- add patch for attempt to free uninitialized pointer in libkrb5

(CVE-2009-0846)
2009-04-07 18:15:12 +00:00 · 2009-04-07 18:15:12 +00:00 · 0d81cc8c03
commit 0d81cc8c03
parent b28fb4b7da
1 changed files with 39 additions and 0 deletions
--- a/krb5-CVE-2009-0846.patch
+++ b/krb5-CVE-2009-0846.patch
@ -0,0 +1,39 @@
+diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
+index aa4be32..5f7461d 100644
+--- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
+@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
+ 
+   if(length != 15) return ASN1_BAD_LENGTH;
+   retval = asn1buf_remove_charstring(buf,15,&s);
+  if (retval) return retval;
+   /* Time encoding: YYYYMMDDhhmmssZ */
+   if(s[14] != 'Z') {
+       free(s);
+diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
+index 0ff9343..1c427d1 100644
+--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
+@@ -485,6 +485,22 @@ int main(argc, argv)
+     ktest_destroy_keyblock(&(ref.subkey));
+     ref.seq_number = 0;
+     decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+    retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+    if (retval) {
+	com_err("krb5_decode_test", retval, "while parsing");
+	exit(1);
+    }
+    retval = decode_krb5_ap_rep_enc_part(&code, &var);
+    if (retval != ASN1_OVERRUN) {
+	printf("ERROR: ");
+    } else {
+	printf("OK: ");
+    }
+    printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+    krb5_free_data_contents(test_context, &code);
+    if (var) krb5_free_ap_rep_enc_part(test_context, var);
+
+     ktest_empty_ap_rep_enc_part(&ref);
+   }
+