46 lines
1.7 KiB
Diff
46 lines
1.7 KiB
Diff
From b04cb88462863d762093760ffcfe1946200e30f5 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
|
Date: Thu, 7 Jan 2021 10:44:46 +0100
|
|
Subject: [PATCH] Fix off-by-one bug in ISC SPNEGO implementation
|
|
|
|
The ISC SPNEGO implementation is based on mod_auth_kerb code. When
|
|
CVE-2006-5989 was disclosed, the relevant fix was not applied to the
|
|
BIND 9 codebase, making the latter vulnerable to the aforementioned flaw
|
|
when "tkey-gssapi-keytab" or "tkey-gssapi-credential" is set in
|
|
named.conf.
|
|
|
|
The original description of CVE-2006-5989 was:
|
|
|
|
Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0
|
|
allows remote attackers to cause a denial of service (crash) via a
|
|
crafted Kerberos message that triggers a heap-based buffer overflow
|
|
in the component array.
|
|
|
|
Later research revealed that this flaw also theoretically enables remote
|
|
code execution, though achieving the latter in real-world conditions is
|
|
currently deemed very difficult.
|
|
|
|
This vulnerability was responsibly reported as ZDI-CAN-12302 ("ISC BIND
|
|
TKEY Query Heap-based Buffer Overflow Remote Code Execution
|
|
Vulnerability") by Trend Micro Zero Day Initiative.
|
|
---
|
|
lib/dns/spnego.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
|
|
index e61d1c600f..753dc8049f 100644
|
|
--- a/lib/dns/spnego.c
|
|
+++ b/lib/dns/spnego.c
|
|
@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
|
|
return (ASN1_OVERRUN);
|
|
}
|
|
|
|
- data->components = malloc(len * sizeof(*data->components));
|
|
+ data->components = malloc((len + 1) * sizeof(*data->components));
|
|
if (data->components == NULL) {
|
|
return (ENOMEM);
|
|
}
|
|
--
|
|
2.26.2
|
|
|