diff options
-rw-r--r-- | debian/.git-dpm | 4 | ||||
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/patches/CVE-2015-8325.patch | 33 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | session.c | 2 |
5 files changed, 38 insertions, 3 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index 56d701e88..589d66c5c 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
@@ -1,6 +1,6 @@ | |||
1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
2 | d888c9637031a93c13c168a35e99e9aa76c14a9a | 2 | 7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c |
3 | d888c9637031a93c13c168a35e99e9aa76c14a9a | 3 | 7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c |
4 | f0329aac23c61e1a5197d6d57349a63f459bccb0 | 4 | f0329aac23c61e1a5197d6d57349a63f459bccb0 |
5 | f0329aac23c61e1a5197d6d57349a63f459bccb0 | 5 | f0329aac23c61e1a5197d6d57349a63f459bccb0 |
6 | openssh_7.2p2.orig.tar.gz | 6 | openssh_7.2p2.orig.tar.gz |
diff --git a/debian/changelog b/debian/changelog index 6c8010be9..261b42c15 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,6 +1,7 @@ | |||
1 | openssh (1:7.2p2-3) UNRELEASED; urgency=medium | 1 | openssh (1:7.2p2-3) UNRELEASED; urgency=medium |
2 | 2 | ||
3 | * Change all openssh.org references to openssh.com (closes: #819213). | 3 | * Change all openssh.org references to openssh.com (closes: #819213). |
4 | * CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes. | ||
4 | 5 | ||
5 | -- Colin Watson <cjwatson@debian.org> Sun, 03 Apr 2016 18:09:59 +0100 | 6 | -- Colin Watson <cjwatson@debian.org> Sun, 03 Apr 2016 18:09:59 +0100 |
6 | 7 | ||
diff --git a/debian/patches/CVE-2015-8325.patch b/debian/patches/CVE-2015-8325.patch new file mode 100644 index 000000000..de2c33577 --- /dev/null +++ b/debian/patches/CVE-2015-8325.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Miller <djm@mindrot.org> | ||
3 | Date: Wed, 13 Apr 2016 10:39:57 +1000 | ||
4 | Subject: ignore PAM environment vars when UseLogin=yes | ||
5 | |||
6 | If PAM is configured to read user-specified environment variables | ||
7 | and UseLogin=yes in sshd_config, then a hostile local user may | ||
8 | attack /bin/login via LD_PRELOAD or similar environment variables | ||
9 | set via PAM. | ||
10 | |||
11 | CVE-2015-8325, found by Shayan Sadigh, via Colin Watson | ||
12 | |||
13 | Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755 | ||
14 | Last-Update: 2016-04-13 | ||
15 | |||
16 | Patch-Name: CVE-2015-8325.patch | ||
17 | --- | ||
18 | session.c | 2 +- | ||
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/session.c b/session.c | ||
22 | index f246b8a..8ab9814 100644 | ||
23 | --- a/session.c | ||
24 | +++ b/session.c | ||
25 | @@ -1317,7 +1317,7 @@ do_setup_env(Session *s, const char *shell) | ||
26 | * Pull in any environment variables that may have | ||
27 | * been set by PAM. | ||
28 | */ | ||
29 | - if (options.use_pam) { | ||
30 | + if (options.use_pam && !options.use_login) { | ||
31 | char **p; | ||
32 | |||
33 | p = fetch_pam_child_environment(); | ||
diff --git a/debian/patches/series b/debian/patches/series index e5821f627..b5c9fb392 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -25,3 +25,4 @@ gnome-ssh-askpass2-icon.patch | |||
25 | sigstop.patch | 25 | sigstop.patch |
26 | systemd-readiness.patch | 26 | systemd-readiness.patch |
27 | debian-config.patch | 27 | debian-config.patch |
28 | CVE-2015-8325.patch | ||
@@ -1317,7 +1317,7 @@ do_setup_env(Session *s, const char *shell) | |||
1317 | * Pull in any environment variables that may have | 1317 | * Pull in any environment variables that may have |
1318 | * been set by PAM. | 1318 | * been set by PAM. |
1319 | */ | 1319 | */ |
1320 | if (options.use_pam) { | 1320 | if (options.use_pam && !options.use_login) { |
1321 | char **p; | 1321 | char **p; |
1322 | 1322 | ||
1323 | p = fetch_pam_child_environment(); | 1323 | p = fetch_pam_child_environment(); |