Fix buffer overflow in kadmind4 (remote user can gain root access to
KDC host). Obtained from: Tom Yu <tlyu@mit.edu> on kerberos-announce mailing list, MIT krb5 Security Advisory 2002-002
parent
c70dadd8bf
commit
cf7aca2a64
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=68693
@ -7,6 +7,7 @@
|
||||
|
||||
PORTNAME= krb5
|
||||
PORTVERSION= 1.2.6
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= security
|
||||
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == "NO"
|
||||
MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/
|
||||
|
@ -0,0 +1,26 @@
|
||||
--- kadmin/v4server/kadm_ser_wrap.c.orig Tue May 23 14:44:50 2000
|
||||
+++ kadmin/v4server/kadm_ser_wrap.c Wed Oct 23 15:15:24 2002
|
||||
@@ -170,14 +170,21 @@
|
||||
u_char *retdat, *tmpdat;
|
||||
int retval, retlen;
|
||||
|
||||
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
|
||||
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
|
||||
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
|
||||
errpkt(dat, dat_len, KADM_BAD_VER);
|
||||
return KADM_BAD_VER;
|
||||
}
|
||||
in_len = KADM_VERSIZE;
|
||||
/* get the length */
|
||||
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
|
||||
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
|
||||
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
|
||||
+ || (*dat_len - r_len - KADM_VERSIZE -
|
||||
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
|
||||
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
|
||||
return KADM_LENGTH_ERROR;
|
||||
+ }
|
||||
+
|
||||
in_len += retc;
|
||||
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
|
||||
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
|
@ -7,6 +7,7 @@
|
||||
|
||||
PORTNAME= krb5
|
||||
PORTVERSION= 1.2.6
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= security
|
||||
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == "NO"
|
||||
MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/
|
||||
|
@ -0,0 +1,26 @@
|
||||
--- kadmin/v4server/kadm_ser_wrap.c.orig Tue May 23 14:44:50 2000
|
||||
+++ kadmin/v4server/kadm_ser_wrap.c Wed Oct 23 15:15:24 2002
|
||||
@@ -170,14 +170,21 @@
|
||||
u_char *retdat, *tmpdat;
|
||||
int retval, retlen;
|
||||
|
||||
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
|
||||
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
|
||||
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
|
||||
errpkt(dat, dat_len, KADM_BAD_VER);
|
||||
return KADM_BAD_VER;
|
||||
}
|
||||
in_len = KADM_VERSIZE;
|
||||
/* get the length */
|
||||
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
|
||||
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
|
||||
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
|
||||
+ || (*dat_len - r_len - KADM_VERSIZE -
|
||||
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
|
||||
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
|
||||
return KADM_LENGTH_ERROR;
|
||||
+ }
|
||||
+
|
||||
in_len += retc;
|
||||
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
|
||||
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
|
@ -7,6 +7,7 @@
|
||||
|
||||
PORTNAME= krb5
|
||||
PORTVERSION= 1.2.6
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= security
|
||||
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == "NO"
|
||||
MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/
|
||||
|
@ -0,0 +1,26 @@
|
||||
--- kadmin/v4server/kadm_ser_wrap.c.orig Tue May 23 14:44:50 2000
|
||||
+++ kadmin/v4server/kadm_ser_wrap.c Wed Oct 23 15:15:24 2002
|
||||
@@ -170,14 +170,21 @@
|
||||
u_char *retdat, *tmpdat;
|
||||
int retval, retlen;
|
||||
|
||||
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
|
||||
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
|
||||
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
|
||||
errpkt(dat, dat_len, KADM_BAD_VER);
|
||||
return KADM_BAD_VER;
|
||||
}
|
||||
in_len = KADM_VERSIZE;
|
||||
/* get the length */
|
||||
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
|
||||
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
|
||||
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
|
||||
+ || (*dat_len - r_len - KADM_VERSIZE -
|
||||
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
|
||||
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
|
||||
return KADM_LENGTH_ERROR;
|
||||
+ }
|
||||
+
|
||||
in_len += retc;
|
||||
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
|
||||
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
|
@ -7,6 +7,7 @@
|
||||
|
||||
PORTNAME= krb5
|
||||
PORTVERSION= 1.2.6
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= security
|
||||
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == "NO"
|
||||
MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/
|
||||
|
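--- a/security/krb5/files/patch-kadmin::v4server::kadm_ser_wrap.c
+++ b/security/krb5/files/patch-kadmin::v4server::kadm_ser_wrap.c
@@ -0,0 +1,26 @@
+--- kadmin/v4server/kadm_ser_wrap.c.orig Tue May 23 14:44:50 2000
++++ kadmin/v4server/kadm_ser_wrap.c Wed Oct 23 15:15:24 2002
+@@ -170,14 +170,21 @@
+u_char *retdat, *tmpdat;
+int retval, retlen;
+
+- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
++ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
++ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+errpkt(dat, dat_len, KADM_BAD_VER);
+return KADM_BAD_VER;
+}
+in_len = KADM_VERSIZE;
+/* get the length */
+- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
++ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
++ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
++ || (*dat_len - r_len - KADM_VERSIZE -
++ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
++ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
+return KADM_LENGTH_ERROR;
++ }
++
+in_len += retc;
+authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
+memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);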
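Review bot: The added length tests before the `memcpy` into `authent.dat` are only sound in the order written, and the patch carries no comment saying so: the `*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)` test keeps the later `*dat_len - KADM_VERSIZE - sizeof(krb5_ui_4)` from wrapping, and the `r_len >` test does the same for the expression compared with `sizeof(authent.dat)`. I would add above the second `if` a comment such as `/* order matters: each test keeps the next unsigned subtraction from wrapping */`, so a later edit does not reorder or drop one of them. The declarations of `dat_len` and `r_len` are outside the hunk; if `*dat_len` is a signed int, the comparisons presumably run in unsigned arithmetic because of `sizeof`, so it is worth confirming that a negative length cannot reach this code. The enclosing function starts and ends outside the hunk.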