* Backport from 4.5p1:

- Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. This bug is not known to be exploitable in the absence of additional vulnerabilities.
author: Colin Watson <cjwatson@debian.org> 2006-11-15 00:48:30 +0000
committer: Colin Watson <cjwatson@debian.org> 2006-11-15 00:48:30 +0000
commit: 0afa4059aa6138214602bf85cf0fc09fa6784882 (patch)
tree: 1dfd86b575a5d7a44e2c8b80b73a07cb0cccc0aa /monitor.c
parent: e836924abc1da31a9ea47d18bda4353935668902 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/monitor.c b/monitor.c
index 821722025..867431ff1 100644
--- a/monitor.c
+++ b/monitor.c
@@ -339,7 +339,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
        /* The first few requests do not require asynchronous access */
        while (!authenticated) {
-                authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
+                authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
                if (authenticated) {
                        if (!(ent->flags & MON_AUTHDECIDE))
                                fatal("%s: unexpected authentication from %d",
@@ -1220,7 +1220,7 @@ mm_answer_keyverify(int sock, Buffer *m)
        verified = key_verify(key, signature, signaturelen, data, datalen);
        debug3("%s: key %p signature %s",
-            __func__, key, verified ? "verified" : "unverified");
+            __func__, key, (verified == 1) ? "verified" : "unverified");
        key_free(key);
        xfree(blob);
@@ -1235,7 +1235,7 @@ mm_answer_keyverify(int sock, Buffer *m)
        buffer_put_int(m, verified);
        mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);
-        return (verified);
+        return (verified == 1);
 }
 static void
author	Colin Watson <cjwatson@debian.org>	2006-11-15 00:48:30 +0000
committer	Colin Watson <cjwatson@debian.org>	2006-11-15 00:48:30 +0000
commit	0afa4059aa6138214602bf85cf0fc09fa6784882 (patch)
tree	1dfd86b575a5d7a44e2c8b80b73a07cb0cccc0aa /monitor.c
parent	e836924abc1da31a9ea47d18bda4353935668902 (diff)

diff --git a/monitor.c b/monitor.c index 821722025..867431ff1 100644 --- a/monitor.c +++ b/monitor.c
@@ -339,7 +339,7 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
339		339
340	/* The first few requests do not require asynchronous access */	340	/* The first few requests do not require asynchronous access */
341	while (!authenticated) {	341	while (!authenticated) {
342	authenticated = monitor_read(pmonitor, mon_dispatch, &ent);	342	authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
343	if (authenticated) {	343	if (authenticated) {
344	if (!(ent->flags & MON_AUTHDECIDE))	344	if (!(ent->flags & MON_AUTHDECIDE))
345	fatal("%s: unexpected authentication from %d",	345	fatal("%s: unexpected authentication from %d",
@@ -1220,7 +1220,7 @@ mm_answer_keyverify(int sock, Buffer *m)
1220		1220
1221	verified = key_verify(key, signature, signaturelen, data, datalen);	1221	verified = key_verify(key, signature, signaturelen, data, datalen);
1222	debug3("%s: key %p signature %s",	1222	debug3("%s: key %p signature %s",
1223	__func__, key, verified ? "verified" : "unverified");	1223	__func__, key, (verified == 1) ? "verified" : "unverified");
1224		1224
1225	key_free(key);	1225	key_free(key);
1226	xfree(blob);	1226	xfree(blob);
@@ -1235,7 +1235,7 @@ mm_answer_keyverify(int sock, Buffer *m)
1235	buffer_put_int(m, verified);	1235	buffer_put_int(m, verified);
1236	mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);	1236	mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);
1237		1237
1238	return (verified);	1238	return (verified == 1);
1239	}	1239	}
1240		1240
1241	static void	1241	static void