Resolves: #891566 - do not delegate GSSAPI credentials (CVE-2012-4545)

2012-10-29 16:34:48 +01:00 · 2012-10-29 16:34:48 +01:00 · 9a8b4ef04f
commit 9a8b4ef04f
parent c4139c8a2d
2 changed files with 90 additions and 1 deletions
--- a/elinks-CVE-2012-4545.patch
+++ b/elinks-CVE-2012-4545.patch
@ -0,0 +1,82 @@
+From ab8adc351765d28754ba2b8361e7cd9041ecabda Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 9 Oct 2012 13:01:56 +0200
+Subject: [PATCH 1/2] http_negotiate: do not delegate GSSAPI credentials
+
+CVE-2012-4545.  Reported by Marko Myllynen.
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/protocol/http/http_negotiate.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c
+index 470b071..271b443 100644
+--- a/src/protocol/http/http_negotiate.c
+++ b/src/protocol/http/http_negotiate.c
+@@ -188,7 +188,7 @@ http_negotiate_create_context(struct negotiate *neg)
+ 					    &neg->context,
+ 					    neg->server_name,
+ 					    GSS_C_NO_OID,
+-					    GSS_C_DELEG_FLAG,
+					    0,
+ 					    0,
+ 					    GSS_C_NO_CHANNEL_BINDINGS,
+ 					    &neg->input_token,
+-- 
+1.7.1
+
+
+From a3477c8f3a4793202cfe1b2a8722b31ad48f15d8 Mon Sep 17 00:00:00 2001
+From: Kalle Olavi Niemitalo <kon@iki.fi>
+Date: Fri, 26 Oct 2012 15:20:32 +0300
+Subject: [PATCH 2/2] http_negotiate: Fix int* vs. size_t* type mismatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+http_negotiate_parse_data passed &token->length as the int *outlen
+parameter of base64_decode_bin, which stores an int at that location.
+However, gss_buffer_desc::length is size_t in all implementations that
+I checked: MIT Kerberos Version 5 Release 1.10, libgssglue 0.4, and
+GNU GSS 1.0.2.  This mismatch could cause the build to fail:
+
+.../src/protocol/http/http_negotiate.c: In function ‘http_negotiate_parse_data’:
+.../src/protocol/http/http_negotiate.c:173:2: error: passing argument 3 of ‘base64_decode_bin’ from incompatible pointer type [-Werror]
+In file included from .../src/protocol/http/http_negotiate.c:30:0:
+.../src/util/base64.h:8:16: note: expected ‘int *’ but argument is of type ‘size_t *’
+
+On 64-bit big-endian hosts, it might also cause the GSSAPI
+implementation to read too much data from memory and disclose it to
+some network server, or crash ELinks.
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/protocol/http/http_negotiate.c |    4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c
+index 271b443..aa0f755 100644
+--- a/src/protocol/http/http_negotiate.c
+++ b/src/protocol/http/http_negotiate.c
+@@ -142,6 +142,7 @@ http_negotiate_parse_data(unsigned char *data, int type,
+ {
+ 	int len = 0;
+ 	unsigned char *end;
+	int bytelen = 0;
+ 
+ 	if (data == NULL || *data == '\0')
+ 		return 0;
+@@ -170,7 +171,8 @@ http_negotiate_parse_data(unsigned char *data, int type,
+ 	if (!len)
+ 		return 0;
+ 
+-	token->value = (void *) base64_decode_bin(data, len, &token->length);
+	token->value = (void *) base64_decode_bin(data, len, &bytelen);
+	token->length = bytelen; /* convert int to size_t */
+ 
+ 	if (!token->value)
+ 		return -1;
+-- 
+1.7.1
+
--- a/elinks.spec
+++ b/elinks.spec
@ -1,7 +1,7 @@
 Name:      elinks
 Summary:   A text-mode Web browser
 Version:   0.12
-Release:   0.31.pre5%{?dist}
+Release:   0.32.pre5%{?dist}
 License:   GPLv2
 URL:       http://elinks.or.cz
 Group:     Applications/Internet
@ -40,6 +40,7 @@ Patch9: elinks-nss.patch
 Patch10: elinks-nss-inc.patch
 Patch11: elinks-0.12pre5-js185.patch
 Patch12: elinks-0.12pre5-ddg-search.patch
+Patch13: elinks-CVE-2012-4545.patch

 %description
 Elinks is a text-based Web browser. Elinks does not display any images,
@ -86,6 +87,9 @@ quickly and swiftly displays Web pages.
 # add default "ddg" dumb/smart rewrite prefixes for DuckDuckGo (#856348)
 %patch12 -p1

+# CVE-2012-4545
+%patch13 -p1
+
 # remove bogus serial numbers
 sed -i 's/^# *serial [AM0-9]*$//' acinclude.m4 config/m4/*.m4

@ -153,6 +157,9 @@ exit 0
 %{_mandir}/man5/*

 %changelog
+* Fri Jan 04 2013 Kamil Dudka <kdudka@redhat.com> - 0.12-0.32.pre5
+- do not delegate GSSAPI credentials (CVE-2012-4545)
+
 * Mon Oct 08 2012 Kamil Dudka <kdudka@redhat.com> - 0.12-0.31.pre5
 - add default "ddg" dumb/smart rewrite prefixes for DuckDuckGo (#856348)