guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

branch master updated: gnu: pam-krb5: Fix CVE-2020-10595.


From: guix-commits
Subject: branch master updated: gnu: pam-krb5: Fix CVE-2020-10595.
Date: Tue, 31 Mar 2020 13:33:29 -0400

This is an automated email from the git hooks/post-receive script.

lfam pushed a commit to branch master
in repository guix.

The following commit(s) were added to refs/heads/master by this push:
     new 653a51c  gnu: pam-krb5: Fix CVE-2020-10595.
653a51c is described below

commit 653a51cb2862f57c20ebaa9dc1b62616742b55b3
Author: Leo Famulari <address@hidden>
AuthorDate: Tue Mar 31 13:23:12 2020 -0400

    gnu: pam-krb5: Fix CVE-2020-10595.
    
    * gnu/packages/patches/pam-krb5-CVE-2020-10595.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/admin.scm (pam-krb5)[source]: Use it.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/admin.scm                             |  1 +
 gnu/packages/patches/pam-krb5-CVE-2020-10595.patch | 42 ++++++++++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/gnu/local.mk b/gnu/local.mk
index eec65c6..19ab32c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1269,6 +1269,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/p7zip-CVE-2016-9296.patch               \
   %D%/packages/patches/p7zip-CVE-2017-17969.patch              \
   %D%/packages/patches/p7zip-remove-unused-code.patch          \
+  %D%/packages/patches/pam-krb5-CVE-2020-10595.patch           \
   %D%/packages/patches/pam-mount-luks2-support.patch           \
   %D%/packages/patches/sdl-pango-api_additions.patch           \
   %D%/packages/patches/sdl-pango-blit_overflow.patch           \
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 98cb2f9..e7f63eb 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -2626,6 +2626,7 @@ shortcut syntax and completion options.")
               (uri (string-append
                     "https://archives.eyrie.org/software/kerberos/";
                     "pam-krb5-" version ".tar.xz"))
+              (patches (search-patches "pam-krb5-CVE-2020-10595.patch"))
               (sha256
                (base32
                 "1qjp8i1s9bz7g6kiqrkzzkxn5pfspa4sy53b6z40fqmdf9przdfb"))))
diff --git a/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch 
b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch
new file mode 100644
index 0000000..4ca0612
--- /dev/null
+++ b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch
@@ -0,0 +1,42 @@
+Fix CVE-2020-10595:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595
+
+Patch copied from upstream advisory:
+
+https://seclists.org/oss-sec/2020/q1/128
+
+diff --git a/prompting.c b/prompting.c
+index e985d95..d81054f 100644
+--- a/prompting.c
++++ b/prompting.c
+@@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void 
*data, const char *name,
+     /*
+      * Reuse pam_prompts as a starting index and copy the data into the reply
+      * area of the krb5_prompt structs.
+      */
+     pam_prompts = 0;
+     if (name != NULL && !args->silent)
+         pam_prompts++;
+     if (banner != NULL && !args->silent)
+         pam_prompts++;
+     for (i = 0; i < num_prompts; i++, pam_prompts++) {
+-        size_t len;
++        size_t len, allowed;
+
+         if (resp[pam_prompts].resp == NULL)
+             goto cleanup;
+         len = strlen(resp[pam_prompts].resp);
+-        if (len > prompts[i].reply->length)
++        allowed = prompts[i].reply->length;
++        if (allowed == 0 || len > allowed - 1)
+             goto cleanup;
+
+         /*
+          * The trailing nul is not included in length, but other applications
+          * expect it to be there.  Therefore, we copy one more byte than the
+          * actual length of the password, but set length to just the length of
+          * the password.
+          */
+         memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1);
+         prompts[i].reply->length = (unsigned int) len;



reply via email to

[Prev in Thread] Current Thread [Next in Thread]