diff options
| author | Marius Bakke <mbakke@fastmail.com> | 2020-04-08 13:00:50 +0200 |
|---|---|---|
| committer | Marius Bakke <mbakke@fastmail.com> | 2020-04-08 13:00:50 +0200 |
| commit | 27783023993f9272ce422868d14529159c4a5218 (patch) | |
| tree | 9013b08aa39e497b1fd8e01a05254278d83f0ff7 /gnu/packages/patches/pam-krb5-CVE-2020-10595.patch | |
| parent | be1e842ad78ac6c52fc7790f4a3ffd716673c111 (diff) | |
| parent | ba6f2bda18ed19fa486a9c3e2c3baea6c66c6867 (diff) | |
Merge branch 'master' into core-updates
Conflicts:
etc/news.scm
gnu/local.mk
gnu/packages/check.scm
gnu/packages/cross-base.scm
gnu/packages/gimp.scm
gnu/packages/java.scm
gnu/packages/mail.scm
gnu/packages/sdl.scm
gnu/packages/texinfo.scm
gnu/packages/tls.scm
gnu/packages/version-control.scm
Diffstat (limited to 'gnu/packages/patches/pam-krb5-CVE-2020-10595.patch')
| -rw-r--r-- | gnu/packages/patches/pam-krb5-CVE-2020-10595.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch new file mode 100644 index 00000000000..4ca061230fa --- /dev/null +++ b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch @@ -0,0 +1,42 @@ +Fix CVE-2020-10595: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595 + +Patch copied from upstream advisory: + +https://seclists.org/oss-sec/2020/q1/128 + +diff --git a/prompting.c b/prompting.c +index e985d95..d81054f 100644 +--- a/prompting.c ++++ b/prompting.c +@@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void *data, const char *name, + /* + * Reuse pam_prompts as a starting index and copy the data into the reply + * area of the krb5_prompt structs. + */ + pam_prompts = 0; + if (name != NULL && !args->silent) + pam_prompts++; + if (banner != NULL && !args->silent) + pam_prompts++; + for (i = 0; i < num_prompts; i++, pam_prompts++) { +- size_t len; ++ size_t len, allowed; + + if (resp[pam_prompts].resp == NULL) + goto cleanup; + len = strlen(resp[pam_prompts].resp); +- if (len > prompts[i].reply->length) ++ allowed = prompts[i].reply->length; ++ if (allowed == 0 || len > allowed - 1) + goto cleanup; + + /* + * The trailing nul is not included in length, but other applications + * expect it to be there. Therefore, we copy one more byte than the + * actual length of the password, but set length to just the length of + * the password. + */ + memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1); + prompts[i].reply->length = (unsigned int) len; |