Fix several vulnerabilities published with new openssh-7.0, namely:

Privilege separation weakness related to PAM support (#1252844)
		https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
	Use-after-free bug related to PAM support (#1252852)
		https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
Jakub Jelen 2015-08-14 12:00:28 +02:00
parent 9c925c2906
commit 08d2600aab
2 changed files with 49 additions and 0 deletions


@ -0,0 +1,44 @@
diff --git a/monitor.c b/monitor.c
index b410965..f1b873d 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{
-
debug3("%s", __func__);
- authctxt->user = buffer_get_string(m, NULL);
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
sshpam_authok = NULL;
buffer_clear(m);
@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
int
mm_answer_pam_free_ctx(int sock, Buffer *m)
{
+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
debug3("%s", __func__);
(sshpam_device.free_ctx)(sshpam_ctxt);
+ sshpam_ctxt = sshpam_authok = NULL;
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
auth_method = "keyboard-interactive";
auth_submethod = "pam";
- return (sshpam_authok == sshpam_ctxt);
+ return r;
}
#endif
diff --git a/monitor_wrap.c b/monitor_wrap.c
index e6217b3..eac421b 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
debug3("%s", __func__);
buffer_init(&m);
- buffer_put_cstring(&m, authctxt->user);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
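Review bot: In `mm_answer_pam_free_ctx` the call `(sshpam_device.free_ctx)(sshpam_ctxt)` still runs without checking that a context exists, and because the added line now resets `sshpam_ctxt` to NULL, a repeated free-context request from the unprivileged child would pass NULL to the device callback. Whether the callback tolerates NULL, and whether the monitor's request-permission state already excludes a repeated request, is not visible in this patch, so the monitor should reject that state explicitly with `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);` before the call. The same guard probably fits the other PAM handlers that use `sshpam_ctxt`, but `mm_answer_pam_respond` appears only in the hunk header, so that is inferred. A short comment in `mm_answer_pam_init_ctx`, such as `/* user comes from the monitor's own authctxt, never from the child's request */`, would record why the payload is no longer read and keep the removed `buffer_get_string` from being reintroduced.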


@ -234,6 +234,10 @@ Patch923: openssh-6.6p1-security-from-6.9.patch
Patch924: openssh-6.6p1-authentication-limits-bypass.patch
# Handle terminal control characters in scp progressmeter (#1247204)
Patch925: openssh-6.6p1-scp-progressmeter.patch
# Vulnerabilities published with openssh-7.0:
# Privilege separation weakness related to PAM support (#1252844)
# Use-after-free bug related to PAM support (#1252852)
Patch926: openssh-6.6p1-security-7.0.patch
License: BSD
Group: Applications/Internet
@ -452,6 +456,7 @@ popd
%patch923 -p1 -b .security
%patch924 -p1 -b .kbd
%patch925 -p1 -b .progressmeter
%patch926 -p1 -b .security7
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-fps