revision 1.124
date: 2008/07/09 10:54:05;  author: djm;  state: Exp;  lines: +1 -1
 - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM
   account check failure path. The vulnerable format buffer is supplied
   from PAM and should not contain attacker-supplied data.

Index: openssh-4.7p1/auth1.c
===================================================================
--- openssh-4.7p1.orig/auth1.c
+++ openssh-4.7p1/auth1.c
@@ -351,7 +351,7 @@ do_authloop(Authctxt *authctxt)
 					msg[len] = '\0';
 			else
 				msg = "Access denied.";
-			packet_disconnect(msg);
+			packet_disconnect("%s", msg);
 		}
 #endif