Diffstat (limited to 'main/openssh/CVE-2015-6564.patch')
-rw-r--r--main/openssh/CVE-2015-6564.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/main/openssh/CVE-2015-6564.patch b/main/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000000..e278dd7414
--- /dev/null
+++ b/main/openssh/CVE-2015-6564.patch
@@ -0,0 +1,33 @@
+From 5e75f5198769056089fb06c4d738ab0e5abc66f7 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 11 Aug 2015 13:34:12 +1000
+Subject: [PATCH] set sshpam_ctxt to NULL after free
+
+Avoids use-after-free in monitor when privsep child is compromised.
+Reported by Moritz Jodeit; ok dtucker@
+---
+ monitor.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/monitor.c b/monitor.c
+index f1b873d..a914209 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
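Review bot: In the embedded monitor.c hunk, once `sshpam_ctxt = sshpam_authok = NULL;` has run, a repeated free-context request from the unprivileged child reaches `(sshpam_device.free_ctx)(sshpam_ctxt)` with a NULL argument, and nothing in mm_answer_pam_free_ctx rejects that case. Whether the free_ctx implementation tolerates NULL is not visible here. If no legitimate path frees twice, a guard before the call such as `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);` would make the monitor fail closed. The other PAM handlers that use sshpam_ctxt (mm_answer_pam_respond is named in the hunk header, but its body is outside the hunk) presumably need the same check, since this function can now leave the pointer NULL between requests. A short comment above `int r = ...`, for example `/* evaluate before free_ctx(); both pointers are cleared afterwards */`, would also record why the result has to be computed first.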