6 files changed, 23 insertions, 4 deletions

diff --git a/auth.h b/auth.h
index 267e7b022..e76cf871a 100644
--- a/auth.h
+++ b/auth.h
@@ -49,6 +49,7 @@ typedef struct KbdintDevice KbdintDevice;
 
 struct Authctxt {
         int              success;
+        int              authenticated; /* authenticated and alarms cancelled */
         int              postponed;     /* authentication needs another step */
         int              valid;         /* user exists and is allowed to login */
         int              attempt;
diff --git a/debian/changelog b/debian/changelog
index 705a61580..6007a9d7b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,12 @@ openssh (1:4.3p2-4) UNRELEASED; urgency=high
     - CVE-2006-4924: Fix a pre-authentication denial of service found by
       Tavis Ormandy, that would cause sshd(8) to spin until the login grace
       time expired (closes: #389995).
+    - CVE-2006-5051: Fix an unsafe signal hander reported by Mark Dowd. The
+      signal handler was vulnerable to a race condition that could be
+      exploited to perform a pre-authentication denial of service. On
+      portable OpenSSH, this vulnerability could theoretically lead to
+      pre-authentication remote code execution if GSSAPI authentication is
+      enabled, but the likelihood of successful exploitation appears remote.
 
   * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël
     Hertzog; closes: #369395).
diff --git a/log.c b/log.c
index c09786ade..07f866230 100644
--- a/log.c
+++ b/log.c
@@ -131,6 +131,18 @@ error(const char *fmt,...)
         va_end(args);
 }
 
+void
+sigdie(const char *fmt,...)
+{
+        va_list args;
+
+        va_start(args, fmt);
+        do_log(SYSLOG_LEVEL_FATAL, fmt, args);
+        va_end(args);
+        _exit(1);
+}
+
+
 /* Log this message (information that usually should go to the log). */
 
 void
diff --git a/log.h b/log.h
index d7170fc22..76012180c 100644
--- a/log.h
+++ b/log.h
@@ -56,6 +56,7 @@ LogLevel log_level_number(char *);
 
 void     fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2)));
 void     error(const char *, ...) __attribute__((format(printf, 1, 2)));
+void     sigdie(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     logit(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     verbose(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     debug(const char *, ...) __attribute__((format(printf, 1, 2)));
diff --git a/session.c b/session.c
index daad03929..3420db57d 100644
--- a/session.c
+++ b/session.c
@@ -2440,7 +2440,7 @@ do_cleanup(Authctxt *authctxt)
                 return;
         called = 1;
 
-        if (authctxt == NULL)
+        if (authctxt == NULL || !authctxt->authenticated)
                 return;
 #ifdef KRB5
         if (options.kerberos_ticket_cleanup &&
diff --git a/sshd.c b/sshd.c
index 85b679d5e..b1776ef45 100644
--- a/sshd.c
+++ b/sshd.c
@@ -310,13 +310,11 @@ main_sigchld_handler(int sig)
 static void
 grace_alarm_handler(int sig)
 {
-        /* XXX no idea how fix this signal handler */
-
         if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
                 kill(pmonitor->m_pid, SIGALRM);
 
         /* Log error and exit. */
-        fatal("Timeout before authentication for %s", get_remote_ipaddr());
+        sigdie("Timeout before authentication for %s", get_remote_ipaddr());
 }
 
 /*
@@ -1797,6 +1795,7 @@ main(int ac, char **av)
          */
         alarm(0);
         signal(SIGALRM, SIG_DFL);
+        authctxt->authenticated = 1;
         if (startup_pipe != -1) {
                 close(startup_pipe);
                 startup_pipe = -1;