File openssh-6.6p1-pam_privsep_auth_uaf.patch of Package openssh.10219

# HG changeset patch
# Parent  dd91f77c3ad6ff6ab693c1dab38213b247ac9295
Prevent possible use-after-free in PAM authentication monitor when
privilege separation child gets compromised.

CVE-2015-6564
bsc#943006

diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c
--- a/openssh-6.6p1/monitor.c
+++ b/openssh-6.6p1/monitor.c
@@ -1150,24 +1150,26 @@ mm_answer_pam_respond(int sock, Buffer *
 	if (ret == 0)
 		sshpam_authok = sshpam_ctxt;
 	return (0);
 }
 
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
 	debug3("%s", __func__);
 	(sshpam_device.free_ctx)(sshpam_ctxt);
+	sshpam_ctxt = sshpam_authok = NULL;
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 	auth_method = "keyboard-interactive";
 	auth_submethod = "pam";
-	return (sshpam_authok == sshpam_ctxt);
+	return r;
 }
 #endif
 
 int
 mm_answer_keyallowed(int sock, Buffer *m)
 {
 	Key *key;
 	char *cuser, *chost;
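Review bot: Once the context has been freed, `sshpam_ctxt` is NULL, yet `mm_answer_pam_free_ctx` still passes it unchecked to `(sshpam_device.free_ctx)(sshpam_ctxt)`, so a repeated free-context request from the unprivileged child reaches the device callback with a NULL pointer. Whether that callback tolerates NULL is not visible in this hunk, so the monitor should reject the request itself, e.g. `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);` placed right after the `debug3` call. The other PAM handlers that use `sshpam_ctxt` (such as `mm_answer_pam_respond`, whose body starts outside the hunk) presumably need the same guard, since the pointer can now be NULL when their requests arrive. A short comment on `r` would also help the next reader, e.g. `/* capture the auth result before the ctx is freed and both pointers are reset */`.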