From 4776fad91e7e1f626f33e8c240d0ccecd663554d Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 14 Aug 2015 12:00:28 +0200
Subject: [PATCH] Fix several vulnerabilities published with new openssh-7.0, namely: Incorrectly set TTYs to be world-writable (#1252861) https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a Privilege separation weakness related to PAM support (#1252844) https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b Use-after-free bug related to PAM support (#1252852) https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
---
 openssh-6.9p1-security-7.0.patch | 63 ++++++++++++++++++++++++++++++++
 openssh.spec | 6 +++
 2 files changed, 69 insertions(+)
 create mode 100644 openssh-6.9p1-security-7.0.patch
diff --git a/openssh-6.9p1-security-7.0.patch b/openssh-6.9p1-security-7.0.patch
new file mode 100644
index 0000000..0bfc9d6
--- /dev/null
+++ b/openssh-6.9p1-security-7.0.patch
@@ -0,0 +1,63 @@
+diff --git a/sshpty.c b/sshpty.c
+index 7bb7641..15da8c6 100644
+--- a/sshpty.c
++++ b/sshpty.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
++/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen
+ * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
+@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
+ /* Determine the group to make the owner of the tty. */
+ grp = getgrnam("tty");
+ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
+- mode = (grp != NULL) ? 0622 : 0600;
++ mode = (grp != NULL) ? 0620 : 0600;
+
+ /*
+ * Change owner and mode of the tty as required.
+diff --git a/monitor.c b/monitor.c
+index b410965..f1b873d 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index e6217b3..eac421b 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/openssh.spec b/openssh.spec
index e067d9d..53a381c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -227,6 +227,11 @@ Patch929: openssh-6.9p1-permit-root-login.patch
 Patch930: openssh-6.9p1-authentication-limits-bypass.patch
 # Handle terminal control characters in scp progressmeter (#1247204)
 Patch931: openssh-6.9p1-scp-progressmeter.patch
+# Vulnerabilities published with openssh-7.0:
+# Incorrectly set TTYs to be world-writable (#1252861)
+# Privilege separation weakness related to PAM support (#1252844)
+# Use-after-free bug related to PAM support (#1252852)
+Patch932: openssh-6.9p1-security-7.0.patch
@@ -452,6 +457,7 @@ popd
 %patch929 -p1 -b .root-login
 %patch930 -p1 -b .kbd
 %patch931 -p1 -b .progressmeter
+%patch932 -p1 -b .security
 %patch200 -p1 -b .audit
 %patch700 -p1 -b .fips
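Review bot: In the monitor.c part of the added patch, `mm_answer_pam_init_ctx` still assigns `sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);` unconditionally, so a second init request arriving while a context is live would replace the pointer without releasing the old one. Because `mm_answer_pam_free_ctx` now resets `sshpam_ctxt` and `sshpam_authok` to NULL, a guard before that assignment becomes reliable, e.g. `if (sshpam_ctxt != NULL) fatal("%s: already called", __func__);`. Whether the monitor's request dispatch already rules out a repeated init is not visible here, and the body of `mm_answer_pam_init_ctx` continues past the hunk. In `mm_answer_pam_free_ctx` the new `r` deserves a short comment, for instance `/* decide before free_ctx(): the pointers are only comparable while the context is live, and NULL == NULL must not count as success */`, so the ordering is not undone by a later cleanup.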