Subject: lib/22347: ssh will render broken fingerprint in known_hosts
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <wulf@netbsd.org>
List: netbsd-bugs
Date: 08/03/2003 11:46:07
>Number: 22347
>Category: lib
>Synopsis: ssh will render broken fingerprint in known_hosts
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Aug 03 11:47:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Berndt Josef fWulf
>Release: NetBSD-1.6U
>Organization:
NTC-Electronics
>Environment:
NetBSD husky 1.6U NetBSD 1.6U (HUSKY2) #5: Wed Jul 30 16:08:58 CST 2003 root@husky:/usr/src/sys/arch/i386/compile/HUSKY2 i386
>Description:
ssh will render a bad signature in the known_hosts file due to bad buffer size calculations in the BN_bn2dec() conversion function of the libcrypto library that uses the snprintf(3) function.
>How-To-Repeat:
Establish an ssh connection to a new host and confirm the fingerprint. Inspect the fingerprint in the known_hosts file and notice that only the first few digits of the signature are saved, causing any subsequent connections to this host to fail with "StrictHostKeyChecking ask" enabled in ssh_config.
>Fix:
--- ./src/crypto/dist/openssl/crypto/bn/bn_print.c.orig 2003-08-03 20:45:32.000000000 +0930
+++ ./src/crypto/dist/openssl/crypto/bn/bn_print.c 2003-08-03 20:46:45.000000000 +0930
@@ -139,12 +139,12 @@
/* We now have a series of blocks, BN_DEC_NUM chars
* in length, where the last one needs truncation.
* The blocks need to be reversed in order. */
- snprintf(p, sizeof(buf) - (p - buf), BN_DEC_FMT1, *lp);
+ snprintf(p, num - (p - buf) + 3, BN_DEC_FMT1, *lp);
while (*p) p++;
while (lp != bn_data)
{
lp--;
- snprintf(p, sizeof(buf) - (p - buf), BN_DEC_FMT2, *lp);
+ snprintf(p, num - (p - buf) + 3, BN_DEC_FMT2, *lp);
while (*p) p++;
}
}
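Review bot: Both replaced snprintf() calls hard-code "+ 3" in the bound, and that constant is only correct if it matches the size buf was allocated with, which is not visible in this hunk. Keep the allocation size in one variable where buf is allocated and use that variable minus (p - buf) in both calls, so the bound cannot drift from the allocation if the size calculation changes later. The return value of snprintf() is also still ignored: checking it against the remaining space would turn a silently shortened string, the symptom this report describes, into a detectable error, and it would replace the "while (*p) p++" rescans.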
>Release-Note:
>Audit-Trail:
>Unformatted:
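
The truncation described in the report, reproduced as an added example (not code from the report or from OpenSSL). It assumes buf is a heap pointer, so that sizeof(buf) is the pointer size; render_blocks(), BLOCKS and the "%lu"/"%09lu" formats are hypothetical stand-ins for the patched loop and BN_DEC_FMT1/BN_DEC_FMT2.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a number split into base-10^9 blocks, least
 * significant first, which the loop walks from the top block down. */
static const unsigned long BLOCKS[] = { 987654321UL, 123456789UL, 42UL };
#define NBLOCKS (sizeof(BLOCKS) / sizeof(BLOCKS[0]))

/* Render the blocks as one decimal string. use_sizeof=1 mimics the
 * pre-patch bound (sizeof applied to a pointer, an assumption about
 * buf); use_sizeof=0 bounds each write by the real allocation size. */
char *render_blocks(int use_sizeof)
{
    size_t cap = NBLOCKS * 9 + 1;          /* 9 digits per block + NUL */
    char *buf = malloc(cap);
    char *p = buf;
    size_t i = NBLOCKS;

    if (buf == NULL)
        return NULL;
    buf[0] = '\0';
    while (i-- > 0) {
        /* sizeof(buf) is the size of a char *, not of the allocation */
        size_t limit = use_sizeof ? sizeof(buf) : cap;
        size_t used = (size_t)(p - buf);
        /* top block unpadded, lower blocks zero-padded to 9 digits */
        const char *fmt = (i == NBLOCKS - 1) ? "%lu" : "%09lu";

        snprintf(p, limit - used, fmt, BLOCKS[i]);
        p += strlen(p);                    /* advance to the new NUL */
    }
    return buf;
}

int main(void)
{
    char *bad = render_blocks(1);
    char *good = render_blocks(0);

    if (bad == NULL || good == NULL)
        return 1;
    printf("pointer-sized bound: %s\n", bad);   /* only the leading digits */
    printf("allocation bound:    %s\n", good);  /* the full number */
    free(bad);
    free(good);
    return 0;
}
```

With the pointer-sized bound the output stops after sizeof(char *) - 1 characters, which on i386 is the first three digits of the key material.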