diff options
author | Armin Kuster <akuster@mvista.com> | 2015-09-08 17:22:26 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-09-18 19:22:24 +0100 |
commit | c18dff0871ae65b9743d48cc3735f24816ed74af (patch) | |
tree | 6f41c9abf64bdd5cfe2daa49485efa2eefba7320 /meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch | |
parent | ab7f4c1a6d41b80d4e0c0c5ca3d6c94acd82ae1b (diff) | |
download | poky-c18dff0871ae65b9743d48cc3735f24816ed74af.tar.gz |
openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
three security fixes.
CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support
CVE-2015-6564 (medium) openssh: Use-after-free bug related to PAM support
CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world-writable
(From OE-Core rev: 259df232b513367a0a18b17e3e377260a770288f)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch new file mode 100644 index 0000000000..588d42d766 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | CVE-2015-6564 | ||
2 | |||
3 | set sshpam_ctxt to NULL after free | ||
4 | |||
5 | Avoids use-after-free in monitor when privsep child is compromised. | ||
6 | Reported by Moritz Jodeit; ok dtucker@ | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7 | ||
10 | |||
11 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
12 | |||
13 | Index: openssh-6.7p1/monitor.c | ||
14 | =================================================================== | ||
15 | --- openssh-6.7p1.orig/monitor.c | ||
16 | +++ openssh-6.7p1/monitor.c | ||
17 | @@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer * | ||
18 | int | ||
19 | mm_answer_pam_free_ctx(int sock, Buffer *m) | ||
20 | { | ||
21 | + int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; | ||
22 | |||
23 | debug3("%s", __func__); | ||
24 | (sshpam_device.free_ctx)(sshpam_ctxt); | ||
25 | + sshpam_ctxt = sshpam_authok = NULL; | ||
26 | buffer_clear(m); | ||
27 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | ||
28 | auth_method = "keyboard-interactive"; | ||
29 | auth_submethod = "pam"; | ||
30 | - return (sshpam_authok == sshpam_ctxt); | ||
31 | + return r; | ||
32 | } | ||
33 | #endif | ||
34 | |||