From 669db415332fd00d30aef4fed70ddca12f39afbf Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 18 Apr 2016 12:39:11 +0200 Subject: [PATCH] Fix for CVE-2015-8325 (#1328013) --- openssh-7.2p2-CVE-2015-8325.patch | 32 +++++++++++++++++++++++++++++++ openssh.spec | 3 +++ 2 files changed, 35 insertions(+) create mode 100644 openssh-7.2p2-CVE-2015-8325.patch diff --git a/openssh-7.2p2-CVE-2015-8325.patch b/openssh-7.2p2-CVE-2015-8325.patch new file mode 100644 index 0000000..4224051 --- /dev/null +++ b/openssh-7.2p2-CVE-2015-8325.patch @@ -0,0 +1,32 @@ +From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001 +From: Damien Miller +Date: Wed, 13 Apr 2016 10:39:57 +1000 +Subject: ignore PAM environment vars when UseLogin=yes + +If PAM is configured to read user-specified environment variables +and UseLogin=yes in sshd_config, then a hostile local user may +attack /bin/login via LD_PRELOAD or similar environment variables +set via PAM. + +CVE-2015-8325, found by Shayan Sadigh, via Colin Watson +--- + session.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/session.c b/session.c +index 4859245..4653b09 100644 +--- a/session.c ++++ b/session.c +@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell) + * Pull in any environment variables that may have + * been set by PAM. + */ +- if (options.use_pam) { ++ if (options.use_pam && !options.use_login) { + char **p; + + p = fetch_pam_child_environment(); +-- +cgit v0.11.2 + + diff --git a/openssh.spec b/openssh.spec index ecbea54..9a09ad6 100644 --- a/openssh.spec +++ b/openssh.spec @@ -228,6 +228,8 @@ Patch933: openssh-7.0p1-show-more-fingerprints.patch # Preserve IUTF8 tty mode flag over ssh connections (#1270248) # https://bugzilla.mindrot.org/show_bug.cgi?id=2477 Patch936: openssh-7.1p1-iutf8.patch +# CVE-2015-8325: ignore PAM environment vars when UseLogin=yes +Patch937: openssh-7.2p2-CVE-2015-8325.patch License: BSD @@ -462,6 +464,7 @@ popd %patch932 -p1 -b .gsskexalg %patch933 -p1 -b .fingerprint %patch936 -p1 -b .iutf8 +%patch937 -p1 -b .pam_uselogin_cve %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race