Sorry, I forgot to add the patch. Thanks, Tobias
diff -urpN libpam-ssh-1.91.0/debian/patches/00list libpam-ssh-1.91.0.new/debian/patches/00list
--- libpam-ssh-1.91.0/debian/patches/00list 2007-08-17 16:31:35.000000000 +0200
+++ libpam-ssh-1.91.0.new/debian/patches/00list 2007-08-17 16:31:01.000000000 +0200
@@ -1,2 +1,3 @@
01_home_cleanup.dpatch
02-fix-getpwname.dpatch
+03-cve-2007-0844.dpatch
diff -urpN libpam-ssh-1.91.0/debian/patches/03-cve-2007-0844.dpatch libpam-ssh-1.91.0.new/debian/patches/03-cve-2007-0844.dpatch
--- libpam-ssh-1.91.0/debian/patches/03-cve-2007-0844.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ libpam-ssh-1.91.0.new/debian/patches/03-cve-2007-0844.dpatch 2007-08-16 20:14:42.000000000 +0200
@@ -0,0 +1,90 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03-cve-2007-0844.dpatch taken from upstream release 1.92
+##
+## DP: Fix CVE-2007-0844
+## DP: (Closes: #410236)
+
+--- libpam-ssh-1.91.0/pam_ssh.c 2004-04-12 15:55:08.000000000 +0200
++++ libpam-ssh-1.92/pam_ssh.c 2007-02-06 19:10:46.000000000 +0100
+@@ -1,5 +1,5 @@
+ /*-
+- * Copyright (c) 1999, 2000, 2001, 2002, 2004 Andrew J. Korty
++ * Copyright (c) 1999-2002, 2004, 2007 Andrew J. Korty
+ * All rights reserved.
+ *
+ * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+@@ -31,7 +31,7 @@
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+- * $Id: pam_ssh.c,v 1.81 2004/04/12 13:55:08 akorty Exp $
++ * $Id: pam_ssh.c,v 1.83 2007/02/06 18:10:46 akorty Exp $
+ */
+
+ /* to get the asprintf() prototype from the glibc headers */
+@@ -196,6 +196,27 @@ ssh_cleanup(pam_handle_t *pamh __unused,
+
+
+ /*
++ * If the private key's passphrase is blank, only load it if the
++ * *supplied* passphrase is blank and if allow_blank_passphrase is
++ * set.
++ */
++
++static Key *
++key_load_private_maybe(const char *path, const char *passphrase,
++ char **commentp, int allow_blank)
++{
++ Key *key;
++
++ /* try loading the key with a blank passphrase */
++ key = key_load_private(path, "", commentp);
++ if (key)
++ return allow_blank && *passphrase == '\0' ? key : NULL;
++
++ /* the private key's passphrase isn't blank */
++ return key_load_private(path, passphrase, commentp);
++}
++
++/*
+ * Authenticate a user's key by trying to decrypt it with the password
+ * provided. The key and its comment are then stored for later
+ * retrieval by the session phase. An increasing index is embedded in
+@@ -205,7 +226,7 @@ ssh_cleanup(pam_handle_t *pamh __unused,
+
+ static int
+ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
+- const struct passwd *user, const char *pass)
++ const struct passwd *user, const char *pass, int allow_blank)
+ {
+ char *comment; /* private key comment */
+ char *data_name; /* PAM state */
+@@ -230,7 +251,7 @@ auth_via_key(pam_handle_t *pamh, const c
+ success, the user is authenticated. */
+
+ comment = NULL;
+- key = key_load_private(path, pass, &comment);
++ key = key_load_private_maybe(path, pass, &comment, allow_blank);
+ free(path);
+ if (!comment && !(comment = strdup(file))) {
+ pam_ssh_log(LOG_CRIT, "out of memory");
+@@ -427,7 +448,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
+ openpam_restore_cred(pamh);
+ return retval;
+ }
+- if (!pass || (!allow_blank_passphrase && *pass == '\0')) {
++ if (!pass) {
+ openpam_restore_cred(pamh);
+ return PAM_AUTH_ERR;
+ }
+@@ -451,8 +472,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
+ }
+ for (file = strtok(keyfiles, SEP_KEYFILES); file;
+ file = strtok(NULL, SEP_KEYFILES))
+- if (auth_via_key(pamh, file, dotdir, pwent, pass)
+- == PAM_SUCCESS)
++ if (auth_via_key(pamh, file, dotdir, pwent, pass,
++ allow_blank_passphrase) == PAM_SUCCESS)
+ authenticated = 1;
+ free(dotdir);
+ free(keyfiles);
signature.asc
Description: Digital signature

