openssh: Backport fix for CVE-2015-8325

PAM environment vars must be ignored when UseLogin=yes (From OE-Core rev: 0a06be81cb650def54a4c2059bd728c75954306f) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jussi Kukkonen <jussi.kukkonen@intel.com> 2016-05-18 15:11:56 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-05-19 09:05:19 +0100
commit: 90cb500a7ffb54940c6eedfba38e7a4f97267702 (patch)
tree: c4e95973b29757deec2eef43561853d95e4813b3 /meta/recipes-connectivity
parent: 4d72f506311b81653df703e00c370155e6870cd8 (diff)
download: poky-90cb500a7ffb54940c6eedfba38e7a4f97267702.tar.gz
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch
new file mode 100644
index 0000000000..226389718d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch
@@ -0,0 +1,39 @@
+From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 13 Apr 2016 10:39:57 +1000
+Subject: ignore PAM environment vars when UseLogin=yes
+If PAM is configured to read user-specified environment variables
+and UseLogin=yes in sshd_config, then a hostile local user may
+attack /bin/login via LD_PRELOAD or similar environment variables
+set via PAM.
+CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
+https://anongit.mindrot.org/openssh.git/commit/session.c?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
+CVE: CVE-2015-8325
+Upstream-Status: Backport
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+---
+ session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/session.c b/session.c
+index 4859245..4653b09 100644
+--- a/session.c
+++ b/session.c
+@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
+         * Pull in any environment variables that may have
+         * been set by PAM.
+         */
+-       if (options.use_pam) {
+       if (options.use_pam && !options.use_login) {
+                char **p;
+ 
+                p = fetch_pam_child_environment();
+-- 
+cgit v0.11.2
diff --git a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
index 173f80a2af..7e047168dc 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://volatiles.99_sshd \
           file://add-test-support-for-busybox.patch \
           file://run-ptest \
+           file://CVE-2015-8325.patch \
           "
 PAM_SRC_URI = "file://sshd"
author	Jussi Kukkonen <jussi.kukkonen@intel.com>	2016-05-18 15:11:56 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-05-19 09:05:19 +0100
commit	90cb500a7ffb54940c6eedfba38e7a4f97267702 (patch)
tree	c4e95973b29757deec2eef43561853d95e4813b3 /meta/recipes-connectivity
parent	4d72f506311b81653df703e00c370155e6870cd8 (diff)
download	poky-90cb500a7ffb54940c6eedfba38e7a4f97267702.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch new file mode 100644 index 0000000000..226389718d --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-8325.patch
@@ -0,0 +1,39 @@
		1	From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
		2	From: Damien Miller <djm@mindrot.org>
		3	Date: Wed, 13 Apr 2016 10:39:57 +1000
		4	Subject: ignore PAM environment vars when UseLogin=yes
		5
		6	If PAM is configured to read user-specified environment variables
		7	and UseLogin=yes in sshd_config, then a hostile local user may
		8	attack /bin/login via LD_PRELOAD or similar environment variables
		9	set via PAM.
		10
		11	CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
		12
		13
		14
		15	https://anongit.mindrot.org/openssh.git/commit/session.c?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
		16
		17	CVE: CVE-2015-8325
		18	Upstream-Status: Backport
		19	Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
		20	---
		21	session.c \| 2 +-
		22	1 file changed, 1 insertion(+), 1 deletion(-)
		23
		24	diff --git a/session.c b/session.c
		25	index 4859245..4653b09 100644
		26	--- a/session.c
		27	+++ b/session.c
		28	@@ -1322,7 +1322,7 @@ do_setup_env(Session s, const char shell)
		29	* Pull in any environment variables that may have
		30	* been set by PAM.
		31	*/
		32	- if (options.use_pam) {
		33	+ if (options.use_pam && !options.use_login) {
		34	char **p;
		35
		36	p = fetch_pam_child_environment();
		37	--
		38	cgit v0.11.2
		39


diff --git a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb index 173f80a2af..7e047168dc 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.2p2.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.2p2.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
21	file://volatiles.99_sshd \	21	file://volatiles.99_sshd \
22	file://add-test-support-for-busybox.patch \	22	file://add-test-support-for-busybox.patch \
23	file://run-ptest \	23	file://run-ptest \
		24	file://CVE-2015-8325.patch \
24	"	25	"
25		26
26	PAM_SRC_URI = "file://sshd"	27	PAM_SRC_URI = "file://sshd"