author | Natanael Copa <ncopa@alpinelinux.org> | 2015-08-26 11:28:34 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-08-26 11:28:34 +0200 |
commit | 26c30cf5be4151eee04678ad118d056de0601833 (patch) | |
tree | 15197d4f861c9056c026546a41d12ed33a16df75 /main/openssh/CVE-2015-6564.patch | |
parent | fd2d5633fcea1fb35f3b67dfe1c51aebcac3696f (diff) | |

main/openssh: security fixes from upstream

ref #4578

CVE-2015-6563:
sshd(8): Portable OpenSSH only: Fixed a privilege separation
weakness related to PAM support. Attackers who could successfully
compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could
impersonate other users. Reported by Moritz Jodeit.

CVE-2015-6564:
sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to
PAM support that was reachable by attackers who could compromise the
pre-authentication process for remote code execution. Also reported by
Moritz Jodeit.

CVE-2015-6565:
sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
writable. Local attackers may be able to write arbitrary messages
to logged-in users, including terminal escape sequences.
Reported by Nikolay Edigaryev.

Diffstat (limited to 'main/openssh/CVE-2015-6564.patch')
-rw-r--r-- | main/openssh/CVE-2015-6564.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/main/openssh/CVE-2015-6564.patch b/main/openssh/CVE-2015-6564.patch new file mode 100644 index 0000000000..e278dd7414 --- /dev/null +++ b/main/openssh/CVE-2015-6564.patch @@ -0,0 +1,33 @@ +From 5e75f5198769056089fb06c4d738ab0e5abc66f7 Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Tue, 11 Aug 2015 13:34:12 +1000 +Subject: [PATCH] set sshpam_ctxt to NULL after free + +Avoids use-after-free in monitor when privsep child is compromised. +Reported by Moritz Jodeit; ok dtucker@ +--- + monitor.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/monitor.c b/monitor.c +index f1b873d..a914209 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m) + int + mm_answer_pam_free_ctx(int sock, Buffer *m) + { ++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; + + debug3("%s", __func__); + (sshpam_device.free_ctx)(sshpam_ctxt); ++ sshpam_ctxt = sshpam_authok = NULL; + buffer_clear(m); + mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); + auth_method = "keyboard-interactive"; + auth_submethod = "pam"; +- return (sshpam_authok == sshpam_ctxt); ++ return r; + } + #endif + |
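
Review bot: The `sshpam_authok != NULL` term in the new `r` initializer of mm_answer_pam_free_ctx changes the function's return value as well as fixing the dangling pointer, while the patch description mentions only the NULL assignment. Before this change the function returned `sshpam_authok == sshpam_ctxt`, which is true when both pointers are NULL; now that both are reset to NULL after the free, a repeated free request would compare NULL with NULL and report success without that extra term, so it is needed and deserves a one-line comment in the code. Separately, `(sshpam_device.free_ctx)(sshpam_ctxt)` is still called unconditionally, so a second request passes NULL to free_ctx; nothing in the hunk shows that free_ctx accepts NULL, so either guard the call with `if (sshpam_ctxt != NULL)` or confirm that it does.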