Sorry, I forgot to add the patch.

Thanks, Tobias
diff -urpN libpam-ssh-1.91.0/debian/patches/00list libpam-ssh-1.91.0.new/debian/patches/00list
--- libpam-ssh-1.91.0/debian/patches/00list	2007-08-17 16:31:35.000000000 +0200
+++ libpam-ssh-1.91.0.new/debian/patches/00list	2007-08-17 16:31:01.000000000 +0200
@@ -1,2 +1,3 @@
 01_home_cleanup.dpatch
 02-fix-getpwname.dpatch
+03-cve-2007-0844.dpatch
diff -urpN libpam-ssh-1.91.0/debian/patches/03-cve-2007-0844.dpatch libpam-ssh-1.91.0.new/debian/patches/03-cve-2007-0844.dpatch
--- libpam-ssh-1.91.0/debian/patches/03-cve-2007-0844.dpatch	1970-01-01 01:00:00.000000000 +0100
+++ libpam-ssh-1.91.0.new/debian/patches/03-cve-2007-0844.dpatch	2007-08-16 20:14:42.000000000 +0200
@@ -0,0 +1,90 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03-cve-2007-0844.dpatch taken from upstream release 1.92
+##
+## DP: Fix CVE-2007-0844
+## DP: (Closes: #410236)
+
+--- libpam-ssh-1.91.0/pam_ssh.c	2004-04-12 15:55:08.000000000 +0200
++++ libpam-ssh-1.92/pam_ssh.c	2007-02-06 19:10:46.000000000 +0100
+@@ -1,5 +1,5 @@
+ /*-
+- * Copyright (c) 1999, 2000, 2001, 2002, 2004 Andrew J. Korty
++ * Copyright (c) 1999-2002, 2004, 2007 Andrew J. Korty
+  * All rights reserved.
+  *
+  * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+@@ -31,7 +31,7 @@
+  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+  * SUCH DAMAGE.
+  *
+- * $Id: pam_ssh.c,v 1.81 2004/04/12 13:55:08 akorty Exp $
++ * $Id: pam_ssh.c,v 1.83 2007/02/06 18:10:46 akorty Exp $
+  */
+ 
+ /* to get the asprintf() prototype from the glibc headers */
+@@ -196,6 +196,27 @@ ssh_cleanup(pam_handle_t *pamh __unused,
+ 
+ 
+ /*
++ * If the private key's passphrase is blank, only load it if the
++ * *supplied* passphrase is blank and if allow_blank_passphrase is
++ * set.
++ */
++
++static Key *
++key_load_private_maybe(const char *path, const char *passphrase,
++    char **commentp, int allow_blank)
++{
++        Key *key;
++
++        /* try loading the key with a blank passphrase */
++        key = key_load_private(path, "", commentp);
++        if (key)
++                return allow_blank && *passphrase == '\0' ? key : NULL;
++
++        /* the private key's passphrase isn't blank */
++        return key_load_private(path, passphrase, commentp);
++}
++
++/*
+  * Authenticate a user's key by trying to decrypt it with the password
+  * provided.  The key and its comment are then stored for later
+  * retrieval by the session phase.  An increasing index is embedded in
+@@ -205,7 +226,7 @@ ssh_cleanup(pam_handle_t *pamh __unused,
+ 
+ static int
+ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
+-    const struct passwd *user, const char *pass)
++    const struct passwd *user, const char *pass, int allow_blank)
+ {
+ 	char *comment;		/* private key comment */
+ 	char *data_name;	/* PAM state */
+@@ -230,7 +251,7 @@ auth_via_key(pam_handle_t *pamh, const c
+ 	   success, the user is authenticated. */
+ 
+ 	comment = NULL;
+-	key = key_load_private(path, pass, &comment);
++	key = key_load_private_maybe(path, pass, &comment, allow_blank);
+ 	free(path);
+ 	if (!comment && !(comment = strdup(file))) {
+ 		pam_ssh_log(LOG_CRIT, "out of memory");
+@@ -427,7 +448,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
+ 		openpam_restore_cred(pamh);
+ 		return retval;
+ 	}
+-	if (!pass || (!allow_blank_passphrase && *pass == '\0')) {
++	if (!pass) {
+ 		openpam_restore_cred(pamh);
+ 		return PAM_AUTH_ERR;
+ 	}
+@@ -451,8 +472,8 @@ pam_sm_authenticate(pam_handle_t *pamh, 
+ 	}
+ 	for (file = strtok(keyfiles, SEP_KEYFILES); file;
+ 	     file = strtok(NULL, SEP_KEYFILES))
+-		if (auth_via_key(pamh, file, dotdir, pwent, pass)
+-		    == PAM_SUCCESS)
++		if (auth_via_key(pamh, file, dotdir, pwent, pass,
++                    allow_blank_passphrase) == PAM_SUCCESS)
+ 			authenticated = 1;
+ 	free(dotdir);
+ 	free(keyfiles);

Attachment: signature.asc
Description: Digital signature



Reply via email to