7 files changed, 97 insertions, 6 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 935f783bc..13b023289 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-12577aa167c76d517bfe78f603fe805f190d8d05
+c0ec3def4bec4afe1cad9e99081e658200b13a02
-12577aa167c76d517bfe78f603fe805f190d8d05
+c0ec3def4bec4afe1cad9e99081e658200b13a02
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 openssh_6.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 6c851b644..8e8e9d778 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -136,6 +136,14 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
      world-writable.  Local attackers may be able to write arbitrary
      messages to logged-in users, including terminal escape sequences.
      Reported by Nikolay Edigaryev.
+    - sshd(8): Fixed a privilege separation weakness related to PAM support.
+      Attackers who could successfully compromise the pre-authentication
+      process for remote code execution and who had valid credentials on the
+      host could impersonate other users.  Reported by Moritz Jodeit.
+    - sshd(8): Fixed a use-after-free bug related to PAM support that was
+      reachable by attackers who could compromise the pre-authentication
+      process for remote code execution (closes: #795711).  Also reported by
+      Moritz Jodeit.
  * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
    GSSAPI key exchange patch.
diff --git a/debian/patches/backport-do-not-resend-username-to-pam.patch b/debian/patches/backport-do-not-resend-username-to-pam.patch
new file mode 100644
index 000000000..00ace37f1
--- /dev/null
+++ b/debian/patches/backport-do-not-resend-username-to-pam.patch
@@ -0,0 +1,43 @@
+From 5b83c6a466b2a7fe6aaf50e082c58fe63592e211 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 11 Aug 2015 13:33:24 +1000
+Subject: Don't resend username to PAM; it already has it.
+Pointed out by Moritz Jodeit; ok dtucker@
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
+Forwarded: not-needed
+Last-Update: 2015-08-19
+Patch-Name: backport-do-not-resend-username-to-pam.patch
+---
+ monitor.c      | 2 --
+ monitor_wrap.c | 1 -
+ 2 files changed, 3 deletions(-)
+diff --git a/monitor.c b/monitor.c
+index 12ed6fd..870a6b9 100644
+--- a/monitor.c
+++ b/monitor.c
+@@ -1143,9 +1143,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+        debug3("%s", __func__);
+-       authctxt->user = buffer_get_string(m, NULL);
+        sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+        sshpam_authok = NULL;
+        buffer_clear(m);
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index 2a0fe9b..e2fcf75 100644
+--- a/monitor_wrap.c
+++ b/monitor_wrap.c
+@@ -632,7 +632,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+ 
+        debug3("%s", __func__);
+        buffer_init(&m);
+-       buffer_put_cstring(&m, authctxt->user);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+        debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/debian/patches/backport-pam-use-after-free.patch b/debian/patches/backport-pam-use-after-free.patch
new file mode 100644
index 000000000..460654953
--- /dev/null
+++ b/debian/patches/backport-pam-use-after-free.patch
@@ -0,0 +1,39 @@
+From c0ec3def4bec4afe1cad9e99081e658200b13a02 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 11 Aug 2015 13:34:12 +1000
+Subject: set sshpam_ctxt to NULL after free
+Avoids use-after-free in monitor when privsep child is compromised.
+Reported by Moritz Jodeit; ok dtucker@
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
+Forwarded: not-needed
+Last-Update: 2015-08-19
+Patch-Name: backport-pam-use-after-free.patch
+---
+ monitor.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/monitor.c b/monitor.c
+index 870a6b9..e8541b4 100644
+--- a/monitor.c
+++ b/monitor.c
+@@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
+       int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+ 
+        debug3("%s", __func__);
+        (sshpam_device.free_ctx)(sshpam_ctxt);
+       sshpam_ctxt = sshpam_authok = NULL;
+        buffer_clear(m);
+        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+        auth_method = "keyboard-interactive";
+        auth_submethod = "pam";
+-       return (sshpam_authok == sshpam_ctxt);
+       return r;
+ }
+ #endif
+ 
diff --git a/debian/patches/series b/debian/patches/series
index bee70bc30..1a843eac8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,5 @@ gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
 backport-fix-pty-permissions.patch
+backport-do-not-resend-username-to-pam.patch
+backport-pam-use-after-free.patch
diff --git a/monitor.c b/monitor.c
index 12ed6fd00..e8541b4fa 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1143,9 +1143,7 @@ extern KbdintDevice sshpam_device;
 int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
        debug3("%s", __func__);
-        authctxt->user = buffer_get_string(m, NULL);
        sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
        sshpam_authok = NULL;
        buffer_clear(m);
@@ -1227,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+        int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
        debug3("%s", __func__);
        (sshpam_device.free_ctx)(sshpam_ctxt);
+        sshpam_ctxt = sshpam_authok = NULL;
        buffer_clear(m);
        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
        auth_method = "keyboard-interactive";
        auth_submethod = "pam";
-        return (sshpam_authok == sshpam_ctxt);
+        return r;
 }
 #endif
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 2a0fe9bf6..e2fcf75ff 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -632,7 +632,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
        debug3("%s", __func__);
        buffer_init(&m);
-        buffer_put_cstring(&m, authctxt->user);
        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
        debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);

