From 0ea48ddd5e714779d7cdafd14f76fa2e96cc70f9 Mon Sep 17 00:00:00 2001
From: Christian Neukirchen
Date: Mon, 6 Jun 2016 13:34:27 +0200
Subject: [PATCH] openssh: security fix for CVE-2015-8325.

> Subject: ignore PAM environment vars when UseLogin=yes
>
> If PAM is configured to read user-specified environment variables
> and UseLogin=yes in sshd_config, then a hostile local user may
> attack /bin/login via LD_PRELOAD or similar environment variables
> set via PAM.
>
> CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
---
 srcpkgs/openssh/patches/CVE-2015-8325.patch | 22 +++++++++++++++++++++
 srcpkgs/openssh/template | 2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/openssh/patches/CVE-2015-8325.patch

diff --git a/srcpkgs/openssh/patches/CVE-2015-8325.patch b/srcpkgs/openssh/patches/CVE-2015-8325.patch
new file mode 100644
index 00000000000..8c735451bd2
--- /dev/null
+++ b/srcpkgs/openssh/patches/CVE-2015-8325.patch
@@ -0,0 +1,22 @@
+From: Damien Miller
+Date: Wed, 13 Apr 2016 10:39:57 +1000
+Subject: ignore PAM environment vars when UseLogin=yes
+
+If PAM is configured to read user-specified environment variables
+and UseLogin=yes in sshd_config, then a hostile local user may
+attack /bin/login via LD_PRELOAD or similar environment variables
+set via PAM.
+
+CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
+
+--- session.c
++++ session.c
+@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
+ * Pull in any environment variables that may have
+ * been set by PAM.
+ */
+- if (options.use_pam) {
++ if (options.use_pam && !options.use_login) {
+ char **p;
+
+ p = fetch_pam_child_environment();
diff --git a/srcpkgs/openssh/template b/srcpkgs/openssh/template
index 5646cf503b8..ccd3456c79a 100644
--- a/srcpkgs/openssh/template
+++ b/srcpkgs/openssh/template
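Review bot: The vendored patch header keeps upstream's author, date and subject but no reference to the upstream commit, so a later auditor cannot confirm that this backport of the `do_setup_env` change matches what upstream shipped; add a line such as `Origin: <UPSTREAM_COMMIT_URL>` (placeholder) to the header of `CVE-2015-8325.patch`. The new condition `options.use_pam && !options.use_login` sits on the block that starts with `fetch_pam_child_environment()`, and that block and the rest of `do_setup_env` continue outside the hunk, so it cannot be confirmed from here that every PAM-sourced variable is copied inside the guarded block. The comment above the condition still reads as if PAM variables are always imported; a line such as `* Skipped with UseLogin: user-set variables such as LD_PRELOAD would reach /bin/login.` would keep the guard from being dropped in a later refactor, though that is best proposed upstream rather than carried as a local divergence.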
@@ -1,7 +1,7 @@ # Template file for 'openssh' pkgname=openssh version=7.2p2 -revision=2 +revision=3 build_style=gnu-configure configure_args="--datadir=/usr/share/openssh --sysconfdir=/etc/ssh --without-selinux --with-privsep-user=nobody