> There's no vulnerability here - it's an unexploitable NULL dereference. I am considering the case where a user uploads a public-key to a service, and ssh-keygen is used to display a fingerprint of that key. (I run such a service, the github key-management page is another example - although they don't do things the same way my service crashed on the bogus key, theirs didn't!) Anyway thanks again for looking at it, in the future I'll try against HEAD before reporting things. Steve -- http://www.steve.org.uk/ _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
