~ubuntu-branches/ubuntu/dapper/krb5/dapper-security

Viewing changes to debian/patches/cve-2007-3999

Committer: Bazaar Package Importer
Author(s): Kees Cook
Date: 2007-09-06 15:17:40 UTC
Revision ID: james.westby@ubuntu.com-20070906151740-8qxh6qanh6ye7wk5

Tags: 1.4.3-5ubuntu0.6

* SECURITY UPDATE: 32 byte stack overflow in rpcsec_gss.
* src/lib/rpc/svc_auth_gss.c: new upstream changes, patched inline.
* References
MIT-SA-2007-06
CVE-2007-4743

files modified:
debian/changelog

debian/patches/cve-2007-3999

src/lib/rpc/svc_auth_gss.c

Show diffs side-by-side

added added

removed removed

debian/patches/cve-2007-3999

=== src/lib/rpc/svc_auth_gss.c

=== svc_auth_gss.c

==================================================================

--- src/lib/rpc/svc_auth_gss.c (revision 2870)

+++ src/lib/rpc/svc_auth_gss.c (local)

@@ -365,7 +365,7 @@

oa = &msg->rm_call.cb_cred;

--- svc_auth_gss.c (/remote/krb5/branches/etch/krb5/src/lib/rpc) (revision 2875)

+++ svc_auth_gss.c (/k5-etch/krb5/src/lib/rpc) (local)

@@ -355,6 +355,14 @@

memset(rpchdr, 0, sizeof(rpchdr));

/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */

+ oa = &msg->rm_call.cb_cred;

+ if (oa->oa_length > MAX_AUTH_BYTES)

+ return (FALSE);

+ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +

+ RNDUP(oa->oa_length)))

+ return (FALSE);

buf = (int32_t *)(void *)rpchdr;

IXDR_PUT_LONG(buf, msg->rm_xid);

IXDR_PUT_ENUM(buf, msg->rm_direction);

@@ -362,7 +370,6 @@

IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);

IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);

IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);

- oa = &msg->rm_call.cb_cred;

IXDR_PUT_ENUM(buf, oa->oa_flavor);

IXDR_PUT_LONG(buf, oa->oa_length);

- if (oa->oa_length) {

+ if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) {

memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);

buf += RNDUP(oa->oa_length) / sizeof(int32_t);

}

if (oa->oa_length) {

Older »