rpms/elinks
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #891566 - do not delegate GSSAPI credentials (CVE-2012-4545)

Browse Source
This commit is contained in:
Kamil Dudka 2012-10-29 16:34:48 +01:00
parent c4139c8a2d
commit 9a8b4ef04f
2 changed files with 90 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
elinks-CVE-2012-4545.patch Normal file
View File

@ -0,0 +1,82 @@
From ab8adc351765d28754ba2b8361e7cd9041ecabda Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 9 Oct 2012 13:01:56 +0200
Subject: [PATCH 1/2] http_negotiate: do not delegate GSSAPI credentials
CVE-2012-4545. Reported by Marko Myllynen.
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/protocol/http/http_negotiate.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c
index 470b071..271b443 100644
--- a/src/protocol/http/http_negotiate.c
+++ b/src/protocol/http/http_negotiate.c
@@ -188,7 +188,7 @@ http_negotiate_create_context(struct negotiate *neg)
&neg->context,
neg->server_name,
GSS_C_NO_OID,
- GSS_C_DELEG_FLAG,
+ 0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&neg->input_token,
--
1.7.1
From a3477c8f3a4793202cfe1b2a8722b31ad48f15d8 Mon Sep 17 00:00:00 2001
From: Kalle Olavi Niemitalo <kon@iki.fi>
Date: Fri, 26 Oct 2012 15:20:32 +0300
Subject: [PATCH 2/2] http_negotiate: Fix int* vs. size_t* type mismatch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
http_negotiate_parse_data passed &token->length as the int *outlen
parameter of base64_decode_bin, which stores an int at that location.
However, gss_buffer_desc::length is size_t in all implementations that
I checked: MIT Kerberos Version 5 Release 1.10, libgssglue 0.4, and
GNU GSS 1.0.2. This mismatch could cause the build to fail:
.../src/protocol/http/http_negotiate.c: In function http_negotiate_parse_data:
.../src/protocol/http/http_negotiate.c:173:2: error: passing argument 3 of base64_decode_bin from incompatible pointer type [-Werror]
In file included from .../src/protocol/http/http_negotiate.c:30:0:
.../src/util/base64.h:8:16: note: expected int * but argument is of type size_t *
On 64-bit big-endian hosts, it might also cause the GSSAPI
implementation to read too much data from memory and disclose it to
some network server, or crash ELinks.
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/protocol/http/http_negotiate.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c
index 271b443..aa0f755 100644
--- a/src/protocol/http/http_negotiate.c
+++ b/src/protocol/http/http_negotiate.c
@@ -142,6 +142,7 @@ http_negotiate_parse_data(unsigned char *data, int type,
{
int len = 0;
unsigned char *end;
+ int bytelen = 0;
if (data == NULL || *data == '\0')
return 0;
@@ -170,7 +171,8 @@ http_negotiate_parse_data(unsigned char *data, int type,
if (!len)
return 0;
- token->value = (void *) base64_decode_bin(data, len, &token->length);
+ token->value = (void *) base64_decode_bin(data, len, &bytelen);
+ token->length = bytelen; /* convert int to size_t */
if (!token->value)
return -1;
--
1.7.1

9
elinks.spec
View File

@ -1,7 +1,7 @@
Name: elinks Name: elinks
Summary: A text-mode Web browser Summary: A text-mode Web browser
Version: 0.12 Version: 0.12
Release: 0.31.pre5%{?dist} Release: 0.32.pre5%{?dist}
License: GPLv2 License: GPLv2
URL: http://elinks.or.cz URL: http://elinks.or.cz
Group: Applications/Internet Group: Applications/Internet
@ -40,6 +40,7 @@ Patch9: elinks-nss.patch
Patch10: elinks-nss-inc.patch Patch10: elinks-nss-inc.patch
Patch11: elinks-0.12pre5-js185.patch Patch11: elinks-0.12pre5-js185.patch
Patch12: elinks-0.12pre5-ddg-search.patch Patch12: elinks-0.12pre5-ddg-search.patch
Patch13: elinks-CVE-2012-4545.patch
%description %description
Elinks is a text-based Web browser. Elinks does not display any images, Elinks is a text-based Web browser. Elinks does not display any images,
@ -86,6 +87,9 @@ quickly and swiftly displays Web pages.
# add default "ddg" dumb/smart rewrite prefixes for DuckDuckGo (#856348) # add default "ddg" dumb/smart rewrite prefixes for DuckDuckGo (#856348)
%patch12 -p1 %patch12 -p1
# CVE-2012-4545
%patch13 -p1
# remove bogus serial numbers # remove bogus serial numbers
sed -i 's/^# *serial [AM0-9]*$//' acinclude.m4 config/m4/*.m4 sed -i 's/^# *serial [AM0-9]*$//' acinclude.m4 config/m4/*.m4
@ -153,6 +157,9 @@ exit 0
%{_mandir}/man5/* %{_mandir}/man5/*
%changelog %changelog
* Fri Jan 04 2013 Kamil Dudka <kdudka@redhat.com> - 0.12-0.32.pre5
- do not delegate GSSAPI credentials (CVE-2012-4545)
* Mon Oct 08 2012 Kamil Dudka <kdudka@redhat.com> - 0.12-0.31.pre5 * Mon Oct 08 2012 Kamil Dudka <kdudka@redhat.com> - 0.12-0.31.pre5
- add default "ddg" dumb/smart rewrite prefixes for DuckDuckGo (#856348) - add default "ddg" dumb/smart rewrite prefixes for DuckDuckGo (#856348)