Merge 6.6p1.

* New upstream release (http://www.openssh.com/txt/release-6.6).

1 files changed, 22 insertions, 2 deletions

diff --git a/gss-serv.c b/gss-serv.c
index feb1ed763..c33463bdf 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -72,6 +72,25 @@ ssh_gssapi_mech* supported_mechs[]= {
         &gssapi_null_mech,
 };
 
+/*
+ * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
+ * list of supported mechanisms before privsep is set up.
+ */
+static gss_OID_set supported_oids;
+
+void
+ssh_gssapi_prepare_supported_oids(void)
+{
+        ssh_gssapi_supported_oids(&supported_oids);
+}
+
+OM_uint32
+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
+{
+        if (supported_oids == NULL)
+                ssh_gssapi_prepare_supported_oids();
+        return gss_test_oid_set_member(ms, member, supported_oids, present);
+}
 
 /*
  * Acquire credentials for a server running on the current host.
@@ -435,7 +454,8 @@ ssh_gssapi_userok(char *user, struct passwd *pw)
                         gss_release_buffer(&lmin, &gssapi_client.displayname);
                         gss_release_buffer(&lmin, &gssapi_client.exportedname);
                         gss_release_cred(&lmin, &gssapi_client.creds);
-                        memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+                        explicit_bzero(&gssapi_client,
+                            sizeof(ssh_gssapi_client));
                         return 0;
                 }
         else