A signal handler in sshd(8) calls a function that is not async-signal-safe.

laffer1 · laffer1 · commit 00adcc7a9437 · 2024-07-01T09:50:10.000-04:00
The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges. This issue is a regression of CVE-2006-5051 originally reported by Mark Dowd and accidentally reintroduced in OpenSSH 8.5p1. Obtained from: OpenSSH/FreeBSD
diff --git a/crypto/openssh/log.c b/crypto/openssh/log.c
@@ -451,12 +451,14 @@ void
 sshsigdie(const char *file, const char *func, int line, int showfunc,
     LogLevel level, const char *suffix, const char *fmt, ...)
 {
+#if 0
 	va_list args;
 
 	va_start(args, fmt);
 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
 	    suffix, fmt, args);
 	va_end(args);
+#endif
 	_exit(1);
 }
 
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
@@ -5,4 +5,4 @@
 #define SSH_PORTABLE	"p2"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 
-#define SSH_VERSION_MIDNIGHTBSD	"MidnightBSD-20231226"
+#define SSH_VERSION_MIDNIGHTBSD	"MidnightBSD-20240701"

Original file line number	Diff line number	Diff line change
`@@ -451,12 +451,14 @@ void`
`451`	`451`	`sshsigdie(const char file, const char func, int line, int showfunc,`
`452`	`452`	`LogLevel level, const char suffix, const char fmt, ...)`
`453`	`453`	`{`
	`454`	`+#if 0`
`454`	`455`	`va_list args;`
`455`	`456`
`456`	`457`	`va_start(args, fmt);`
`457`	`458`	`sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,`
`458`	`459`	`suffix, fmt, args);`
`459`	`460`	`va_end(args);`
	`461`	`+#endif`
`460`	`462`	`_exit(1);`
`461`	`463`	`}`
`462`	`464`