File openssh-6.6p1-ignore_PAM_with_UseLogin.patch of Package openssh.10219

# HG changeset patch
# Parent  e069c98c247ddc6573d136678054cf2c82aee4db

Do not import PAM environment variables when using login, since it may have
security implications.

CVE-2015-8325
bsc#975865

Backport of upstream commit 85bdcd7c92fe7ff133bbc4e10a65c91810f88755

diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c
--- a/openssh-6.6p1/session.c
+++ b/openssh-6.6p1/session.c
@@ -1347,17 +1347,17 @@ do_setup_env(Session *s, const char *she
 		child_set_env(&env, &envsize, "KRB5CCNAME",
 		    s->authctxt->krb5_ccname);
 #endif
 #ifdef USE_PAM
 	/*
 	 * Pull in any environment variables that may have
 	 * been set by PAM.
 	 */
-	if (options.use_pam) {
+	if (options.use_pam && !options.use_login) {
 		char **p;
 
 		p = fetch_pam_child_environment();
 		copy_environment(p, &env, &envsize);
 		free_pam_environment(p);
 
 		p = fetch_pam_environment();
 		copy_environment(p, &env, &envsize);
openSUSE Build Service is sponsored by