doc/website/static/security/patches/SA-15:22/openssh.patch

Index: crypto/openssh/monitor.c
===================================================================
--- crypto/openssh/monitor.c	(revision 286787)
+++ crypto/openssh/monitor.c	(working copy)
@@ -1027,9 +1027,7 @@ extern KbdintDevice sshpam_device;
 int
 mm_answer_pam_init_ctx(int sock, Buffer *m)
 {
-
 	debug3("%s", __func__);
-	authctxt->user = buffer_get_string(m, NULL);
 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
 	sshpam_authok = NULL;
 	buffer_clear(m);
@@ -1111,14 +1109,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
 int
 mm_answer_pam_free_ctx(int sock, Buffer *m)
 {
+	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
 
 	debug3("%s", __func__);
 	(sshpam_device.free_ctx)(sshpam_ctxt);
+	sshpam_ctxt = sshpam_authok = NULL;
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 	auth_method = "keyboard-interactive";
 	auth_submethod = "pam";
-	return (sshpam_authok == sshpam_ctxt);
+	return r;
 }
 #endif
 
Index: crypto/openssh/monitor_wrap.c
===================================================================
--- crypto/openssh/monitor_wrap.c	(revision 286787)
+++ crypto/openssh/monitor_wrap.c	(working copy)
@@ -820,7 +820,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
 
 	debug3("%s", __func__);
 	buffer_init(&m);
-	buffer_put_cstring(&m, authctxt->user);
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
 	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
Index: crypto/openssh/mux.c
===================================================================
--- crypto/openssh/mux.c	(revision 286787)
+++ crypto/openssh/mux.c	(working copy)
@@ -635,7 +635,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer
 	u_int lport, cport;
 	int i, ret = 0, freefwd = 1;
 
-	fwd.listen_host = fwd.connect_host = NULL;
+	memset(&fwd, 0, sizeof(fwd));
+
 	if (buffer_get_int_ret(&ftype, m) != 0 ||
 	    (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
 	    buffer_get_int_ret(&lport, m) != 0 ||
@@ -785,7 +786,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffe
 	int i, listen_port, ret = 0;
 	u_int lport, cport;
 
-	fwd.listen_host = fwd.connect_host = NULL;
+	memset(&fwd, 0, sizeof(fwd));
+
 	if (buffer_get_int_ret(&ftype, m) != 0 ||
 	    (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
 	    buffer_get_int_ret(&lport, m) != 0 ||