From 8f8619e1e639556acfcbcc3c93056b87cb6c2840 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Thu, 15 May 2014 09:55:25 +0200
Subject: [PATCH] ignore environment variables with embedded '=' or '\0' characters (#1077843) CVE-2014-2532
---
 openssh-6.4p1-ignore-bad-env-var.patch | 37 ++++++++++++++++++++++++++
 openssh.spec | 3 +++
 2 files changed, 40 insertions(+)
 create mode 100644 openssh-6.4p1-ignore-bad-env-var.patch
diff --git a/openssh-6.4p1-ignore-bad-env-var.patch b/openssh-6.4p1-ignore-bad-env-var.patch
new file mode 100644
index 0000000..3bb49c2
--- /dev/null
+++ b/openssh-6.4p1-ignore-bad-env-var.patch
@@ -0,0 +1,37 @@
+diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog
+--- openssh-6.4p1/ChangeLog.bad-env-var 2014-03-19 21:37:36.270509907 +0100
++++ openssh-6.4p1/ChangeLog 2014-03-19 21:37:36.276509878 +0100
+@@ -0,0 +1,7 @@
++20140304
++ - OpenBSD CVS Sync
++ - djm@cvs.openbsd.org 2014/03/03 22:22:30
++ [session.c]
++ ignore enviornment variables with embedded '=' or '\0' characters;
++ spotted by Jann Horn; ok deraadt@
++
+diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c
+--- openssh-6.4p1/session.c.bad-env-var 2014-03-19 21:37:36.233510090 +0100
++++ openssh-6.4p1/session.c 2014-03-19 21:37:36.277509873 +0100
+@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi
+ u_int envsize;
+ u_int i, namelen;
+
++ if (strchr(name, '=') != NULL) {
++ error("Invalid environment variable \"%.100s\"", name);
++ return;
++ }
++
+ /*
+ * If we're passed an uninitialized list, allocate a single null
+ * entry before continuing.
+@@ -2255,8 +2260,8 @@ session_env_req(Session *s)
+ char *name, *val;
+ u_int name_len, val_len, i;
+
+- name = packet_get_string(&name_len);
+- val = packet_get_string(&val_len);
++ name = packet_get_cstring(&name_len);
++ val = packet_get_cstring(&val_len);
+ packet_check_eom();
+
+ /* Don't set too many environment variables */
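Review bot: The new `strchr(name, '=')` guard in `child_set_env` rejects a bad name only by logging through `error()` and returning from a void function, so a caller cannot tell that the variable was dropped, and nothing in the hunk says why '=' is fatal for a name; a short comment would carry that for the next reader, e.g. `/* A name containing '=' would be joined as name=val and could define a different variable than the one the caller validated; log and drop it. */`. The guard also relies on `name` being a NUL-terminated string, which the switch to `packet_get_cstring` in `session_env_req` presumably provides for client-supplied names (that getter appears to reject embedded NULs, which this hunk does not show), but other callers of `child_set_env` are not visible here, so the '\0' half of the ChangeLog entry is covered only for that one path as far as the patch shows. Both `child_set_env` and `session_env_req` continue outside the hunk.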
diff --git a/openssh.spec b/openssh.spec
index 5b78b54..37d757a 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -193,6 +193,8 @@ Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
 # Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
 # dialog by offering only certificate keys. (#1081338)
 Patch908: openssh-6.4p1-CVE-2014-2653.patch
+# ignore environment variables with embedded '=' or '\0' characters (#1077843)
+Patch909: openssh-6.4p1-ignore-bad-env-var.patch
 License: BSD
@@ -420,6 +422,7 @@ popd
 %patch906 -p1 -b .fromto-remote
 %patch907 -p1 -b .CLOCK_BOOTTIME
 %patch908 -p1 -b .CVE-2014-2653
+%patch909 -p1 -b .bad-env-var
 %if 0
 # Nothing here yet