diff options
Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch new file mode 100644 index 0000000000..588d42d766 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | CVE-2015-6564 | ||
2 | |||
3 | set sshpam_ctxt to NULL after free | ||
4 | |||
5 | Avoids use-after-free in monitor when privsep child is compromised. | ||
6 | Reported by Moritz Jodeit; ok dtucker@ | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7 | ||
10 | |||
11 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
12 | |||
13 | Index: openssh-6.7p1/monitor.c | ||
14 | =================================================================== | ||
15 | --- openssh-6.7p1.orig/monitor.c | ||
16 | +++ openssh-6.7p1/monitor.c | ||
17 | @@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer * | ||
18 | int | ||
19 | mm_answer_pam_free_ctx(int sock, Buffer *m) | ||
20 | { | ||
21 | + int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; | ||
22 | |||
23 | debug3("%s", __func__); | ||
24 | (sshpam_device.free_ctx)(sshpam_ctxt); | ||
25 | + sshpam_ctxt = sshpam_authok = NULL; | ||
26 | buffer_clear(m); | ||
27 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | ||
28 | auth_method = "keyboard-interactive"; | ||
29 | auth_submethod = "pam"; | ||
30 | - return (sshpam_authok == sshpam_ctxt); | ||
31 | + return r; | ||
32 | } | ||
33 | #endif | ||
34 | |||