>78#6Q(^PD156^^\X8%M*PA[X8?+[SW>]_!U$4
M@5)%](35&L4P&\J2KYV?F,/GO8#D`>)T-IK.TA&D<9RZ01!<N+_V?)BEJ?5<
M+"`:C2?A>PCL8[%PX2!Y[D(NEUG!Q!J7.Z;4KBB90D_I<I]I,)9C#H/=T7?A
MQ8T<\BQAD,GM%H6>N\&E`3[`UQ^/CW,7&KO<Y)U;0[KHWR:YV*4FIDFJ-#.+
ML7S!BKQ*?F`:YQ9BFM80]$CBFL)Q''SFVDM\$^&<:#E1I10E],J[,5<43$%;
MXNT[=?M;W(2MP3<4?`5>NZ?MVX)QH[`O2,C6C4),<539W0`^JB?0!8+`(YP%
M`$\?>8;^$`9WY&<*XCF%<ETMR;.CHD^-,$J,XSB<0#".[\-I*\3SJD3T.B);
M3:[L:6-O2_Y&)V"/%`T$E:YARW16#`&^EQ6P->-B:#&(]$JO-L-9EKZV&/I/
M2%V65:V`I*4DC79535U#)?=A,B*J9!HFDP9KBUN%VKN8G3BD$2DW*"YH;:[_
MJ$!?R=*>V($B:W1=>-!#UP/783O9OG;).GUE(J]-!A/DJGZG2H`+("Y95DW'
MWPC9SWB-Z#APKLT,LM#$H$S.J(?]-?H5.25IA^:7W)=@AW3%,Z:Y%/7<_T$4
;H-B!_D5'KHN>86\F":R*,;W^!=;[5/OY!```
`
end
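
Added example, not code from this PR or from OpenSSH: a small C model of the bug class the backtrace points at, an out-parameter (`comment') that a key loader assigns on only some code paths, after which the caller hands the still-uninitialised pointer to printf("%s"). The key types, loader functions, file names and comment strings below are constructed for illustration. The hardened loader and caller show the two checks that close this class of defect: initialise the pointer before the call, and make every success path of the loader assign it.

```c
/* Added example, not OpenSSH's or this PR's code: models the bug class in
 * the backtrace above. Key types, loaders and sample data are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_RSA1 1 /* constructed: file format that stores a comment */
#define KEY_RSA  2 /* constructed: file format with no comment field */

struct key {
    int type;
    const char *comment; /* NULL when the format carries none */
};

/* Loader modelled on the failure mode: *commentp is written only for the
 * format that has a comment, so for KEY_RSA the caller's variable keeps
 * whatever was on the stack, yet the loader still reports success. */
static int
load_private_buggy(const struct key *k, char **commentp)
{
    if (k->type == KEY_RSA1 && commentp != NULL)
        *commentp = strdup(k->comment);
    return 1;
}

/* Hardened loader: every success path assigns the out-parameter, falling
 * back to the file name when the format has no comment. */
static int
load_private_fixed(const struct key *k, const char *filename, char **commentp)
{
    char *c = (k->type == KEY_RSA1 && k->comment != NULL)
                  ? strdup(k->comment) : strdup(filename);
    if (c == NULL)
        return 0;
    if (commentp != NULL)
        *commentp = c;
    else
        free(c);
    return 1;
}

/* Hardened caller: initialises the pointer, checks the loader's result and
 * never hands a possibly-NULL pointer to "%s". Writes the message to buf
 * and returns its length, or -1 if the key could not be loaded. */
static int
describe_key(const struct key *k, const char *filename, char *buf, size_t buflen)
{
    char *comment = NULL; /* deterministic even if a loader skips it */
    int n;

    if (!load_private_fixed(k, filename, &comment))
        return -1;
    n = snprintf(buf, buflen, "Key has comment '%s'",
                 comment != NULL ? comment : "(none)");
    free(comment);
    return n;
}

/* Evidence for the bug: after the buggy loader "succeeds" on a KEY_RSA key,
 * the caller's pointer still holds the sentinel it started with. */
static int
buggy_leaves_comment_unset(void)
{
    struct key rsa = { KEY_RSA, NULL };
    char *comment = (char *)"SENTINEL";

    load_private_buggy(&rsa, &comment);
    return strcmp(comment, "SENTINEL") == 0;
}

/* Convenience check used by main (and tests): does describe_key produce
 * the expected message for a constructed key? */
static int
describe_key_matches(int type, const char *comment, const char *filename,
                     const char *expected)
{
    struct key k = { type, comment };
    char buf[128];

    if (describe_key(&k, filename, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int
main(void)
{
    printf("buggy loader leaves comment unset: %d\n", buggy_leaves_comment_unset());
    printf("rsa1 ok: %d\n", describe_key_matches(KEY_RSA1, "shinra@xxx", "identity",
                                                 "Key has comment 'shinra@xxx'"));
    printf("rsa ok: %d\n", describe_key_matches(KEY_RSA, NULL, "id_rsa",
                                                "Key has comment 'id_rsa'"));
    return 0;
}
```

The sentinel in buggy_leaves_comment_unset() is a string literal rather than a junk address so the demonstration itself never dereferences an invalid pointer; in the real crash the untouched variable held whatever the stack contained, which is why vfprintf faulted. Compiling with -Wall -Wuninitialized, or running under a memory checker, flags the same pattern when the variable is left without an initialiser.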

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Fri Jun 21 20:12:31 PDT 2002 
Responsible-Changed-Why:  

des is the nominal ssh maintainer. I confirmed this myself. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39478 
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Wed Oct 30 07:04:30 PST 2002 
State-Changed-Why:  
Fixed earlier this year by the 3.4p1 upgrade. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39478 
>Unformatted:
