From 9a8b4ef04f750dccbbdb4203e0fd8af2ed3d61c4 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Mon, 29 Oct 2012 16:34:48 +0100
Subject: [PATCH] Resolves: #891566 - do not delegate GSSAPI credentials (CVE-2012-4545)

---
 elinks-CVE-2012-4545.patch | 82 ++++++++++++++++++++++++++++++++++++++
 elinks.spec | 9 ++++-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 elinks-CVE-2012-4545.patch

diff --git a/elinks-CVE-2012-4545.patch b/elinks-CVE-2012-4545.patch
new file mode 100644
index 0000000..2c872d6
--- /dev/null
+++ b/elinks-CVE-2012-4545.patch
@@ -0,0 +1,82 @@ +From ab8adc351765d28754ba2b8361e7cd9041ecabda Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 9 Oct 2012 13:01:56 +0200 +Subject: [PATCH 1/2] http_negotiate: do not delegate GSSAPI credentials + +CVE-2012-4545. Reported by Marko Myllynen. + +Signed-off-by: Kamil Dudka +--- + src/protocol/http/http_negotiate.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c +index 470b071..271b443 100644 +--- a/src/protocol/http/http_negotiate.c ++++ b/src/protocol/http/http_negotiate.c +@@ -188,7 +188,7 @@ http_negotiate_create_context(struct negotiate *neg) + &neg->context, + neg->server_name, + GSS_C_NO_OID, +- GSS_C_DELEG_FLAG, ++ 0, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &neg->input_token, +-- +1.7.1 + + +From a3477c8f3a4793202cfe1b2a8722b31ad48f15d8 Mon Sep 17 00:00:00 2001 +From: Kalle Olavi Niemitalo +Date: Fri, 26 Oct 2012 15:20:32 +0300 +Subject: [PATCH 2/2] http_negotiate: Fix int* vs. size_t* type mismatch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +http_negotiate_parse_data passed &token->length as the int *outlen +parameter of base64_decode_bin, which stores an int at that location. +However, gss_buffer_desc::length is size_t in all implementations that +I checked: MIT Kerberos Version 5 Release 1.10, libgssglue 0.4, and +GNU GSS 1.0.2. 
This mismatch could cause the build to fail: + +.../src/protocol/http/http_negotiate.c: In function ‘http_negotiate_parse_data’: +.../src/protocol/http/http_negotiate.c:173:2: error: passing argument 3 of ‘base64_decode_bin’ from incompatible pointer type [-Werror] +In file included from .../src/protocol/http/http_negotiate.c:30:0: +.../src/util/base64.h:8:16: note: expected ‘int *’ but argument is of type ‘size_t *’ + +On 64-bit big-endian hosts, it might also cause the GSSAPI +implementation to read too much data from memory and disclose it to +some network server, or crash ELinks. + +Signed-off-by: Kamil Dudka +--- + src/protocol/http/http_negotiate.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c +index 271b443..aa0f755 100644 +--- a/src/protocol/http/http_negotiate.c ++++ b/src/protocol/http/http_negotiate.c +@@ -142,6 +142,7 @@ http_negotiate_parse_data(unsigned char *data, int type, + { + int len = 0; + unsigned char *end; ++ int bytelen = 0; + + if (data == NULL || *data == '\0') + return 0; +@@ -170,7 +171,8 @@ http_negotiate_parse_data(unsigned char *data, int type, + if (!len) + return 0; + +- token->value = (void *) base64_decode_bin(data, len, &token->length); ++ token->value = (void *) base64_decode_bin(data, len, &bytelen); ++ token->length = bytelen; /* convert int to size_t */ + + if (!token->value) + return -1; +-- +1.7.1 + diff --git a/elinks.spec b/elinks.spec index f70b9c5..d06d131 100644 --- a/elinks.spec +++ b/elinks.spec @@ -1,7 +1,7 @@ Name: elinks Summary: A text-mode Web browser Version: 0.12 -Release: 0.31.pre5%{?dist} +Release: 0.32.pre5%{?dist} License: GPLv2 URL: http://elinks.or.cz Group: Applications/Internet 
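Review bot: In the second embedded patch, `token->length = bytelen;` is assigned before the existing `if (!token->value) return -1;` check, so on a decode failure the caller is left with a NULL value paired with whatever length base64_decode_bin stored; moving the assignment below the NULL check keeps the two fields consistent. The int-to-size_t conversion is also unsigned-unchecked: if base64_decode_bin can report an error through a negative outlen (not visible in this hunk), the converted length would be huge, so a combined guard such as `if (!token->value || bytelen < 0) return -1;` placed before `token->length = (size_t) bytelen;` would be safer. The enclosing function http_negotiate_parse_data starts before the hunk, and the first embedded patch (replacing GSS_C_DELEG_FLAG with 0) raises no further point.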
@@ -40,6 +40,7 @@ Patch9: elinks-nss.patch Patch10: elinks-nss-inc.patch Patch11: elinks-0.12pre5-js185.patch Patch12: elinks-0.12pre5-ddg-search.patch +Patch13: elinks-CVE-2012-4545.patch %description Elinks is a text-based Web browser. Elinks does not display any images, @@ -86,6 +87,9 @@ quickly and swiftly displays Web pages. # add default "ddg" dumb/smart rewrite prefixes for DuckDuckGo (#856348) %patch12 -p1 +# CVE-2012-4545 +%patch13 -p1 + # remove bogus serial numbers sed -i 's/^# *serial [AM0-9]*$//' acinclude.m4 config/m4/*.m4 @@ -153,6 +157,9 @@ exit 0 %{_mandir}/man5/* %changelog +* Fri Jan 04 2013 Kamil Dudka - 0.12-0.32.pre5 +- do not delegate GSSAPI credentials (CVE-2012-4545) + * Mon Oct 08 2012 Kamil Dudka - 0.12-0.31.pre5 - add default "ddg" dumb/smart rewrite prefixes for DuckDuckGo (#856348)
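Review bot: The comment added above `%patch13 -p1` in the `@@ -86,6 +87,9 @@` hunk gives only the CVE id, whereas the neighbouring `%patch12` comment follows this file's convention of describing the change and citing the bug number. For consistency and traceability back to the commit Subject, use `# do not delegate GSSAPI credentials (CVE-2012-4545, #891566)`.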