Diffstat (limited to 'meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch')
-rw-r--r-- | meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000000..588d42d766
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
+CVE-2015-6564
+
+ set sshpam_ctxt to NULL after free
+
+ Avoids use-after-free in monitor when privsep child is compromised.
+ Reported by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+ |
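Review bot: With this backport `sshpam_ctxt` stays NULL once `mm_answer_pam_free_ctx` has run, yet the function still calls `(sshpam_device.free_ctx)(sshpam_ctxt)` unconditionally, so a repeated free-context request from the unprivileged child would pass NULL to the PAM device callback. That is a much safer failure than the use-after-free, but whether `free_ctx` and the sibling handler `mm_answer_pam_respond` (named in the inner hunk header, body not shown) tolerate a NULL context cannot be seen from here. A guard at the top of the function such as `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);` would make that case explicit in the privileged monitor. Separately, the diffstat on this page is limited to the patch file itself, so confirm the openssh recipe's SRC_URI lists `CVE-2015-6564.patch`; a patch that is not listed is silently never applied.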