diff options
Diffstat (limited to 'main/openssh/CVE-2015-6564.patch')
-rw-r--r-- | main/openssh/CVE-2015-6564.patch | 33 |
1 files changed, 0 insertions, 33 deletions
diff --git a/main/openssh/CVE-2015-6564.patch b/main/openssh/CVE-2015-6564.patch deleted file mode 100644 index e278dd7414..0000000000 --- a/main/openssh/CVE-2015-6564.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 5e75f5198769056089fb06c4d738ab0e5abc66f7 Mon Sep 17 00:00:00 2001 -From: Damien Miller <djm@mindrot.org> -Date: Tue, 11 Aug 2015 13:34:12 +1000 -Subject: [PATCH] set sshpam_ctxt to NULL after free - -Avoids use-after-free in monitor when privsep child is compromised. -Reported by Moritz Jodeit; ok dtucker@ ---- - monitor.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/monitor.c b/monitor.c -index f1b873d..a914209 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m) - int - mm_answer_pam_free_ctx(int sock, Buffer *m) - { -+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; - - debug3("%s", __func__); - (sshpam_device.free_ctx)(sshpam_ctxt); -+ sshpam_ctxt = sshpam_authok = NULL; - buffer_clear(m); - mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); - auth_method = "keyboard-interactive"; - auth_submethod = "pam"; -- return (sshpam_authok == sshpam_ctxt); -+ return r; - } - #endif - |