diff --git a/debian/.git-dpm b/debian/.git-dpm index 935f783bc..13b023289 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	12577aa167c76d517bfe78f603fe805f190d8d05	2	c0ec3def4bec4afe1cad9e99081e658200b13a02
3	12577aa167c76d517bfe78f603fe805f190d8d05	3	c0ec3def4bec4afe1cad9e99081e658200b13a02
4	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9	4	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
5	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9	5	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
6	openssh_6.9p1.orig.tar.gz	6	openssh_6.9p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 6c851b644..8e8e9d778 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -136,6 +136,14 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
136	world-writable. Local attackers may be able to write arbitrary	136	world-writable. Local attackers may be able to write arbitrary
137	messages to logged-in users, including terminal escape sequences.	137	messages to logged-in users, including terminal escape sequences.
138	Reported by Nikolay Edigaryev.	138	Reported by Nikolay Edigaryev.
		139	- sshd(8): Fixed a privilege separation weakness related to PAM support.
		140	Attackers who could successfully compromise the pre-authentication
		141	process for remote code execution and who had valid credentials on the
		142	host could impersonate other users. Reported by Moritz Jodeit.
		143	- sshd(8): Fixed a use-after-free bug related to PAM support that was
		144	reachable by attackers who could compromise the pre-authentication
		145	process for remote code execution (closes: #795711). Also reported by
		146	Moritz Jodeit.
139	* Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the	147	* Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
140	GSSAPI key exchange patch.	148	GSSAPI key exchange patch.
141		149


diff --git a/debian/patches/backport-do-not-resend-username-to-pam.patch b/debian/patches/backport-do-not-resend-username-to-pam.patch new file mode 100644 index 000000000..00ace37f1 --- /dev/null +++ b/debian/patches/backport-do-not-resend-username-to-pam.patch
@@ -0,0 +1,43 @@
		1	From 5b83c6a466b2a7fe6aaf50e082c58fe63592e211 Mon Sep 17 00:00:00 2001
		2	From: Damien Miller <djm@mindrot.org>
		3	Date: Tue, 11 Aug 2015 13:33:24 +1000
		4	Subject: Don't resend username to PAM; it already has it.
		5
		6	Pointed out by Moritz Jodeit; ok dtucker@
		7
		8	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
		9	Forwarded: not-needed
		10	Last-Update: 2015-08-19
		11
		12	Patch-Name: backport-do-not-resend-username-to-pam.patch
		13	---
		14	monitor.c \| 2 --
		15	monitor_wrap.c \| 1 -
		16	2 files changed, 3 deletions(-)
		17
		18	diff --git a/monitor.c b/monitor.c
		19	index 12ed6fd..870a6b9 100644
		20	--- a/monitor.c
		21	+++ b/monitor.c
		22	@@ -1143,9 +1143,7 @@ extern KbdintDevice sshpam_device;
		23	int
		24	mm_answer_pam_init_ctx(int sock, Buffer *m)
		25	{
		26	-
		27	debug3("%s", __func__);
		28	- authctxt->user = buffer_get_string(m, NULL);
		29	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
		30	sshpam_authok = NULL;
		31	buffer_clear(m);
		32	diff --git a/monitor_wrap.c b/monitor_wrap.c
		33	index 2a0fe9b..e2fcf75 100644
		34	--- a/monitor_wrap.c
		35	+++ b/monitor_wrap.c
		36	@@ -632,7 +632,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
		37
		38	debug3("%s", __func__);
		39	buffer_init(&m);
		40	- buffer_put_cstring(&m, authctxt->user);
		41	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
		42	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
		43	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);


