Reported downstream: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693811
Package: libssh-4
Version: 0.5.2-1
Severity: normal
Dear Maintainer,
The parser of known_hosts file does not fully comply with the specification of
known_hosts files as described in sshd(8).
More precisely, if an entry contains a comment field (4th field) like in:
abel.debian.org,abel,217.140.96.56 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA14isG3iFLMaqbmNoF1rXcG0dPwKWANn7Exi1ZlF52EflIfevLH5qCNg1JpIklwITgreGGrzZmPqWG89mZipz0+oYYDhSQjecGCKrA6QtP93uhFC+8KID0yQw6GmtxtcLZWxthbVZQLbRVjuieYsvXZ4mVEXjsNDXAJKjZHu3ZBlbzATZBWW0k1dE7KC5XKq/w/E5KXD4Jy0AonJdZxnpyNunw04Zt8gfvjIpokq+x8Mwe1+6LZpzCf7Hb+dL7/yYvLcSDLm5wllfuJ9mwRgFFG0Ka2+XFphPS8jzsw5G6M5+niwcKlkVeV43HqOFO7jWHCP/sJMF0+WkmCDOQ1HoCQ== root`abel
Then the entry is not processed and libssh asks for user confirmation of the
fingerprint.
Removing the comment (here "root`abel") fixes the problem. However, comment
fields are explicitly allowed by the known_hosts spec, and should therefore be
supported (they are for example used in the known_hosts provided by DSA, from
which the above example is extracted).
The problematic code is in src/known_hosts.c around line 153: the code assumes
that having four fields implies that this is an old RSA-1 key, which is a wrong
assumption.
Regards,
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libssh-4 depends on:
ii libc6 2.13-35
ii libssl1.0.0 1.0.1c-4
ii multiarch-support 2.13-35
ii zlib1g 1:1.2.7.dfsg-13
libssh-4 recommends no packages.
libssh-4 suggests no packages.
-- no debconf information
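
An added example, not libssh's code and not part of the original report: one way to tell an old RSA-1 entry from a current entry with a trailing comment is to look at what the fields contain rather than how many there are. The names `kh_classify` and `all_digits` are hypothetical, and the sketch assumes plain entries (no `@cert-authority`/`@revoked` markers).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum kh_kind { KH_INVALID, KH_RSA1, KH_SSH2 };
/* True when s is a non-empty run of decimal digits. */
static int all_digits(const char *s)
{
    if (*s == '\0') return 0;
    while (isdigit((unsigned char)*s)) s++;
    return *s == '\0';
}

/* Classify one known_hosts line by what its fields contain, not how many
 * there are. On KH_SSH2, type and key receive fields 2 and 3; anything
 * after the key is treated as the optional comment and ignored. */
enum kh_kind kh_classify(const char *line, char *type, char *key, size_t len)
{
    char buf[2048], *tok[4] = {0}, *p = buf;
    int n = 0;
    if (strlen(line) >= sizeof(buf)) return KH_INVALID;
    strcpy(buf, line);
    while (n < 4) {                       /* only the first four fields matter */
        p += strspn(p, " \t\r\n");
        if (*p == '\0') break;
        tok[n++] = p;
        p += strcspn(p, " \t\r\n");
        if (*p) *p++ = '\0';
    }
    if (n < 3 || tok[0][0] == '#') return KH_INVALID;
    /* Old RSA-1 layout: hostnames bits exponent modulus, all decimal. */
    if (n == 4 && all_digits(tok[1]) && all_digits(tok[2]) && all_digits(tok[3]))
        return KH_RSA1;
    if (all_digits(tok[1])) return KH_INVALID;  /* numeric but not RSA-1 shaped */
    /* Otherwise: hostnames keytype base64-key [comment] */
    snprintf(type, len, "%s", tok[1]);
    snprintf(key, len, "%s", tok[2]);
    return KH_SSH2;
}

int main(void)
{
    char type[512], key[512];
    /* Constructed sample lines, not from a real known_hosts file. */
    int a = kh_classify("host.example ssh-rsa AAAAB3NzaC1yc2E= admin@host", type, key, sizeof type);
    int b = kh_classify("host.example 1024 35 1234567890123", type, key, sizeof type);
    printf("with comment: %d, rsa1: %d\n", a, b);
    return 0;
}
```

With this check, a four-field line whose second field is a key type name is handled as a current entry plus comment, so the stored key is compared instead of falling through to a fingerprint prompt.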