83 lines
2.9 KiB
Diff
83 lines
2.9 KiB
Diff
From ab8adc351765d28754ba2b8361e7cd9041ecabda Mon Sep 17 00:00:00 2001
|
||
From: Kamil Dudka <kdudka@redhat.com>
|
||
Date: Tue, 9 Oct 2012 13:01:56 +0200
|
||
Subject: [PATCH 1/2] http_negotiate: do not delegate GSSAPI credentials
|
||
|
||
CVE-2012-4545. Reported by Marko Myllynen.
|
||
|
||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
---
|
||
src/protocol/http/http_negotiate.c | 2 +-
|
||
1 files changed, 1 insertions(+), 1 deletions(-)
|
||
|
||
diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c
|
||
index 470b071..271b443 100644
|
||
--- a/src/protocol/http/http_negotiate.c
|
||
+++ b/src/protocol/http/http_negotiate.c
|
||
@@ -188,7 +188,7 @@ http_negotiate_create_context(struct negotiate *neg)
|
||
&neg->context,
|
||
neg->server_name,
|
||
GSS_C_NO_OID,
|
||
- GSS_C_DELEG_FLAG,
|
||
+ 0,
|
||
0,
|
||
GSS_C_NO_CHANNEL_BINDINGS,
|
||
&neg->input_token,
|
||
--
|
||
1.7.1
|
||
|
||
|
||
From a3477c8f3a4793202cfe1b2a8722b31ad48f15d8 Mon Sep 17 00:00:00 2001
|
||
From: Kalle Olavi Niemitalo <kon@iki.fi>
|
||
Date: Fri, 26 Oct 2012 15:20:32 +0300
|
||
Subject: [PATCH 2/2] http_negotiate: Fix int* vs. size_t* type mismatch
|
||
MIME-Version: 1.0
|
||
Content-Type: text/plain; charset=UTF-8
|
||
Content-Transfer-Encoding: 8bit
|
||
|
||
http_negotiate_parse_data passed &token->length as the int *outlen
|
||
parameter of base64_decode_bin, which stores an int at that location.
|
||
However, gss_buffer_desc::length is size_t in all implementations that
|
||
I checked: MIT Kerberos Version 5 Release 1.10, libgssglue 0.4, and
|
||
GNU GSS 1.0.2. This mismatch could cause the build to fail:
|
||
|
||
.../src/protocol/http/http_negotiate.c: In function ‘http_negotiate_parse_data’:
|
||
.../src/protocol/http/http_negotiate.c:173:2: error: passing argument 3 of ‘base64_decode_bin’ from incompatible pointer type [-Werror]
|
||
In file included from .../src/protocol/http/http_negotiate.c:30:0:
|
||
.../src/util/base64.h:8:16: note: expected ‘int *’ but argument is of type ‘size_t *’
|
||
|
||
On 64-bit big-endian hosts, it might also cause the GSSAPI
|
||
implementation to read too much data from memory and disclose it to
|
||
some network server, or crash ELinks.
|
||
|
||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
---
|
||
src/protocol/http/http_negotiate.c | 4 +++-
|
||
1 files changed, 3 insertions(+), 1 deletions(-)
|
||
|
||
diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c
|
||
index 271b443..aa0f755 100644
|
||
--- a/src/protocol/http/http_negotiate.c
|
||
+++ b/src/protocol/http/http_negotiate.c
|
||
@@ -142,6 +142,7 @@ http_negotiate_parse_data(unsigned char *data, int type,
|
||
{
|
||
int len = 0;
|
||
unsigned char *end;
|
||
+ int bytelen = 0;
|
||
|
||
if (data == NULL || *data == '\0')
|
||
return 0;
|
||
@@ -170,7 +171,8 @@ http_negotiate_parse_data(unsigned char *data, int type,
|
||
if (!len)
|
||
return 0;
|
||
|
||
- token->value = (void *) base64_decode_bin(data, len, &token->length);
|
||
+ token->value = (void *) base64_decode_bin(data, len, &bytelen);
|
||
+ token->length = bytelen; /* convert int to size_t */
|
||
|
||
if (!token->value)
|
||
return -1;
|
||
--
|
||
1.7.1
|
||
|