- add patch to fix length validation bug in libkrb5 (CVE-2009-0847)

2009-04-07 18:15:43 +00:00 · 2009-04-07 18:15:43 +00:00 · ebb2e9030e
commit ebb2e9030e
parent 0d81cc8c03
1 changed files with 34 additions and 0 deletions
--- a/krb5-CVE-2009-0847.patch
+++ b/krb5-CVE-2009-0847.patch
@ -0,0 +1,34 @@
+diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
+index 8baac24..587cccc 100644
+--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
+@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code)
+ 
+ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
+ {
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+   subbuf->base = subbuf->next = buf->next;
+   if (!indef) {
+      if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
+       subbuf->bound = subbuf->base + length - 1;
+-      if (subbuf->bound > buf->bound)
+-	  return ASN1_OVERRUN;
+   } else /* constructed indefinite */
+       subbuf->bound = buf->bound;
+   return 0;
+@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len,
+ {
+   int i;
+ 
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+   if (len == 0) {
+       *s = 0;
+@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len,
+ {
+   int i;
+ 
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+   if (len == 0) {
+       *s = 0;