- add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469)
- add draft fix from Tom Yu for env_opt_add() buffer overflow (CAN-2005-0468)
  (will need to re-roll if the draft fix isn't the same as the final one)
parent
fe186e59d9
commit
9142032a6f
95
krb5-MITKRB5SA-2005-001.patch
Normal file
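--- a/krb5-MITKRB5SA-2005-001.patch
+++ b/krb5-MITKRB5SA-2005-001.patch
@@ -0,0 +1,95 @@
+Index: telnet.c
+===================================================================
+RCS file: /cvs/krbdev/krb5/src/appl/telnet/telnet/telnet.c,v
+retrieving revision 5.18
+diff -c -r5.18 telnet.c
+*** telnet.c 15 Nov 2002 20:21:35 -0000 5.18
+- --- telnet.c 15 Mar 2005 18:59:32 -0000
+***************
+*** 1475,1480 ****
+- --- 1475,1482 ----
+unsigned char flags;
+cc_t value;
+{
++ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
++ return;
+if ((*slc_replyp++ = func) == IAC)
+*slc_replyp++ = IAC;
+if ((*slc_replyp++ = flags) == IAC)
+***************
+*** 1488,1498 ****
+{
+register int len;
+
+- - *slc_replyp++ = IAC;
+- - *slc_replyp++ = SE;
+len = slc_replyp - slc_reply;
+! if (len <= 6)
+return;
+if (NETROOM() > len) {
+ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+- --- 1490,1501 ----
+{
+register int len;
+
+len = slc_replyp - slc_reply;
+! if (len <= 4 || (len + 2 > sizeof(slc_reply)))
+return;
++ *slc_replyp++ = IAC;
++ *slc_replyp++ = SE;
++ len += 2;
+if (NETROOM() > len) {
+ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+***************
+*** 1645,1650 ****
+- --- 1648,1654 ----
+register unsigned char *ep;
+{
+register unsigned char *vp, c;
++ unsigned int len, olen, elen;
+
+if (opt_reply == NULL) /*XXX*/
+return; /*XXX*/
+***************
+*** 1662,1680 ****
+return;
+}
+vp = env_getvalue(ep);
+! if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+! strlen((char *)ep) + 6 > opt_replyend)
+{
+! register unsigned int len;
+! opt_replyend += OPT_REPLY_SIZE;
+! len = opt_replyend - opt_reply;
+opt_reply = (unsigned char *)realloc(opt_reply, len);
+if (opt_reply == NULL) {
+/*@*/ printf("env_opt_add: realloc() failed!!!\n");
+opt_reply = opt_replyp = opt_replyend = NULL;
+return;
+}
+! opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+opt_replyend = opt_reply + len;
+}
+if (opt_welldefined((char *) ep))
+- --- 1666,1684 ----
+return;
+}
+vp = env_getvalue(ep);
+! elen = 2 * (vp ? strlen((char *)vp) : 0) +
+! 2 * strlen((char *)ep) + 6;
+! if ((opt_replyend - opt_replyp) < elen)
+{
+! len = opt_replyend - opt_reply + elen;
+! olen = opt_replyp - opt_reply;
+opt_reply = (unsigned char *)realloc(opt_reply, len);
+if (opt_reply == NULL) {
+/*@*/ printf("env_opt_add: realloc() failed!!!\n");
+opt_reply = opt_replyp = opt_replyend = NULL;
+return;
+}
+! opt_replyp = opt_reply + olen;
+opt_replyend = opt_reply + len;
+}
+if (opt_welldefined((char *) ep))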
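Review bot: The bound added at the top of slc_add_reply() lets the buffer fill to exactly sizeof(slc_reply), but slc_end_reply() then needs two more bytes for IAC SE and returns without sending when `len + 2 > sizeof(slc_reply)`, so a reply that reaches the limit appears to be discarded whole rather than sent truncated. Reserving the trailer in the first check, `if ((slc_replyp - slc_reply) + 6 + 2 > sizeof(slc_reply))`, would keep the two guards consistent, and a short comment on why 6 (presumably each of the three bytes may be IAC-doubled) would document the invariant. In env_opt_add() the new `elen` assumes every byte of the name and value expands to at most two bytes, which depends on the copy loop outside these hunks and deserves a comment. The unchanged `opt_reply = realloc(opt_reply, len)` still loses the old buffer on failure. All three function bodies start or end outside the hunks shown.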
15
krb5.spec
15
krb5.spec
@ -7,7 +7,7 @@
|
||||
Summary: The Kerberos network authentication system.
|
||||
Name: krb5
|
||||
Version: 1.4
|
||||
Release: 2
|
||||
Release: 3
|
||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4-signed.tar
|
||||
Source0: krb5-%{version}.tar.gz
|
||||
@ -59,8 +59,8 @@ Patch27: krb5-1.3.3-rcp-sendlarge.patch
|
||||
Patch28: krb5-1.3.5-gethostbyname_r.patch
|
||||
Patch29: krb5-1.3.5-kprop-mktemp.patch
|
||||
Patch30: krb5-1.3.4-send-pr-tempfile.patch
|
||||
Patch31: krb5-1.3.5-krsh-deadlock.patch
|
||||
Patch32: krb5-1.4-ncurses.patch
|
||||
Patch33: krb5-MITKRB5SA-2005-001.patch
|
||||
License: MIT, freely distributable.
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
Group: System Environment/Libraries
|
||||
@ -126,6 +126,13 @@ workstation.
|
||||
|
||||
%changelog
|
||||
# - XXX krb5_init_ets is gone now, what to do?
|
||||
* Wed Mar 23 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4-3
|
||||
- drop krshd patch for now
|
||||
|
||||
* Thu Mar 17 2005 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469)
|
||||
- add draft fix from Tom Yu for env_opt_add() buffer overflow (CAN-2005-0468)
|
||||
|
||||
* Wed Mar 16 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4-2
|
||||
- don't include <term.h> into the telnet client when we're not using curses
|
||||
|
||||
@ -807,8 +814,10 @@ workstation.
|
||||
%patch28 -p1 -b .gethostbyname_r
|
||||
%patch29 -p1 -b .kprop-mktemp
|
||||
%patch30 -p1 -b .send-pr-tempfile
|
||||
%patch31 -p1 -b .krsh-deadlock
|
||||
%patch32 -p1 -b .ncurses
|
||||
pushd src/appl/telnet/telnet
|
||||
%patch33 -p0 -b .MITKRB5SA-2005-001
|
||||
popd
|
||||
cp src/krb524/README README.krb524
|
||||
find . -type f -name "*.info-dir" -exec rm -fv "{}" ";"
|
||||
gzip doc/*.ps
|
||||
|