CVE-2021-28041: Fix double free in ssh-agent(1)

Closes: #984940
author: Colin Watson <cjwatson@debian.org> 2021-03-13 09:37:24 +0000
committer: Colin Watson <cjwatson@debian.org> 2021-03-13 09:59:15 +0000
commit: 8d74de9b71bcde4c41ac9348433c95e66210d3ce (patch)
tree: ac932367525f4e070b05f01f84b6aa5ae72cb0cf
parent: 96647c5c515268939666c587fa1bc459ac38b332 (diff)
parent: 421db3656dcafbe810226463bf27a18a0b1c3186 (diff)
5 files changed, 36 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 2e5545893..7f231bb16 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-27cf2f667b46a99f4469f41bcb8e004834a3d34f
+421db3656dcafbe810226463bf27a18a0b1c3186
-27cf2f667b46a99f4469f41bcb8e004834a3d34f
+421db3656dcafbe810226463bf27a18a0b1c3186
 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
 openssh_8.4p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 9b1a33ab7..f2be0802c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+openssh (1:8.4p1-5) UNRELEASED; urgency=medium
+  * CVE-2021-28041: Fix double free in ssh-agent(1) (closes: #984940).
+ -- Colin Watson <cjwatson@debian.org>  Sat, 13 Mar 2021 09:37:26 +0000
 openssh (1:8.4p1-4) unstable; urgency=medium
  * Avoid using libmd's <sha2.h> even if it's installed (closes: #982705).
diff --git a/debian/patches/series b/debian/patches/series
index 5b00428bc..8f6b09f6f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,3 +25,4 @@ conch-old-privkey-format.patch
 revert-ipqos-defaults.patch
 revert-x32-sandbox-breakage.patch
 ssh-copy-id-heredoc-syntax.patch
+ssh-agent-double-free.patch
diff --git a/debian/patches/ssh-agent-double-free.patch b/debian/patches/ssh-agent-double-free.patch
new file mode 100644
index 000000000..20ae613cd
--- /dev/null
+++ b/debian/patches/ssh-agent-double-free.patch
@@ -0,0 +1,26 @@
+From 421db3656dcafbe810226463bf27a18a0b1c3186 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sat, 13 Mar 2021 09:35:05 +0000
+Subject: Double free in ssh-agent(1)
+Origin: upstream, https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig
+Bug-Debian: https://bugs.debian.org/984940
+Last-Update: 2021-03-13
+Patch-Name: ssh-agent-double-free.patch
+---
+ ssh-agent.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/ssh-agent.c b/ssh-agent.c
+index e1fd1f3f6..48155c96e 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -581,6 +581,7 @@ process_add_identity(SocketEntry *e)
+                                goto err;
+                        }
+                        free(ext_name);
+                       ext_name = NULL;
+                        break;
+                default:
+                        error("%s: Unknown constraint %d", __func__, ctype);
diff --git a/ssh-agent.c b/ssh-agent.c
index e1fd1f3f6..48155c96e 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -581,6 +581,7 @@ process_add_identity(SocketEntry *e)
                                goto err;
                        }
                        free(ext_name);
+                        ext_name = NULL;
                        break;
                default:
                        error("%s: Unknown constraint %d", __func__, ctype);
author	Colin Watson <cjwatson@debian.org>	2021-03-13 09:37:24 +0000
committer	Colin Watson <cjwatson@debian.org>	2021-03-13 09:59:15 +0000
commit	8d74de9b71bcde4c41ac9348433c95e66210d3ce (patch)
tree	ac932367525f4e070b05f01f84b6aa5ae72cb0cf
parent	96647c5c515268939666c587fa1bc459ac38b332 (diff)
parent	421db3656dcafbe810226463bf27a18a0b1c3186 (diff)

diff --git a/debian/.git-dpm b/debian/.git-dpm index 2e5545893..7f231bb16 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	27cf2f667b46a99f4469f41bcb8e004834a3d34f	2	421db3656dcafbe810226463bf27a18a0b1c3186
3	27cf2f667b46a99f4469f41bcb8e004834a3d34f	3	421db3656dcafbe810226463bf27a18a0b1c3186
4	2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb	4	2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
5	2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb	5	2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
6	openssh_8.4p1.orig.tar.gz	6	openssh_8.4p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 9b1a33ab7..f2be0802c 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,9 @@
		1	openssh (1:8.4p1-5) UNRELEASED; urgency=medium
		2
		3	* CVE-2021-28041: Fix double free in ssh-agent(1) (closes: #984940).
		4
		5	-- Colin Watson <cjwatson@debian.org> Sat, 13 Mar 2021 09:37:26 +0000
		6
1	openssh (1:8.4p1-4) unstable; urgency=medium	7	openssh (1:8.4p1-4) unstable; urgency=medium
2		8
3	* Avoid using libmd's <sha2.h> even if it's installed (closes: #982705).	9	* Avoid using libmd's <sha2.h> even if it's installed (closes: #982705).


diff --git a/debian/patches/series b/debian/patches/series index 5b00428bc..8f6b09f6f 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -25,3 +25,4 @@ conch-old-privkey-format.patch
25	revert-ipqos-defaults.patch	25	revert-ipqos-defaults.patch
26	revert-x32-sandbox-breakage.patch	26	revert-x32-sandbox-breakage.patch
27	ssh-copy-id-heredoc-syntax.patch	27	ssh-copy-id-heredoc-syntax.patch
		28	ssh-agent-double-free.patch


diff --git a/debian/patches/ssh-agent-double-free.patch b/debian/patches/ssh-agent-double-free.patch new file mode 100644 index 000000000..20ae613cd --- /dev/null +++ b/debian/patches/ssh-agent-double-free.patch
@@ -0,0 +1,26 @@
		1	From 421db3656dcafbe810226463bf27a18a0b1c3186 Mon Sep 17 00:00:00 2001
		2	From: Colin Watson <cjwatson@debian.org>
		3	Date: Sat, 13 Mar 2021 09:35:05 +0000
		4	Subject: Double free in ssh-agent(1)
		5
		6	Origin: upstream, https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig
		7	Bug-Debian: https://bugs.debian.org/984940
		8	Last-Update: 2021-03-13
		9
		10	Patch-Name: ssh-agent-double-free.patch
		11	---
		12	ssh-agent.c \| 1 +
		13	1 file changed, 1 insertion(+)
		14
		15	diff --git a/ssh-agent.c b/ssh-agent.c
		16	index e1fd1f3f6..48155c96e 100644
		17	--- a/ssh-agent.c
		18	+++ b/ssh-agent.c
		19	@@ -581,6 +581,7 @@ process_add_identity(SocketEntry *e)
		20	goto err;
		21	}
		22	free(ext_name);
		23	+ ext_name = NULL;
		24	break;
		25	default:
		26	error("%s: Unknown constraint %d", __func__, ctype);


diff --git a/ssh-agent.c b/ssh-agent.c index e1fd1f3f6..48155c96e 100644 --- a/ssh-agent.c +++ b/ssh-agent.c
@@ -581,6 +581,7 @@ process_add_identity(SocketEntry *e)
581	goto err;	581	goto err;
582	}	582	}
583	free(ext_name);	583	free(ext_name);
		584	ext_name = NULL;
584	break;	585	break;
585	default:	586	default:
586	error("%s: Unknown constraint %d", __func__, ctype);	587	error("%s: Unknown constraint %d", __func__, ctype);