From owner-freebsd-bugs  Tue Jun 18 12:30:44 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 1B42037B42A
	for <freebsd-bugs@hub.freebsd.org>; Tue, 18 Jun 2002 12:30:02 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g5IJU2U86942;
	Tue, 18 Jun 2002 12:30:02 -0700 (PDT)
	(envelope-from gnats)
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id 5D73F37B40D
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 18 Jun 2002 12:23:42 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g5IJNghG012203
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 18 Jun 2002 12:23:42 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g5IJNfuI012202;
	Tue, 18 Jun 2002 12:23:41 -0700 (PDT)
Message-Id: <200206181923.g5IJNfuI012202@www.freebsd.org>
Date: Tue, 18 Jun 2002 12:23:41 -0700 (PDT)
From: AIDA Shinra <aida-s@jcom.home.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: bin/39478: `ssh-keygen -p -t rsa' causes segfault
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         39478
>Category:       bin
>Synopsis:       `ssh-keygen -p -t rsa' causes segfault
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 18 12:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     AIDA Shinra
>Release:        4.6RC(2002.06.09, RELENG_4_6)
>Organization:
>Environment:
FreeBSD xxx 4.6-RELEASE FreeBSD 4.6-RELEASE #0: Sun Jun  9 22:39:42 JST 2002     shinra@xxx:/usr/obj/usr/freebsd/src/sys/LOCAL  i386      

>Description:
When I try to change ssh2 passphrase with `ssh-keygen -p -t rsa',
ssh-keygen core dumps and I cannot change the passphrase.      
On the other hand, hanging ssh1 passphrase successfully finishes.

This is a backtrace:
% gdb -c ssh-keygen.core ssh-keygen
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `ssh-keygen'.
Program terminated with signal 11, Segmentaton fault.
Reading symbols from /usr/lib/libcrypto.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x2819c002 in vfprintf () from /usr/lib/libc.so.4
(gdb) backtrace
#0  0x2819c002 in vfprintf () from /usr/lib/libc.so.4
#1  0x281889a0 in printf () from /usr/lib/libc.so.4
#2  0x804b1f8 in do_change_passphrase (pw=0x281b5180)
    at /usr/freebsd/src/secure/usr.bin/ssh-keygen/../../../crypto/openssh/ssh-keygen.c:485
#3  0x804ba34 in main (ac=, av=0xbfbff64c)
    at /usr/freebsd/src/secure/usr.bin/ssh-keygen/../../../crypto/openssh/ssh-keygen.c:754
#4  0x804a215 in _start (arguments=0xbfbff760 "./ssh-keygen") at /usr/freebsd/src/lib/csu/i386-elf/crt1.c:96
(gdb) up
#1  0x281889a0 in printf () from /usr/lib/libc.so.4
(gdb) up
#2  0x804b1f8 in do_change_passphrase (pw=0x281b5180)
    at /usr/freebsd/src/secure/usr.bin/ssh-keygen/../../../crypto/openssh/ssh-keygen.c:485
485             printf("Key has comment '%s'\n", comment);


`comment' seems garbage pointer...

>How-To-Repeat:
`ssh-keygen -p -t rsa' always results segfault.      

>Fix:
This patch will solve it.
begin 644 ssh-keygen.patch.gz
M'XL("*QR#ST``W-S:"UK97EG96XN<&%T8V@`E911;YLP$,>?X5.<*DV%`"G0
M)$L33<JD/6W5M(=-TZ1)D0>78#6Q(^PD156^^\X8%M*PA[X8?+[SW>]_!U$4
M@5)%](35&L4P&\J2KYV?F,/GO8#D`>)T-IK.TA&D<9RZ01!<N+_V?)BEJ?5<
M+"`:C2?A>PCL8[%PX2!Y[D(NEUG!Q!J7.Z;4KBB90D_I<I]I,)9C#H/=T7?A
MQ8T<\BQAD,GM%H6>N\&E`3[`UQ^/CW,7&KO<Y)U;0[KHWR:YV*4FIDFJ-#.+
ML7S!BKQ*?F`:YQ9BFM80]$CBFL)Q''SFVDM\$^&<:#E1I10E],J[,5<43$%;
MXNT[=?M;W(2MP3<4?`5>NZ?MVX)QH[`O2,C6C4),<539W0`^JB?0!8+`(YP%
M`$\?>8;^$`9WY&<*XCF%<ETMR;.CHD^-,$J,XSB<0#".[\-I*\3SJD3T.B);
M3:[L:6-O2_Y&)V"/%`T$E:YARW16#`&^EQ6P->-B:#&(]$JO-L-9EKZV&/I/
M2%V65:V`I*4DC79535U#)?=A,B*J9!HFDP9KBUN%VKN8G3BD$2DW*"YH;:[_
MJ$!?R=*>V($B:W1=>-!#UP/783O9OG;).GUE(J]-!A/DJGZG2H`+("Y95DW'
MWPC9SWB-Z#APKLT,LM#$H$S.J(?]-?H5.25IA^:7W)=@AW3%,Z:Y%/7<_T$4
;H-B!_D5'KHN>86\F":R*,;W^!=;[5/OY!```
`
end

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message