diff options
author | Nalin Dahyabhai <nalin@fedoraproject.org> | 2009-04-07 18:15:43 +0000 |
---|---|---|
committer | Nalin Dahyabhai <nalin@fedoraproject.org> | 2009-04-07 18:15:43 +0000 |
commit | bc37108874fd61e1abf35d018264267bc233390b (patch) | |
tree | 335039b3b2941fbc7c251af489d5a4a6a5288230 | |
parent | ff6e692aa0aff2034f4a956703a3112bd2047410 (diff) | |
download | krb5-bc37108874fd61e1abf35d018264267bc233390b.tar.gz krb5-bc37108874fd61e1abf35d018264267bc233390b.tar.xz krb5-bc37108874fd61e1abf35d018264267bc233390b.zip |
- add patch to fix length validation bug in libkrb5 (CVE-2009-0847)
-rw-r--r-- | krb5-CVE-2009-0847.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/krb5-CVE-2009-0847.patch b/krb5-CVE-2009-0847.patch new file mode 100644 index 0000000..45b3041 --- /dev/null +++ b/krb5-CVE-2009-0847.patch @@ -0,0 +1,34 @@ +diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c +index 8baac24..587cccc 100644 +--- a/src/lib/krb5/asn.1/asn1buf.c ++++ b/src/lib/krb5/asn.1/asn1buf.c +@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code) + + asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef) + { ++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; + subbuf->base = subbuf->next = buf->next; + if (!indef) { ++ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; + subbuf->bound = subbuf->base + length - 1; +- if (subbuf->bound > buf->bound) +- return ASN1_OVERRUN; + } else /* constructed indefinite */ + subbuf->bound = buf->bound; + return 0; +@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len, + { + int i; + ++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; + if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; + if (len == 0) { + *s = 0; +@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len, + { + int i; + ++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; + if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; + if (len == 0) { + *s = 0; |