CVE-2015-8325

Published: 30 April 2016

The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.

Priority

Low

CVSS 3 base score: 7.8

Status

Package Release Status
openssh
Launchpad, Ubuntu, Debian
Upstream
Released (1:7.2p2-3)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(1:7.2p2-3)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1:6.6p1-2ubuntu2.7)
Ubuntu 12.04 ESM (Precise Pangolin)
Released (1:5.9p1-5ubuntu1.9)
Patches:
Upstream: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755

Notes

AuthorNote
tyhicks Ubuntu is not affected in the default configuration since UseLogin is disabled in sshd_config

References