On Mon, 30 Mar 2015, Hanno Böck wrote:

> On Mon, 30 Mar 2015 10:43:18 +1100 (AEDT)
> Damien Miller <djm@xxxxxxxxxxx> wrote:
>
> > reproduced; the line numbers were wrong.
>
> Sorry for the line numbers, should've thought of that. I used the
> standard Gentoo package and it seems it does patching on that file.
>
> I can confirm your patch fixes the issue, thanks. Will now run another
> fuzzing job with the patch applied, will inform you if it finds
> anything.

Thanks - we'll certainly fix bugs in config parsing, but they aren't
that interesting from a security perspective. Someone who can write
to ~/.ssh/config already has arbitrary code execution via ProxyCommand,
etc.

authorized_keys is a good thing to fuzz if you can set up a good
test environment. I've spent about a CPU-month fuzzing key parsing and
KRLs, so I have some confidence that they are clean. cf.
https://anongit.mindrot.org/openssh-fuzz-cases.git/

-d
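An added example, not part of the original message and not OpenSSH code: a small audit that lists the lines of an ssh client config that make `ssh` run a command, which is the reason write access to `~/.ssh/config` already amounts to code execution. Only ProxyCommand is named in the message; the other keywords, the parsing rules and the sample config are assumptions of this example.

```python
import re
import shlex

# Keywords whose argument the ssh client runs as a command. ProxyCommand is
# the one named in the message; the other two are added for this example.
# (LocalCommand only runs when PermitLocalCommand is yes.)
EXEC_KEYWORDS = {"proxycommand", "localcommand", "knownhostscommand"}
# ssh_config accepts both "Keyword value" and "Keyword=value".
LINE_RE = re.compile(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$")


def command_directives(config_text):
    """Return (line_no, keyword, command) for each line that makes ssh run a command."""
    hits = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword in EXEC_KEYWORDS and arg.lower() != "none":
            hits.append((no, keyword, arg))
        elif keyword == "match":
            # "Match exec <cmd>" runs <cmd> to decide whether the block applies.
            try:
                tokens = shlex.split(arg)
            except ValueError:  # unbalanced quotes: fall back to plain split
                tokens = arg.split()
            for i, tok in enumerate(tokens[:-1]):
                if tok.lower() in ("exec", "!exec"):
                    hits.append((no, "match exec", tokens[i + 1]))
    return hits


# Constructed sample config, not taken from the thread.
SAMPLE = """\
Host *
    ServerAliveInterval 30
Host bastion
    ProxyCommand none
Host internal-*
    ProxyCommand=ssh -W %h:%p -o LogLevel=error bastion
Match host build exec "test -f /tmp/constructed-flag"
    LocalCommand echo connected
# ProxyCommand commented out
"""

if __name__ == "__main__":
    for no, keyword, command in command_directives(SAMPLE):
        print(f"line {no}: {keyword}: {command}")
```

The audit does not follow `Include` directives, so included files need to be passed through it separately.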