To: gentoo-commits@g.o
From: "Michael Hammer (mueli)" <mueli@g.o>
Subject: gentoo-x86 commit in app-crypt/mit-krb5/files: CVE-2009-0844+CVE-2009-0847.patch CVE-2009-0846.patch
Date: Wed, 08 Apr 2009 14:29:08 +0000
mueli       09/04/08 14:29:08

  Added:                CVE-2009-0844+CVE-2009-0847.patch
                        CVE-2009-0846.patch
  Log:
  added mit-krb5-1.6.3-r6 - see bug #263398
  (Portage version: 2.1.6.8/cvs/Linux x86_64)

Revision  Changes    Path
1.1                  app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch?rev=1.1&content-type=text/plain

Index: CVE-2009-0844+CVE-2009-0847.patch
===================================================================
Index: krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- krb5-1.6.3.orig/src/lib/gssapi/spnego/spnego_mech.c
+++ krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
@@ -1815,7 +1815,8 @@ get_input_token(unsigned char **buff_in,
 		return (NULL);
 
 	input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
-	if ((int)input_token->length == -1) {
+	if ((int)input_token->length == -1 ||                                           
+	    input_token->length > buff_length) {                                        
 		free(input_token);
 		return (NULL);
 	}
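Review bot: The new bound `input_token->length > buff_length` in get_input_token may be looser than the data actually left to read. `buff_in` is passed by reference to gssint_get_der_length together with `&bytes`, so the length octets appear to have been consumed already while `buff_length` is not reduced. If that reading is right, a declared length slightly larger than the true remainder would still pass; comparing against the remaining size, for example `input_token->length > buff_length - bytes` once `bytes <= buff_length` is confirmed on success, would close the gap. A short comment stating what `buff_length` counts at this point would help either way. The function starts and ends outside the hunk, so check the caller's accounting before changing it.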
Index: krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
===================================================================
--- krb5-1.6.3.orig/src/lib/krb5/asn.1/asn1buf.c
+++ krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1bu
 
 asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
 {
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;                                                       
   subbuf->base = subbuf->next = buf->next;
   if (!indef) {
+      if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;                                
       subbuf->bound = subbuf->base + length - 1;
-      if (subbuf->bound > buf->bound)
-	  return ASN1_OVERRUN;
   } else /* constructed indefinite */
       subbuf->bound = buf->bound;
   return 0;
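Review bot: The two added checks in asn1buf_imbed depend on each other without saying so: the `(size_t)` cast on `buf->bound + 1 - buf->next` is only safe because the guard on the first line has already rejected `next > bound + 1`. A comment above the first check, such as `/* next may equal bound + 1 (nothing left) but never exceed it; keeps the subtraction below non-negative */`, would stop a later edit from reordering or dropping it. The same guard line is repeated in the asn1buf_remove_octetstring and asn1buf_remove_charstring hunks, so a small static helper or macro for the invariant would keep the three copies from drifting.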
@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstri
 {
   int i;
 
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;                                                       
   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
   if (len == 0) {
       *s = 0;
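Review bot: The context line `if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;` still compares `len` with a signed pointer difference, and it is now correct only because the added guard above makes that difference non-negative. Writing it the way asn1buf_imbed does, `if (len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;`, would make the unsigned comparison explicit. The declaration of `len` is outside the hunk, so confirm its type first. The same applies to the identical line in the asn1buf_remove_charstring hunk; both function bodies continue past their hunks.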
@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstrin
 {
   int i;
 
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;                                                       
   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
   if (len == 0) {
       *s = 0;



1.1                  app-crypt/mit-krb5/files/CVE-2009-0846.patch

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-crypt/mit-krb5/files/CVE-2009-0846.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-crypt/mit-krb5/files/CVE-2009-0846.patch?rev=1.1&content-type=text/plain

Index: CVE-2009-0846.patch
===================================================================
diff --git a/src/lib/krb5/asn.1/asn1_decode.c 
b/src/lib/krb5/asn.1/asn1_decode.c
index aa4be32..5f7461d 100644
--- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
 
   if(length != 15) return ASN1_BAD_LENGTH;
   retval = asn1buf_remove_charstring(buf,15,&s);
+  if (retval) return retval;
   /* Time encoding: YYYYMMDDhhmmssZ */
   if(s[14] != 'Z') {
       free(s);
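Review bot: The added early return in asn1_decode_generaltime deserves a comment saying why it must come before any use of `s`. The asn1buf.c patch in this same commit shows asn1buf_remove_charstring returning ASN1_OVERRUN before it writes `*s`, and the lines after the call both read `s[14]` and call `free(s)`. A comment like `/* on failure s is not valid: do not read or free it */` above `if (retval) return retval;` would record that. Initialising `s` to NULL where it is declared, which is outside this hunk, would also make any future early-exit path that frees it harmless.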
diff --git a/src/tests/asn.1/krb5_decode_test.c 
b/src/tests/asn.1/krb5_decode_test.c
index 0ff9343..1c427d1 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -485,5 +485,21 @@ int main(argc, argv)
     ktest_destroy_keyblock(&(ref.subkey));
     ref.seq_number = 0;
     decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+    retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+    if (retval) {
+       com_err("krb5_decode_test", retval, "while parsing");
+       exit(1);
+    }
+    retval = decode_krb5_ap_rep_enc_part(&code, &var);
+    if (retval != ASN1_OVERRUN) {
+       printf("ERROR: ");
+    } else {
+       printf("OK: ");
+    }
+    printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+    krb5_free_data_contents(test_context, &code);
+    krb5_free_ap_rep_enc_part(test_context, var);
+
     ktest_empty_ap_rep_enc_part(&ref);
   }
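Review bot: The new negative test frees `var` unconditionally with `krb5_free_ap_rep_enc_part(test_context, var)`, even on the path where the decode is expected to fail. Nothing in the hunk resets `var` beforehand, so unless decode_krb5_ap_rep_enc_part clears it on error it may still hold the pointer left by the preceding decode_run call. Setting `var = NULL;` before the decode and freeing only `if (retval == 0)` would make the test independent of the decoder's failure behaviour. The failure branch also only prints `ERROR: ` and leaves the exit status unchanged, so a regression could pass unnoticed in an automated run unless the output is compared elsewhere. main() begins and ends outside the hunk.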




