
libssh-4: parsing of known_hosts file fails for entries with a comment field
Status: Closed, Resolved. Visibility: Public


Reported downstream:

Package: libssh-4
Version: 0.5.2-1
Severity: normal

Dear Maintainer,

The parser of the known_hosts file does not fully comply with the specification of
known hosts files as described in sshd(8).

More precisely, if an entry contains a comment field (4th field) like in:

,abel, ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA14isG3iFLMaqbmNoF1rXcG0dPwKWANn7Exi1ZlF52EflIfevLH5qCNg1JpIklwITgreGGrzZmPqWG89mZipz0+oYYDhSQjecGCKrA6QtP93uhFC+8KID0yQw6GmtxtcLZWxthbVZQLbRVjuieYsvXZ4mVEXjsNDXAJKjZHu3ZBlbzATZBWW0k1dE7KC5XKq/w/E5KXD4Jy0AonJdZxnpyNunw04Zt8gfvjIpokq+x8Mwe1+6LZpzCf7Hb+dL7/yYvLcSDLm5wllfuJ9mwRgFFG0Ka2+XFphPS8jzsw5G6M5+niwcKlkVeV43HqOFO7jWHCP/sJMF0+WkmCDOQ1HoCQ== root`abel

Then the entry is not processed and libssh asks for user confirmation of the

Removing the comment (here "root`abel") fixes the problem. However, comment
fields are explicitly allowed by the known_hosts spec and should therefore be
supported (they are for example used in the known_hosts provided by DSA, from
which the above example is extracted).

The problematic code is in src/known_hosts.c around line 153: the code assumes
that having four fields implies that this is an old RSA-1 key, which is a wrong

-- System Information:
Debian Release: wheezy/sid

APT prefers testing
APT policy: (990, 'testing')

Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssh-4 depends on:
ii libc6 2.13-35
ii libssl1.0.0 1.0.1c-4
ii multiarch-support 2.13-35
ii zlib1g 1:1.2.7.dfsg-13

libssh-4 recommends no packages.

libssh-4 suggests no packages.
-- no debconf information
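
As an added illustration, not libssh code and not part of the report, the C snippet below places the field-count heuristic the report describes beside a classifier that looks at the second field instead (a decimal key size for SSH-1 entries, a key type name for modern entries), so a trailing comment no longer changes the verdict. The sample entries, host names and key blobs are constructed placeholders.

```c
#include <ctype.h>
#include <string.h>

enum kh_format { KH_UNKNOWN = 0, KH_MODERN = 1, KH_RSA1 = 2 };

/* Split a known_hosts line into at most `max` whitespace-separated fields
 * (pointer/length pairs into `line`); a leading "@marker" such as
 * @cert-authority is skipped and a leading '#' makes it a comment line. */
static int kh_fields(const char *line, const char *ptr[], size_t len[], int max) {
    int n = 0; const char *p = line;
    while (n < max) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0' || *p == '\n' || (n == 0 && *p == '#')) break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\n') p++;
        if (n == 0 && *start == '@') continue;       /* marker, not a field */
        ptr[n] = start; len[n] = (size_t)(p - start); n++;
    }
    return n;
}

/* The heuristic the report describes: four fields means an SSH-1 RSA key,
 * so "hosts ssh-rsa AAAA... comment" is misclassified as RSA1. */
int kh_classify_by_count(const char *line) {
    const char *f[4]; size_t l[4];
    int n = kh_fields(line, f, l, 4);
    return n == 4 ? KH_RSA1 : (n == 3 ? KH_MODERN : KH_UNKNOWN);
}

/* Decide from the second field: SSH-1 entries carry the key size there as a
 * decimal number; modern entries carry the key type name plus an optional comment. */
int kh_classify_by_type(const char *line) {
    const char *f[4]; size_t l[4];
    int n = kh_fields(line, f, l, 4);
    if (n < 3) return KH_UNKNOWN;
    int numeric = l[1] > 0;
    for (size_t i = 0; i < l[1]; i++)
        if (!isdigit((unsigned char)f[1][i])) { numeric = 0; break; }
    if (numeric) return n == 4 ? KH_RSA1 : KH_UNKNOWN;   /* hosts bits exp modulus */
    if ((l[1] >= 4 && strncmp(f[1], "ssh-", 4) == 0) ||
        (l[1] >= 6 && strncmp(f[1], "ecdsa-", 6) == 0))
        return KH_MODERN;
    return KH_UNKNOWN;
}

/* Constructed sample entries with placeholder key blobs, not the report's key. */
const char *KH_LINE_COMMENT = "abel.example,abel ssh-rsa AAAAB3NzaC1yc2Eexample== root@abel";
const char *KH_LINE_PLAIN   = "abel.example,abel ssh-rsa AAAAB3NzaC1yc2Eexample==";
const char *KH_LINE_RSA1    = "abel.example,abel 1024 35 1234567890123456789";
const char *KH_LINE_CA      = "@cert-authority *.example ssh-ed25519 AAAAC3NzaC1lZDIexample ca";
```

With these inputs the count-based check labels KH_LINE_COMMENT as RSA1 (the report's symptom) while the type-based check labels it as a modern entry, and both agree on the entries without a comment.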

Event Timeline

migration created this object with visibility "Restricted Project (Project)".
migration created this object with edit policy "Restricted Project (Project)".
asn changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)". (Aug 17 2017, 3:12 PM)
asn raised the priority of this task from Normal to High. (Nov 16 2017, 12:17 PM)
asn added a comment. (Aug 10 2018, 4:07 PM)

Fixed with libssh-0.8.0

Use the new known_hosts API

asn closed this task as Resolved. (Aug 10 2018, 4:07 PM)