Message-ID: <20250826192934.GA4202@openwall.com>
Date: Tue, 26 Aug 2025 21:29:34 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: libssh2 Base64 Encoding Heap Overflow in Known Hosts SHA1 Hash Processing

Hi,

Thank you for finding this, getting it fixed, and bringing it in here.
Just one minor detail:

On Tue, Aug 26, 2025 at 09:56:06PM +0400, Dhiraj Mishra wrote:
> I've successfully created a libFuzzer harness targeting the
> libssh2_knownhost_readline() API, used for parsing SSH known_hosts files.
> The fuzzer discovered a heap buffer overflow vulnerability in the
> _libssh2_base64_encode() function when processing malformed hashed hostname
> entries.
>
> ==41411==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x6020000000d5 at pc 0x00010728cb0f bp 0x7ff7b9a37f90 sp 0x7ff7b9a37758
> READ of size 6 at 0x6020000000d5 thread T0
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow misc.c:463 in
> _libssh2_base64_encode

This looks like yet another case of ASan mislabeling over-reads as
overflows (which it does all the time).  Can someone in particular please
volunteer for getting this wording fixed in ASan, I guess separately in
clang and gcc?

Meanwhile, we should be careful to recognize and re-label such findings,
so e.g. this message's Subject and first paragraph should correctly say
"over-read" and not "overflow".

Of course, until ASan's wording is fixed, realistically many if not most
vulnerability reports based on fuzzing+ASan will continue to be mislabeled
like that, probably also leading to wrong CVSS vectors and thus wrong
scores (likely exaggerated).  But at least the few of us reading this
message may try and do better, please.

Thanks,

Alexander
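The distinction Alexander draws above, shown in code. This is an added example, not code from the thread, from libssh2, or from ASan: two deliberately buggy heap functions (one reads past its allocation, one writes past it; both are generic stand-ins, not libssh2's _libssh2_base64_encode) and a small classifier that labels an ASan report by its "READ of size N" / "WRITE of size N" line rather than by the "heap-buffer-overflow" headline ASan prints for both. The ASan excerpt embedded in main() is constructed in the shape of the report quoted in the thread; the function names are illustrative.

```c
/* Added example: why an ASan "heap-buffer-overflow" headline must be read
 * together with its READ/WRITE line before a finding is labelled.
 * Build and run either bug under ASan with:
 *   cc -g -fsanitize=address asan_label.c && ./a.out read   (or: write)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classification of an ASan report based on the access-kind line. */
typedef enum { ACCESS_UNKNOWN = 0, ACCESS_READ, ACCESS_WRITE } access_kind;

/* Look past ASan's "heap-buffer-overflow" headline and classify the report
 * by its "READ of size N" / "WRITE of size N" line. Returns ACCESS_UNKNOWN
 * when neither line is present. */
access_kind classify_asan_report(const char *report)
{
    if (strstr(report, "READ of size ") != NULL)
        return ACCESS_READ;
    if (strstr(report, "WRITE of size ") != NULL)
        return ACCESS_WRITE;
    return ACCESS_UNKNOWN;
}

/* The wording a report or advisory should use for each case. */
const char *asan_label(const char *report)
{
    switch (classify_asan_report(report)) {
    case ACCESS_READ:  return "heap buffer over-read";
    case ACCESS_WRITE: return "heap buffer overflow (out-of-bounds write)";
    default:           return "unclassified";
    }
}

/* Over-READ (hypothetical bug, constructed for this example): a caller-supplied
 * length longer than the allocation drives a read loop. Nothing is written out
 * of bounds, yet ASan still headlines it "heap-buffer-overflow"; the line that
 * matters is "READ of size 1". */
unsigned checksum_overread(size_t claimed_len)
{
    unsigned char *buf = malloc(5);
    unsigned sum = 0;
    memcpy(buf, "abcde", 5);
    for (size_t i = 0; i < claimed_len; i++)   /* reads past buf[4] if claimed_len > 5 */
        sum += buf[i];
    free(buf);
    return sum;
}

/* Over-WRITE (hypothetical bug, constructed for this example): the same length
 * mistake on the output side. ASan prints the same headline, but the access
 * line reads "WRITE of size 1", and this is the case that deserves "overflow". */
void fill_overwrite(size_t claimed_len)
{
    unsigned char *buf = malloc(5);
    for (size_t i = 0; i < claimed_len; i++)   /* writes past buf[4] if claimed_len > 5 */
        buf[i] = 'A';
    free(buf);
}

int main(int argc, char **argv)
{
    /* Constructed ASan excerpt in the shape of the report quoted in the thread. */
    static const char sample[] =
        "==41411==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d5\n"
        "READ of size 6 at 0x6020000000d5 thread T0\n"
        "SUMMARY: AddressSanitizer: heap-buffer-overflow misc.c:463 in _libssh2_base64_encode\n";
    printf("sample report classifies as: %s\n", asan_label(sample));

    /* Only trigger the undefined behaviour when explicitly asked, under ASan. */
    if (argc > 1 && strcmp(argv[1], "read") == 0)
        printf("%u\n", checksum_overread(6));    /* ASan: READ of size 1 */
    else if (argc > 1 && strcmp(argv[1], "write") == 0)
        fill_overwrite(6);                       /* ASan: WRITE of size 1 */
    return 0;
}
```

The classifier is the check to apply before writing a Subject line or a CVSS vector: the headline names the bug class only as ASan sees it (any access outside the allocation), while the READ/WRITE line tells you whether memory was merely disclosed or actually corrupted, which usually changes the confidentiality/integrity part of the score.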