summaryrefslogtreecommitdiff
path: root/debian/patches/backport-pam-use-after-free.patch
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2015-08-19 18:34:29 +0100
committerColin Watson <cjwatson@debian.org>2015-08-19 18:37:32 +0100
commitd2d9171e73cd2db10fabf9dd4924d3dcd5f13c7a (patch)
treedeedfca8dcc980d858d5caacbde773e44a081bc2 /debian/patches/backport-pam-use-after-free.patch
parenta608a63196dbda54e9bdd656baa253c56e76bace (diff)
parentc0ec3def4bec4afe1cad9e99081e658200b13a02 (diff)
Backport PAM security fixes.
- sshd(8): Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users. Reported by Moritz Jodeit. - sshd(8): Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution (closes: #795711). Also reported by Moritz Jodeit.
Diffstat (limited to 'debian/patches/backport-pam-use-after-free.patch')
-rw-r--r--debian/patches/backport-pam-use-after-free.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/debian/patches/backport-pam-use-after-free.patch b/debian/patches/backport-pam-use-after-free.patch
new file mode 100644
index 000000000..460654953
--- /dev/null
+++ b/debian/patches/backport-pam-use-after-free.patch
@@ -0,0 +1,39 @@
1From c0ec3def4bec4afe1cad9e99081e658200b13a02 Mon Sep 17 00:00:00 2001
2From: Damien Miller <djm@mindrot.org>
3Date: Tue, 11 Aug 2015 13:34:12 +1000
4Subject: set sshpam_ctxt to NULL after free
5
6Avoids use-after-free in monitor when privsep child is compromised.
7Reported by Moritz Jodeit; ok dtucker@
8
9Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
10Forwarded: not-needed
11Last-Update: 2015-08-19
12
13Patch-Name: backport-pam-use-after-free.patch
14---
15 monitor.c | 4 +++-
16 1 file changed, 3 insertions(+), 1 deletion(-)
17
18diff --git a/monitor.c b/monitor.c
19index 870a6b9..e8541b4 100644
20--- a/monitor.c
21+++ b/monitor.c
22@@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
23 int
24 mm_answer_pam_free_ctx(int sock, Buffer *m)
25 {
26+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
27
28 debug3("%s", __func__);
29 (sshpam_device.free_ctx)(sshpam_ctxt);
30+ sshpam_ctxt = sshpam_authok = NULL;
31 buffer_clear(m);
32 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
33 auth_method = "keyboard-interactive";
34 auth_submethod = "pam";
35- return (sshpam_authok == sshpam_ctxt);
36+ return r;
37 }
38 #endif
39