From d63dc67db737c756711606976cfb8929f7b6acdd Mon Sep 17 00:00:00 2001
From: Tomáš Mráz <tmraz@fedoraproject.org>
Date: Nov 28 2006 21:14:50 +0000
Subject: - improved pam_session patch so it doesn't regress, the patch is necessary

    for the pam_session_close to be called correctly as uid 0

---

diff --git a/openssh-4.3p2-pam-session.patch b/openssh-4.3p2-pam-session.patch
new file mode 100644
index 0000000..2772c81
--- /dev/null
+++ b/openssh-4.3p2-pam-session.patch
@@ -0,0 +1,129 @@
+--- openssh-4.3p2/auth-pam.c.pam-session	2006-11-27 17:39:08.000000000 +0100
++++ openssh-4.3p2/auth-pam.c	2006-11-27 19:31:41.000000000 +0100
+@@ -563,15 +563,17 @@
+ void
+ sshpam_cleanup(void)
+ {
+-	debug("PAM: cleanup");
+-	if (sshpam_handle == NULL)
++	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
+ 		return;
++	debug("PAM: cleanup");
+ 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
+ 	if (sshpam_cred_established) {
++		debug("PAM: deleting credentials");
+ 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+ 		sshpam_cred_established = 0;
+ 	}
+ 	if (sshpam_session_open) {
++		debug("PAM: closing session");
+ 		pam_close_session(sshpam_handle, PAM_SILENT);
+ 		sshpam_session_open = 0;
+ 	}
+--- openssh-4.3p2/sshd.c.pam-session	2006-11-27 17:29:44.000000000 +0100
++++ openssh-4.3p2/sshd.c	2006-11-28 21:21:52.000000000 +0100
+@@ -1745,7 +1745,21 @@
+ 	audit_event(SSH_AUTH_SUCCESS);
+ #endif
+ 
+-	/*
++#ifdef GSSAPI
++	if (options.gss_authentication) {
++		temporarily_use_uid(authctxt->pw);
++		ssh_gssapi_storecreds();
++		restore_uid();
++	}
++#endif
++#ifdef USE_PAM
++	if (options.use_pam) {
++		do_pam_setcred(1);
++		do_pam_session();
++	}
++#endif
++
++ 	/*
+ 	 * In privilege separation, we fork another child and prepare
+ 	 * file descriptor passing.
+ 	 */
+--- openssh-4.3p2/monitor.c.pam-session	2006-11-27 17:29:44.000000000 +0100
++++ openssh-4.3p2/monitor.c	2006-11-28 14:01:23.000000000 +0100
+@@ -1539,6 +1539,11 @@
+ 	/* The child is terminating */
+ 	session_destroy_all(&mm_session_close);
+ 
++#ifdef USE_PAM
++	if (options.use_pam)
++		sshpam_cleanup();
++#endif
++
+ 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
+ 		if (errno != EINTR)
+ 			exit(1);
+--- openssh-4.3p2/session.c.pam-session	2006-11-27 17:29:43.000000000 +0100
++++ openssh-4.3p2/session.c	2006-11-28 21:17:56.000000000 +0100
+@@ -395,11 +395,6 @@
+ 
+ 	session_proctitle(s);
+ 
+-#if defined(USE_PAM)
+-	if (options.use_pam && !use_privsep)
+-		do_pam_setcred(1);
+-#endif /* USE_PAM */
+-
+ 	/* Fork the child. */
+ 	if ((pid = fork()) == 0) {
+ 		is_child = 1;
+@@ -530,14 +525,6 @@
+ 	ptyfd = s->ptyfd;
+ 	ttyfd = s->ttyfd;
+ 
+-#if defined(USE_PAM)
+-	if (options.use_pam) {
+-		do_pam_set_tty(s->tty);
+-		if (!use_privsep)
+-			do_pam_setcred(1);
+-	}
+-#endif
+-
+ 	/* Fork the child. */
+ 	if ((pid = fork()) == 0) {
+ 		is_child = 1;
+@@ -1266,16 +1253,8 @@
+ # ifdef __bsdi__
+ 		setpgid(0, 0);
+ # endif
+-#ifdef GSSAPI
+-		if (options.gss_authentication) {
+-			temporarily_use_uid(pw);
+-			ssh_gssapi_storecreds();
+-			restore_uid();
+-		}
+-#endif
+ # ifdef USE_PAM
+ 		if (options.use_pam) {
+-			do_pam_session();
+ 			do_pam_setcred(0);
+ 		}
+ # endif /* USE_PAM */
+@@ -1303,13 +1282,6 @@
+ 			exit(1);
+ 		}
+ 		endgrent();
+-#ifdef GSSAPI
+-		if (options.gss_authentication) {
+-			temporarily_use_uid(pw);
+-			ssh_gssapi_storecreds();
+-			restore_uid();
+-		}
+-#endif
+ # ifdef USE_PAM
+ 		/*
+ 		 * PAM credentials may take the form of supplementary groups.
+@@ -1317,7 +1289,6 @@
+ 		 * Reestablish them here.
+ 		 */
+ 		if (options.use_pam) {
+-			do_pam_session();
+ 			do_pam_setcred(0);
+ 		}
+ # endif /* USE_PAM */
diff --git a/openssh.spec b/openssh.spec
index 64f41d9..deae1a5 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -61,7 +61,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.3p2
-Release: 12%{?dist}%{?rescue_rel}
+Release: 13%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@@ -97,6 +97,7 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch
 Patch45: openssh-4.3p2-cve-2006-4924.patch
 Patch46: openssh-3.9p1-cve-2006-5051.patch
 Patch47: openssh-4.3p2-cve-2006-5794.patch
+Patch48: openssh-4.3p2-pam-session.patch
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@@ -231,6 +232,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch45 -p1 -b .deattack-dos
 %patch46 -p1 -b .sig-no-cleanup
 %patch47 -p1 -b .verify
+%patch48 -p1 -b .pam-sesssion
 
 autoreconf
 
@@ -475,6 +477,10 @@ fi
 %endif
 
 %changelog
+* Tue Nov 28 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-13
+- improved pam_session patch so it doesn't regress, the patch is necessary
+  for the pam_session_close to be called correctly as uid 0
+
 * Fri Nov 10 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-12
 - CVE-2006-5794 - properly detect failed key verify in monitor (#214641)