meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

CVE-2015-6564

 set sshpam_ctxt to NULL after free

 Avoids use-after-free in monitor when privsep child is compromised.
 Reported by Moritz Jodeit; ok dtucker@

Upstream-Status: Backport
https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7

Signed-off-by: Armin Kuster <akuster@mvista.com>

Index: openssh-6.7p1/monitor.c
===================================================================
--- openssh-6.7p1.orig/monitor.c
+++ openssh-6.7p1/monitor.c
@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+    int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
 	debug3("%s", __func__);
 	(sshpam_device.free_ctx)(sshpam_ctxt);
+    sshpam_ctxt = sshpam_authok = NULL;
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 	auth_method = "keyboard-interactive";
 	auth_submethod = "pam";
-	return (sshpam_authok == sshpam_ctxt);
+	return r;
 }
 #endif