summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--auth.h1
-rw-r--r--debian/changelog6
-rw-r--r--log.c12
-rw-r--r--log.h1
-rw-r--r--session.c2
-rw-r--r--sshd.c5
6 files changed, 23 insertions, 4 deletions
diff --git a/auth.h b/auth.h
index 267e7b022..e76cf871a 100644
--- a/auth.h
+++ b/auth.h
@@ -49,6 +49,7 @@ typedef struct KbdintDevice KbdintDevice;
49 49
50struct Authctxt { 50struct Authctxt {
51 int success; 51 int success;
52 int authenticated; /* authenticated and alarms cancelled */
52 int postponed; /* authentication needs another step */ 53 int postponed; /* authentication needs another step */
53 int valid; /* user exists and is allowed to login */ 54 int valid; /* user exists and is allowed to login */
54 int attempt; 55 int attempt;
diff --git a/debian/changelog b/debian/changelog
index 705a61580..6007a9d7b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,12 @@ openssh (1:4.3p2-4) UNRELEASED; urgency=high
5 - CVE-2006-4924: Fix a pre-authentication denial of service found by 5 - CVE-2006-4924: Fix a pre-authentication denial of service found by
6 Tavis Ormandy, that would cause sshd(8) to spin until the login grace 6 Tavis Ormandy, that would cause sshd(8) to spin until the login grace
7 time expired (closes: #389995). 7 time expired (closes: #389995).
8 - CVE-2006-5051: Fix an unsafe signal hander reported by Mark Dowd. The
9 signal handler was vulnerable to a race condition that could be
10 exploited to perform a pre-authentication denial of service. On
11 portable OpenSSH, this vulnerability could theoretically lead to
12 pre-authentication remote code execution if GSSAPI authentication is
13 enabled, but the likelihood of successful exploitation appears remote.
8 14
9 * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël 15 * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël
10 Hertzog; closes: #369395). 16 Hertzog; closes: #369395).
diff --git a/log.c b/log.c
index c09786ade..07f866230 100644
--- a/log.c
+++ b/log.c
@@ -131,6 +131,18 @@ error(const char *fmt,...)
131 va_end(args); 131 va_end(args);
132} 132}
133 133
134void
135sigdie(const char *fmt,...)
136{
137 va_list args;
138
139 va_start(args, fmt);
140 do_log(SYSLOG_LEVEL_FATAL, fmt, args);
141 va_end(args);
142 _exit(1);
143}
144
145
134/* Log this message (information that usually should go to the log). */ 146/* Log this message (information that usually should go to the log). */
135 147
136void 148void
diff --git a/log.h b/log.h
index d7170fc22..76012180c 100644
--- a/log.h
+++ b/log.h
@@ -56,6 +56,7 @@ LogLevel log_level_number(char *);
56 56
57void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2))); 57void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2)));
58void error(const char *, ...) __attribute__((format(printf, 1, 2))); 58void error(const char *, ...) __attribute__((format(printf, 1, 2)));
59void sigdie(const char *, ...) __attribute__((format(printf, 1, 2)));
59void logit(const char *, ...) __attribute__((format(printf, 1, 2))); 60void logit(const char *, ...) __attribute__((format(printf, 1, 2)));
60void verbose(const char *, ...) __attribute__((format(printf, 1, 2))); 61void verbose(const char *, ...) __attribute__((format(printf, 1, 2)));
61void debug(const char *, ...) __attribute__((format(printf, 1, 2))); 62void debug(const char *, ...) __attribute__((format(printf, 1, 2)));
diff --git a/session.c b/session.c
index daad03929..3420db57d 100644
--- a/session.c
+++ b/session.c
@@ -2440,7 +2440,7 @@ do_cleanup(Authctxt *authctxt)
2440 return; 2440 return;
2441 called = 1; 2441 called = 1;
2442 2442
2443 if (authctxt == NULL) 2443 if (authctxt == NULL || !authctxt->authenticated)
2444 return; 2444 return;
2445#ifdef KRB5 2445#ifdef KRB5
2446 if (options.kerberos_ticket_cleanup && 2446 if (options.kerberos_ticket_cleanup &&
diff --git a/sshd.c b/sshd.c
index 85b679d5e..b1776ef45 100644
--- a/sshd.c
+++ b/sshd.c
@@ -310,13 +310,11 @@ main_sigchld_handler(int sig)
310static void 310static void
311grace_alarm_handler(int sig) 311grace_alarm_handler(int sig)
312{ 312{
313 /* XXX no idea how fix this signal handler */
314
315 if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) 313 if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
316 kill(pmonitor->m_pid, SIGALRM); 314 kill(pmonitor->m_pid, SIGALRM);
317 315
318 /* Log error and exit. */ 316 /* Log error and exit. */
319 fatal("Timeout before authentication for %s", get_remote_ipaddr()); 317 sigdie("Timeout before authentication for %s", get_remote_ipaddr());
320} 318}
321 319
322/* 320/*
@@ -1797,6 +1795,7 @@ main(int ac, char **av)
1797 */ 1795 */
1798 alarm(0); 1796 alarm(0);
1799 signal(SIGALRM, SIG_DFL); 1797 signal(SIGALRM, SIG_DFL);
1798 authctxt->authenticated = 1;
1800 if (startup_pipe != -1) { 1799 if (startup_pipe != -1) {
1801 close(startup_pipe); 1800 close(startup_pipe);
1802 startup_pipe = -1; 1801 startup_pipe = -1;