~ubuntu-branches/ubuntu/gutsy/libpam-ssh/gutsy

Viewing changes to debian/patches/03_fix-CVE-2007-0844.dpatch

Committer: Bazaar Package Importer
Author(s): Nico Golde
Date: 2007-08-30 16:55:51 UTC
Revision ID: james.westby@ubuntu.com-20070830165551-ewxabvdssy87x3oe

Tags: 1.91.0-9.2

http://bugs.debian.org/410236

* Non-maintainer upload by testing security team.
* Include 03_fix-CVE-2007-0844 to fix authentication bypass if
allow_blank_passphrase is enabled (CVE-2007-0844) (Closes: #410236).
* Included 04_fix_syslogh_inclusion.dpatch to fix missing inclusion
of syslog headers which lead to FTBFS.

files added:
debian/patches/03_fix-CVE-2007-0844.dpatch

debian/patches/04_fix_syslogh_inclusion.dpatch

files modified:
debian/changelog

debian/patches/00list

Show diffs side-by-side

added added

removed removed

debian/patches/03_fix-CVE-2007-0844.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run

## 03-cve-2007-0844.dpatch taken from upstream release 1.92

## DP: Fix CVE-2007-0844

## DP: (Closes: #410236)

--- libpam-ssh-1.91.0/pam_ssh.c 2004-04-12 15:55:08.000000000 +0200

+++ libpam-ssh-1.92/pam_ssh.c 2007-02-06 19:10:46.000000000 +0100

@@ -1,5 +1,5 @@

/*-

@@ -31,7 +31,7 @@

* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

* SUCH DAMAGE.

- * $Id: pam_ssh.c,v 1.81 2004/04/12 13:55:08 akorty Exp $

+ * $Id: pam_ssh.c,v 1.83 2007/02/06 18:10:46 akorty Exp $

/* to get the asprintf() prototype from the glibc headers */

@@ -196,6 +196,27 @@ ssh_cleanup(pam_handle_t *pamh __unused,

+ * If the private key's passphrase is blank, only load it if the

+ * *supplied* passphrase is blank and if allow_blank_passphrase is

+ * set.

+ */

+static Key *

+key_load_private_maybe(const char *path, const char *passphrase,

+ char **commentp, int allow_blank)

+ Key *key;

+ /* try loading the key with a blank passphrase */

+ key = key_load_private(path, "", commentp);

+ if (key)

+ return allow_blank && *passphrase == '\0' ? key : NULL;

+ /* the private key's passphrase isn't blank */

+ return key_load_private(path, passphrase, commentp);

+/*

* Authenticate a user's key by trying to decrypt it with the password

* provided. The key and its comment are then stored for later

* retrieval by the session phase. An increasing index is embedded in

@@ -205,7 +226,7 @@ ssh_cleanup(pam_handle_t *pamh __unused,

static int

auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,

- const struct passwd *user, const char *pass)

+ const struct passwd *user, const char *pass, int allow_blank)

{

char *comment; /* private key comment */

char *data_name; /* PAM state */

@@ -230,7 +251,7 @@ auth_via_key(pam_handle_t *pamh, const c

success, the user is authenticated. */

comment = NULL;

- key = key_load_private(path, pass, &comment);

+ key = key_load_private_maybe(path, pass, &comment, allow_blank);

free(path);

if (!comment && !(comment = strdup(file))) {

pam_ssh_log(LOG_CRIT, "out of memory");

@@ -427,7 +448,7 @@ pam_sm_authenticate(pam_handle_t *pamh,

openpam_restore_cred(pamh);

return retval;

}

- if (!pass || (!allow_blank_passphrase && *pass == '\0')) {

+ if (!pass) {

openpam_restore_cred(pamh);

return PAM_AUTH_ERR;

}

@@ -451,8 +472,8 @@ pam_sm_authenticate(pam_handle_t *pamh,

}

for (file = strtok(keyfiles, SEP_KEYFILES); file;

file = strtok(NULL, SEP_KEYFILES))

- if (auth_via_key(pamh, file, dotdir, pwent, pass)

- == PAM_SUCCESS)

+ if (auth_via_key(pamh, file, dotdir, pwent, pass,

+ allow_blank_passphrase) == PAM_SUCCESS)

authenticated = 1;

free(dotdir);

free(keyfiles);

Older »