CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes.

author: Colin Watson <cjwatson@debian.org> 2016-04-13 08:48:22 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-04-13 08:48:25 +0100
commit: c538beb27bf0892bce07fba749cc9f309089e838 (patch)
tree: d1e44e962068df2509f9d634b9b7424a300763cb
parent: 9f7ab403be0043d1b160999835af0a3783413775 (diff)
parent: 7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c (diff)
5 files changed, 38 insertions, 3 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 56d701e88..589d66c5c 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-d888c9637031a93c13c168a35e99e9aa76c14a9a
+7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c
-d888c9637031a93c13c168a35e99e9aa76c14a9a
+7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c
 f0329aac23c61e1a5197d6d57349a63f459bccb0
 f0329aac23c61e1a5197d6d57349a63f459bccb0
 openssh_7.2p2.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 6c8010be9..261b42c15 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 openssh (1:7.2p2-3) UNRELEASED; urgency=medium
  * Change all openssh.org references to openssh.com (closes: #819213).
+  * CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes.
 -- Colin Watson <cjwatson@debian.org>  Sun, 03 Apr 2016 18:09:59 +0100
diff --git a/debian/patches/CVE-2015-8325.patch b/debian/patches/CVE-2015-8325.patch
new file mode 100644
index 000000000..de2c33577
--- /dev/null
+++ b/debian/patches/CVE-2015-8325.patch
@@ -0,0 +1,33 @@
+From 7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 13 Apr 2016 10:39:57 +1000
+Subject: ignore PAM environment vars when UseLogin=yes
+If PAM is configured to read user-specified environment variables
+and UseLogin=yes in sshd_config, then a hostile local user may
+attack /bin/login via LD_PRELOAD or similar environment variables
+set via PAM.
+CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
+Last-Update: 2016-04-13
+Patch-Name: CVE-2015-8325.patch
+---
+ session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/session.c b/session.c
+index f246b8a..8ab9814 100644
+--- a/session.c
+++ b/session.c
+@@ -1317,7 +1317,7 @@ do_setup_env(Session *s, const char *shell)
+         * Pull in any environment variables that may have
+         * been set by PAM.
+         */
+-       if (options.use_pam) {
+       if (options.use_pam && !options.use_login) {
+                char **p;
+ 
+                p = fetch_pam_child_environment();
diff --git a/debian/patches/series b/debian/patches/series
index e5821f627..b5c9fb392 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,3 +25,4 @@ gnome-ssh-askpass2-icon.patch
 sigstop.patch
 systemd-readiness.patch
 debian-config.patch
+CVE-2015-8325.patch
diff --git a/session.c b/session.c
index f246b8a62..8ab981451 100644
--- a/session.c
+++ b/session.c
@@ -1317,7 +1317,7 @@ do_setup_env(Session *s, const char *shell)
         * Pull in any environment variables that may have
         * been set by PAM.
         */
-        if (options.use_pam) {
+        if (options.use_pam && !options.use_login) {
                char **p;
                p = fetch_pam_child_environment();
author	Colin Watson <cjwatson@debian.org>	2016-04-13 08:48:22 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-04-13 08:48:25 +0100
commit	c538beb27bf0892bce07fba749cc9f309089e838 (patch)
tree	d1e44e962068df2509f9d634b9b7424a300763cb
parent	9f7ab403be0043d1b160999835af0a3783413775 (diff)
parent	7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c (diff)

diff --git a/debian/.git-dpm b/debian/.git-dpm index 56d701e88..589d66c5c 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	d888c9637031a93c13c168a35e99e9aa76c14a9a	2	7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c
3	d888c9637031a93c13c168a35e99e9aa76c14a9a	3	7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c
4	f0329aac23c61e1a5197d6d57349a63f459bccb0	4	f0329aac23c61e1a5197d6d57349a63f459bccb0
5	f0329aac23c61e1a5197d6d57349a63f459bccb0	5	f0329aac23c61e1a5197d6d57349a63f459bccb0
6	openssh_7.2p2.orig.tar.gz	6	openssh_7.2p2.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 6c8010be9..261b42c15 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,6 +1,7 @@
1	openssh (1:7.2p2-3) UNRELEASED; urgency=medium	1	openssh (1:7.2p2-3) UNRELEASED; urgency=medium
2		2
3	* Change all openssh.org references to openssh.com (closes: #819213).	3	* Change all openssh.org references to openssh.com (closes: #819213).
		4	* CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes.
4		5
5	-- Colin Watson <cjwatson@debian.org> Sun, 03 Apr 2016 18:09:59 +0100	6	-- Colin Watson <cjwatson@debian.org> Sun, 03 Apr 2016 18:09:59 +0100
6		7


diff --git a/debian/patches/CVE-2015-8325.patch b/debian/patches/CVE-2015-8325.patch new file mode 100644 index 000000000..de2c33577 --- /dev/null +++ b/debian/patches/CVE-2015-8325.patch
@@ -0,0 +1,33 @@
		1	From 7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c Mon Sep 17 00:00:00 2001
		2	From: Damien Miller <djm@mindrot.org>
		3	Date: Wed, 13 Apr 2016 10:39:57 +1000
		4	Subject: ignore PAM environment vars when UseLogin=yes
		5
		6	If PAM is configured to read user-specified environment variables
		7	and UseLogin=yes in sshd_config, then a hostile local user may
		8	attack /bin/login via LD_PRELOAD or similar environment variables
		9	set via PAM.
		10
		11	CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
		12
		13	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
		14	Last-Update: 2016-04-13
		15
		16	Patch-Name: CVE-2015-8325.patch
		17	---
		18	session.c \| 2 +-
		19	1 file changed, 1 insertion(+), 1 deletion(-)
		20
		21	diff --git a/session.c b/session.c
		22	index f246b8a..8ab9814 100644
		23	--- a/session.c
		24	+++ b/session.c
		25	@@ -1317,7 +1317,7 @@ do_setup_env(Session s, const char shell)
		26	* Pull in any environment variables that may have
		27	* been set by PAM.
		28	*/
		29	- if (options.use_pam) {
		30	+ if (options.use_pam && !options.use_login) {
		31	char **p;
		32
		33	p = fetch_pam_child_environment();


diff --git a/debian/patches/series b/debian/patches/series index e5821f627..b5c9fb392 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -25,3 +25,4 @@ gnome-ssh-askpass2-icon.patch
25	sigstop.patch	25	sigstop.patch
26	systemd-readiness.patch	26	systemd-readiness.patch
27	debian-config.patch	27	debian-config.patch
		28	CVE-2015-8325.patch


diff --git a/session.c b/session.c index f246b8a62..8ab981451 100644 --- a/session.c +++ b/session.c
@@ -1317,7 +1317,7 @@ do_setup_env(Session s, const char shell)
1317	* Pull in any environment variables that may have	1317	* Pull in any environment variables that may have
1318	* been set by PAM.	1318	* been set by PAM.
1319	*/	1319	*/
1320	if (options.use_pam) {	1320	if (options.use_pam && !options.use_login) {
1321	char **p;	1321	char **p;
1322		1322
1323	p = fetch_pam_child_environment();	1323	p = fetch_pam_child_environment();