authorNalin Dahyabhai <nalin@fedoraproject.org>2009-04-07 18:15:43 +0000
committerNalin Dahyabhai <nalin@fedoraproject.org>2009-04-07 18:15:43 +0000
commitbc37108874fd61e1abf35d018264267bc233390b (patch)
tree335039b3b2941fbc7c251af489d5a4a6a5288230
parentff6e692aa0aff2034f4a956703a3112bd2047410 (diff)
- add patch to fix length validation bug in libkrb5 (CVE-2009-0847)
-rw-r--r--krb5-CVE-2009-0847.patch34
1 files changed, 34 insertions, 0 deletions
diff --git a/krb5-CVE-2009-0847.patch b/krb5-CVE-2009-0847.patch
new file mode 100644
index 0000000..45b3041
--- /dev/null
+++ b/krb5-CVE-2009-0847.patch
@@ -0,0 +1,34 @@
+diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
+index 8baac24..587cccc 100644
+--- a/src/lib/krb5/asn.1/asn1buf.c
++++ b/src/lib/krb5/asn.1/asn1buf.c
+@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code)
+
+ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
+ {
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ subbuf->base = subbuf->next = buf->next;
+ if (!indef) {
++ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
+ subbuf->bound = subbuf->base + length - 1;
+- if (subbuf->bound > buf->bound)
+- return ASN1_OVERRUN;
+ } else /* constructed indefinite */
+ subbuf->bound = buf->bound;
+ return 0;
+@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len,
+ {
+ int i;
+
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len == 0) {
+ *s = 0;
+@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len,
+ {
+ int i;
+
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len == 0) {
+ *s = 0;
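Review bot: In the embedded asn1buf_imbed hunk, `subbuf->base = subbuf->next = buf->next;` still runs before the new length check, so when the `!indef` branch returns ASN1_OVERRUN the caller's subbuf has base and next updated while bound keeps whatever value it had before. Running both checks before touching subbuf would leave it unmodified on failure, e.g. placing `if (!indef && length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;` directly after the first guard. The `(size_t)` cast appears only in asn1buf_imbed; the unchanged comparisons in asn1buf_remove_octetstring and asn1buf_remove_charstring depend on the added `buf->next > buf->bound + 1` guard to keep the pointer difference non-negative, which deserves a comment such as `/* guard above keeps bound + 1 - next >= 0, so the compare against len cannot wrap */`. The bodies of both remove functions continue outside the embedded hunks. The diffstat shows only the patch file being added, so the spec file presumably still needs a matching Patch entry before the fix is applied at build time.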