1 files changed, 35 insertions, 0 deletions

diff --git a/debian/patches/CVE-2021-41617-1.patch b/debian/patches/CVE-2021-41617-1.patch
new file mode 100644
index 0000000..7d89b7e
--- /dev/null
+++ b/debian/patches/CVE-2021-41617-1.patch
@@ -0,0 +1,35 @@
+From ad2748dee50e4c0040f6efda5eff4a34e4eb5b85 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 26 Sep 2021 14:01:03 +0000
+Subject: upstream: need initgroups() before setresgid(); reported by anton@,
+
+ok deraadt@
+
+OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+
+Bug-Debian: https://bugs.debian.org/995130
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=f3cbe43e28fe71427d41cfe3a17125b972710455
+Last-Update: 2023-12-19
+
+Patch-Name: CVE-2021-41617-1.patch
+---
+ auth.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/auth.c b/auth.c
+index 4152d9c44..32870851b 100644
+--- a/auth.c
++++ b/auth.c
+@@ -853,6 +853,12 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
+ 		}
+ 		closefrom(STDERR_FILENO + 1);
+ 
++		if (geteuid() == 0 &&
++		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
++			error("%s: initgroups(%s, %u): %s", tag,
++			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++			_exit(1);
++		}
+ 		/* Don't use permanently_set_uid() here to avoid fatal() */
+ 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,