1 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000000..588d42d766
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
+CVE-2015-6564
+ set sshpam_ctxt to NULL after free
+ Avoids use-after-free in monitor when privsep child is compromised.
+ Reported by Moritz Jodeit; ok dtucker@
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
+++ openssh-6.7p1/monitor.c
+@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
+    int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+ 
+        debug3("%s", __func__);
+        (sshpam_device.free_ctx)(sshpam_ctxt);
+    sshpam_ctxt = sshpam_authok = NULL;
+        buffer_clear(m);
+        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+        auth_method = "keyboard-interactive";
+        auth_submethod = "pam";
+-       return (sshpam_authok == sshpam_ctxt);
+       return r;
+ }
+ #endif
+

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch new file mode 100644 index 0000000000..588d42d766 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
	1	CVE-2015-6564
	2
	3	set sshpam_ctxt to NULL after free
	4
	5	Avoids use-after-free in monitor when privsep child is compromised.
	6	Reported by Moritz Jodeit; ok dtucker@
	7
	8	Upstream-Status: Backport
	9	https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
	10
	11	Signed-off-by: Armin Kuster <akuster@mvista.com>
	12
	13	Index: openssh-6.7p1/monitor.c
	14	===================================================================
	15	--- openssh-6.7p1.orig/monitor.c
	16	+++ openssh-6.7p1/monitor.c
	17	@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
	18	int
	19	mm_answer_pam_free_ctx(int sock, Buffer *m)
	20	{
	21	+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
	22
	23	debug3("%s", __func__);
	24	(sshpam_device.free_ctx)(sshpam_ctxt);
	25	+ sshpam_ctxt = sshpam_authok = NULL;
	26	buffer_clear(m);
	27	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
	28	auth_method = "keyboard-interactive";
	29	auth_submethod = "pam";
	30	- return (sshpam_authok == sshpam_ctxt);
	31	+ return r;
	32	}
	33	#endif
	34