diff options
Diffstat (limited to 'gnu/packages/patches/pam-krb5-CVE-2020-10595.patch')
-rw-r--r-- | gnu/packages/patches/pam-krb5-CVE-2020-10595.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch new file mode 100644 index 0000000000..4ca061230f --- /dev/null +++ b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch @@ -0,0 +1,42 @@ +Fix CVE-2020-10595: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595 + +Patch copied from upstream advisory: + +https://seclists.org/oss-sec/2020/q1/128 + +diff --git a/prompting.c b/prompting.c +index e985d95..d81054f 100644 +--- a/prompting.c ++++ b/prompting.c +@@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void *data, const char *name, + /* + * Reuse pam_prompts as a starting index and copy the data into the reply + * area of the krb5_prompt structs. + */ + pam_prompts = 0; + if (name != NULL && !args->silent) + pam_prompts++; + if (banner != NULL && !args->silent) + pam_prompts++; + for (i = 0; i < num_prompts; i++, pam_prompts++) { +- size_t len; ++ size_t len, allowed; + + if (resp[pam_prompts].resp == NULL) + goto cleanup; + len = strlen(resp[pam_prompts].resp); +- if (len > prompts[i].reply->length) ++ allowed = prompts[i].reply->length; ++ if (allowed == 0 || len > allowed - 1) + goto cleanup; + + /* + * The trailing nul is not included in length, but other applications + * expect it to be there. Therefore, we copy one more byte than the + * actual length of the password, but set length to just the length of + * the password. + */ + memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1); + prompts[i].reply->length = (unsigned int) len; |