author | Colin Watson <cjwatson@debian.org> | 2015-08-19 18:34:29 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 18:37:32 +0100 |
commit | d2d9171e73cd2db10fabf9dd4924d3dcd5f13c7a (patch) | |
tree | deedfca8dcc980d858d5caacbde773e44a081bc2 /debian/patches/backport-pam-use-after-free.patch | |
parent | a608a63196dbda54e9bdd656baa253c56e76bace (diff) | |
parent | c0ec3def4bec4afe1cad9e99081e658200b13a02 (diff) |
Backport PAM security fixes.
- sshd(8): Fixed a privilege separation weakness related to PAM support.
Attackers who could successfully compromise the pre-authentication
process for remote code execution and who had valid credentials on the
host could impersonate other users. Reported by Moritz Jodeit.
- sshd(8): Fixed a use-after-free bug related to PAM support that was
reachable by attackers who could compromise the pre-authentication
process for remote code execution (closes: #795711). Also reported by
Moritz Jodeit.
Diffstat (limited to 'debian/patches/backport-pam-use-after-free.patch')
-rw-r--r-- | debian/patches/backport-pam-use-after-free.patch | 39 |
1 files changed, 39 insertions, 0 deletions
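--- /dev/null
+++ b/debian/patches/backport-pam-use-after-free.patch
@@ -0,0 +1,39 @@
+From c0ec3def4bec4afe1cad9e99081e658200b13a02 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 11 Aug 2015 13:34:12 +1000
+Subject: set sshpam_ctxt to NULL after free
+
+Avoids use-after-free in monitor when privsep child is compromised.
+Reported by Moritz Jodeit; ok dtucker@
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
+Forwarded: not-needed
+Last-Update: 2015-08-19
+
+Patch-Name: backport-pam-use-after-free.patch
+---
+monitor.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/monitor.c b/monitor.c
+index 870a6b9..e8541b4 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+int
+mm_answer_pam_free_ctx(int sock, Buffer *m)
+{
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+debug3("%s", __func__);
+(sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+buffer_clear(m);
+mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+auth_method = "keyboard-interactive";
+auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+}
+#endif
+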
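Review bot: The unconditional `(sshpam_device.free_ctx)(sshpam_ctxt)` call in mm_answer_pam_free_ctx is now passed NULL if this handler runs a second time, because the added line clears `sshpam_ctxt` after the first free. free_ctx is defined outside this hunk, and whether the monitor permits a repeated request is not visible here, so confirm that free_ctx tolerates NULL or skip the call when the pointer is already NULL. The order of the new lines also matters and is worth a comment above `int r = ...`, for example `/* Decide before clearing: afterwards both pointers are NULL and would compare equal. */`. That would stop a later cleanup from folding the comparison back into the return statement, where NULL == NULL would report success.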