diff options
author | Leo Famulari <leo@famulari.name> | 2020-03-31 13:23:12 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2020-03-31 13:31:57 -0400 |
commit | 653a51cb2862f57c20ebaa9dc1b62616742b55b3 (patch) | |
tree | 7f16458ea60748a64783afe8143235f1826d7374 /gnu/packages/patches | |
parent | 2206805c2cda5099d30e3a53db300827bf774d29 (diff) | |
download | guix-653a51cb2862f57c20ebaa9dc1b62616742b55b3.tar guix-653a51cb2862f57c20ebaa9dc1b62616742b55b3.tar.gz |
gnu: pam-krb5: Fix CVE-2020-10595.
* gnu/packages/patches/pam-krb5-CVE-2020-10595.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/admin.scm (pam-krb5)[source]: Use it.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/pam-krb5-CVE-2020-10595.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch new file mode 100644 index 0000000000..4ca061230f --- /dev/null +++ b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch @@ -0,0 +1,42 @@ +Fix CVE-2020-10595: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595 + +Patch copied from upstream advisory: + +https://seclists.org/oss-sec/2020/q1/128 + +diff --git a/prompting.c b/prompting.c +index e985d95..d81054f 100644 +--- a/prompting.c ++++ b/prompting.c +@@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void *data, const char *name, + /* + * Reuse pam_prompts as a starting index and copy the data into the reply + * area of the krb5_prompt structs. + */ + pam_prompts = 0; + if (name != NULL && !args->silent) + pam_prompts++; + if (banner != NULL && !args->silent) + pam_prompts++; + for (i = 0; i < num_prompts; i++, pam_prompts++) { +- size_t len; ++ size_t len, allowed; + + if (resp[pam_prompts].resp == NULL) + goto cleanup; + len = strlen(resp[pam_prompts].resp); +- if (len > prompts[i].reply->length) ++ allowed = prompts[i].reply->length; ++ if (allowed == 0 || len > allowed - 1) + goto cleanup; + + /* + * The trailing nul is not included in length, but other applications + * expect it to be there. Therefore, we copy one more byte than the + * actual length of the password, but set length to just the length of + * the password. + */ + memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1); + prompts[i].reply->length = (unsigned int) len; |