diff --git a/debian/patches/backport-pam-use-after-free.patch b/debian/patches/backport-pam-use-after-free.patch new file mode 100644 index 000000000..460654953 --- /dev/null +++ b/debian/patches/backport-pam-use-after-free.patch
@@ -0,0 +1,39 @@
		1	From c0ec3def4bec4afe1cad9e99081e658200b13a02 Mon Sep 17 00:00:00 2001
		2	From: Damien Miller <djm@mindrot.org>
		3	Date: Tue, 11 Aug 2015 13:34:12 +1000
		4	Subject: set sshpam_ctxt to NULL after free
		5
		6	Avoids use-after-free in monitor when privsep child is compromised.
		7	Reported by Moritz Jodeit; ok dtucker@
		8
		9	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
		10	Forwarded: not-needed
		11	Last-Update: 2015-08-19
		12
		13	Patch-Name: backport-pam-use-after-free.patch
		14	---
		15	monitor.c \| 4 +++-
		16	1 file changed, 3 insertions(+), 1 deletion(-)
		17
		18	diff --git a/monitor.c b/monitor.c
		19	index 870a6b9..e8541b4 100644
		20	--- a/monitor.c
		21	+++ b/monitor.c
		22	@@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
		23	int
		24	mm_answer_pam_free_ctx(int sock, Buffer *m)
		25	{
		26	+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
		27
		28	debug3("%s", __func__);
		29	(sshpam_device.free_ctx)(sshpam_ctxt);
		30	+ sshpam_ctxt = sshpam_authok = NULL;
		31	buffer_clear(m);
		32	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
		33	auth_method = "keyboard-interactive";
		34	auth_submethod = "pam";
		35	- return (sshpam_authok == sshpam_ctxt);
		36	+ return r;
		37	}
		38	#endif
		39


diff --git a/debian/patches/series b/debian/patches/series index bee70bc30..1a843eac8 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -28,3 +28,5 @@ gnome-ssh-askpass2-icon.patch
28	sigstop.patch	28	sigstop.patch
29	debian-config.patch	29	debian-config.patch
30	backport-fix-pty-permissions.patch	30	backport-fix-pty-permissions.patch
		31	backport-do-not-resend-username-to-pam.patch
		32	backport-pam-use-after-free.patch


diff --git a/monitor.c b/monitor.c index 12ed6fd00..e8541b4fa 100644 --- a/monitor.c +++ b/monitor.c
@@ -1143,9 +1143,7 @@ extern KbdintDevice sshpam_device;
1143	int	1143	int
1144	mm_answer_pam_init_ctx(int sock, Buffer *m)	1144	mm_answer_pam_init_ctx(int sock, Buffer *m)
1145	{	1145	{
1146
1147	debug3("%s", __func__);	1146	debug3("%s", __func__);
1148	authctxt->user = buffer_get_string(m, NULL);
1149	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);	1147	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
1150	sshpam_authok = NULL;	1148	sshpam_authok = NULL;
1151	buffer_clear(m);	1149	buffer_clear(m);
@@ -1227,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
1227	int	1225	int
1228	mm_answer_pam_free_ctx(int sock, Buffer *m)	1226	mm_answer_pam_free_ctx(int sock, Buffer *m)
1229	{	1227	{
		1228	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
1230		1229
1231	debug3("%s", __func__);	1230	debug3("%s", __func__);
1232	(sshpam_device.free_ctx)(sshpam_ctxt);	1231	(sshpam_device.free_ctx)(sshpam_ctxt);
		1232	sshpam_ctxt = sshpam_authok = NULL;
1233	buffer_clear(m);	1233	buffer_clear(m);
1234	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);	1234	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
1235	auth_method = "keyboard-interactive";	1235	auth_method = "keyboard-interactive";
1236	auth_submethod = "pam";	1236	auth_submethod = "pam";
1237	return (sshpam_authok == sshpam_ctxt);	1237	return r;
1238	}	1238	}
1239	#endif	1239	#endif
1240		1240


diff --git a/monitor_wrap.c b/monitor_wrap.c index 2a0fe9bf6..e2fcf75ff 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c
@@ -632,7 +632,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
632		632
633	debug3("%s", __func__);	633	debug3("%s", __func__);
634	buffer_init(&m);	634	buffer_init(&m);
635	buffer_put_cstring(&m, authctxt->user);
636	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);	635	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
637	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);	636	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
638	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);	637	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);