authorNalin Dahyabhai <nalin@fedoraproject.org>2005-03-28 18:25:19 +0000
committerNalin Dahyabhai <nalin@fedoraproject.org>2005-03-28 18:25:19 +0000
commit9142032a6f818cfe3e6b4286256e191bcf69363f (patch)
tree4291882d3e502da5f0f7c4467968bb5fffa46048
parentfe186e59d96d8005c4d3e23d5924881a6fe47426 (diff)
- add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469)
- add draft fix from Tom Yu for env_opt_add() buffer overflow (CAN-2005-0468)
will need to re-roll if the draft fix isn't the same as the final one *
-rw-r--r--krb5-MITKRB5SA-2005-001.patch95
-rw-r--r--krb5.spec15
2 files changed, 107 insertions, 3 deletions
diff --git a/krb5-MITKRB5SA-2005-001.patch b/krb5-MITKRB5SA-2005-001.patch
new file mode 100644
index 0000000..cc40c4c
--- /dev/null
+++ b/krb5-MITKRB5SA-2005-001.patch
@@ -0,0 +1,95 @@
+Index: telnet.c
+===================================================================
+RCS file: /cvs/krbdev/krb5/src/appl/telnet/telnet/telnet.c,v
+retrieving revision 5.18
+diff -c -r5.18 telnet.c
+*** telnet.c 15 Nov 2002 20:21:35 -0000 5.18
+- --- telnet.c 15 Mar 2005 18:59:32 -0000
+***************
+*** 1475,1480 ****
+- --- 1475,1482 ----
+ unsigned char flags;
+ cc_t value;
+ {
++ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
++ return;
+ if ((*slc_replyp++ = func) == IAC)
+ *slc_replyp++ = IAC;
+ if ((*slc_replyp++ = flags) == IAC)
+***************
+*** 1488,1498 ****
+ {
+ register int len;
+
+- - *slc_replyp++ = IAC;
+- - *slc_replyp++ = SE;
+ len = slc_replyp - slc_reply;
+! if (len <= 6)
+ return;
+ if (NETROOM() > len) {
+ ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+ printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+- --- 1490,1501 ----
+ {
+ register int len;
+
+ len = slc_replyp - slc_reply;
+! if (len <= 4 || (len + 2 > sizeof(slc_reply)))
+ return;
++ *slc_replyp++ = IAC;
++ *slc_replyp++ = SE;
++ len += 2;
+ if (NETROOM() > len) {
+ ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+ printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+***************
+*** 1645,1650 ****
+- --- 1648,1654 ----
+ register unsigned char *ep;
+ {
+ register unsigned char *vp, c;
++ unsigned int len, olen, elen;
+
+ if (opt_reply == NULL) /*XXX*/
+ return; /*XXX*/
+***************
+*** 1662,1680 ****
+ return;
+ }
+ vp = env_getvalue(ep);
+! if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+! strlen((char *)ep) + 6 > opt_replyend)
+ {
+! register unsigned int len;
+! opt_replyend += OPT_REPLY_SIZE;
+! len = opt_replyend - opt_reply;
+ opt_reply = (unsigned char *)realloc(opt_reply, len);
+ if (opt_reply == NULL) {
+ /*@*/ printf("env_opt_add: realloc() failed!!!\n");
+ opt_reply = opt_replyp = opt_replyend = NULL;
+ return;
+ }
+! opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+ opt_replyend = opt_reply + len;
+ }
+ if (opt_welldefined((char *) ep))
+- --- 1666,1684 ----
+ return;
+ }
+ vp = env_getvalue(ep);
+! elen = 2 * (vp ? strlen((char *)vp) : 0) +
+! 2 * strlen((char *)ep) + 6;
+! if ((opt_replyend - opt_replyp) < elen)
+ {
+! len = opt_replyend - opt_reply + elen;
+! olen = opt_replyp - opt_reply;
+ opt_reply = (unsigned char *)realloc(opt_reply, len);
+ if (opt_reply == NULL) {
+ /*@*/ printf("env_opt_add: realloc() failed!!!\n");
+ opt_reply = opt_replyp = opt_replyend = NULL;
+ return;
+ }
+! opt_replyp = opt_reply + olen;
+ opt_replyend = opt_reply + len;
+ }
+ if (opt_welldefined((char *) ep))
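Review bot: The patch file as committed still carries PGP dash-escaping from the clearsigned advisory text: `- --- telnet.c 15 Mar 2005 18:59:32 -0000`, the three `- --- N,M ----` new-range lines, and the two removed lines `- - *slc_replyp++ = IAC;` / `- - *slc_replyp++ = SE;`. A context diff expects `--- N,M ----` and `- <text>`, so unless the patch tool un-escapes these, `%patch33 -p0` would either reject those hunks or look for `- *slc_replyp++ = IAC;` in the source and fail to match; dropping the leading `- ` from each of those lines before committing, then confirming in a build that all four hunks apply without fuzz, would be safer. A short header above `Index: telnet.c` would also help the re-roll the commit message anticipates, e.g. `Draft fix from Tom Yu (MITKRB5SA-2005-001) for the slc_add_reply() and env_opt_add() buffer overflows, CAN-2005-0469 / CAN-2005-0468; replace with the final advisory patch when published.` The fix logic itself reads consistently: slc_add_reply reserves the six bytes a fully IAC-escaped entry can occupy, slc_end_reply checks for room before appending IAC SE, and env_opt_add sizes `elen` for worst-case doubling of every byte. One pre-existing pattern the draft keeps is `opt_reply = (unsigned char *)realloc(opt_reply, len);`, which loses the old buffer on failure; since the failure path already gives up on the reply, a `tmp = realloc(...)` with `free(opt_reply)` on NULL would avoid the leak.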
diff --git a/krb5.spec b/krb5.spec
index 7b01ddb..198dded 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -7,7 +7,7 @@
Summary: The Kerberos network authentication system.
Name: krb5
Version: 1.4
-Release: 2
+Release: 3
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -59,8 +59,8 @@ Patch27: krb5-1.3.3-rcp-sendlarge.patch
Patch28: krb5-1.3.5-gethostbyname_r.patch
Patch29: krb5-1.3.5-kprop-mktemp.patch
Patch30: krb5-1.3.4-send-pr-tempfile.patch
-Patch31: krb5-1.3.5-krsh-deadlock.patch
Patch32: krb5-1.4-ncurses.patch
+Patch33: krb5-MITKRB5SA-2005-001.patch
License: MIT, freely distributable.
URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries
@@ -126,6 +126,13 @@ workstation.
%changelog
# - XXX krb5_init_ets is gone now, what to do?
+* Wed Mar 23 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4-3
+- drop krshd patch for now
+
+* Thu Mar 17 2005 Nalin Dahyabhai <nalin@redhat.com>
+- add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469)
+- add draft fix from Tom Yu for env_opt_add() buffer overflow (CAN-2005-0468)
+
* Wed Mar 16 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4-2
- don't include <term.h> into the telnet client when we're not using curses
@@ -807,8 +814,10 @@ workstation.
%patch28 -p1 -b .gethostbyname_r
%patch29 -p1 -b .kprop-mktemp
%patch30 -p1 -b .send-pr-tempfile
-%patch31 -p1 -b .krsh-deadlock
%patch32 -p1 -b .ncurses
+pushd src/appl/telnet/telnet
+%patch33 -p0 -b .MITKRB5SA-2005-001
+popd
cp src/krb524/README README.krb524
find . -type f -name "*.info-dir" -exec rm -fv "{}" ";"
gzip doc/*.ps
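Review bot: The changelog entry `* Thu Mar 17 2005 Nalin Dahyabhai <nalin@redhat.com>` carries no version-release, while the entry above it is tagged `1.4-3`; both describe the same 1.4-3 build, so merging them under the one `1.4-3` header (or tagging the second entry) keeps the changelog consistent with the rest of the file. `- drop krshd patch for now` names neither the patch nor the reason, which a later maintainer needs in order to decide whether it can return; `- drop krb5-1.3.5-krsh-deadlock.patch (Patch31) for now` plus the reason would do. The `pushd src/appl/telnet/telnet` / `%patch33 -p0` / `popd` sequence is consistent with the bare `Index: telnet.c` path inside the patch, so no change is needed there beyond verifying the patch applies cleanly.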