libssh-4: parsing of known_hosts file fails for entries with a comment field
Open, HighPublic

Description

Reported downstream: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693811

Package: libssh-4
Version: 0.5.2-1
Severity: normal

Dear Maintainer,

The parser of knownhosts file does not fully comply with the specification of
known
hosts files as described in sshd(8).

More precisely, if an entry contains a comment field (4th field) like in:

abel.debian.org,abel,217.140.96.56 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA14isG3iFLMaqbmNoF1rXcG0dPwKWANn7Exi1ZlF52EflIfevLH5qCNg1JpIklwITgreGGrzZmPqWG89mZipz0+oYYDhSQjecGCKrA6QtP93uhFC+8KID0yQw6GmtxtcLZWxthbVZQLbRVjuieYsvXZ4mVEXjsNDXAJKjZHu3ZBlbzATZBWW0k1dE7KC5XKq/w/E5KXD4Jy0AonJdZxnpyNunw04Zt8gfvjIpokq+x8Mwe1+6LZpzCf7Hb+dL7/yYvLcSDLm5wllfuJ9mwRgFFG0Ka2+XFphPS8jzsw5G6M5+niwcKlkVeV43HqOFO7jWHCP/sJMF0+WkmCDOQ1HoCQ== root`abel

Then the entry is not processed and libssh asks for user confirmation of the
fingerprint.

Removing the comment (here "root`abel") fixes the problem. However comment
fields are explicitly allowed by the knownhosts spec, and should therefore be
supported (they are for example used in the known
hosts provided by DSA, from
which the above example is extracted).

The problematic code is in src/known//hosts.c around line 153: the code assumes
that having four fields imply that this is an old RSA-1 key, which is a wrong
assumption.

Regards,
~~~~System Information:
Debian Release: wheezy/sid

APT prefers testing
APT policy: (990, 'testing')

Architecture: amd64 (x86//64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=frFR.UTF-8, LCCTYPE=fr//FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssh-4 depends on:
ii libc6 2.13-35
ii libssl1.0.0 1.0.1c-4
ii multiarch-support 2.13-35
ii zlib1g 1:1.2.7.dfsg-13

libssh-4 recommends no packages.

libssh-4 suggests no packages.
~~~~no debconf information

migration created this object with visibility "Restricted Project (Project)".
migration created this object with edit policy "Restricted Project (Project)".
asn changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Aug 17 2017, 3:12 PM
asn raised the priority of this task from Normal to High.Nov 16 2017, 12:17 PM