aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2020-03-31 13:23:12 -0400
committerLeo Famulari <leo@famulari.name>2020-03-31 13:31:57 -0400
commit653a51cb2862f57c20ebaa9dc1b62616742b55b3 (patch)
tree7f16458ea60748a64783afe8143235f1826d7374
parent2206805c2cda5099d30e3a53db300827bf774d29 (diff)
downloadpatches-653a51cb2862f57c20ebaa9dc1b62616742b55b3.tar
patches-653a51cb2862f57c20ebaa9dc1b62616742b55b3.tar.gz
gnu: pam-krb5: Fix CVE-2020-10595.
* gnu/packages/patches/pam-krb5-CVE-2020-10595.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/admin.scm (pam-krb5)[source]: Use it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/admin.scm1
-rw-r--r--gnu/packages/patches/pam-krb5-CVE-2020-10595.patch42
3 files changed, 44 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index eec65c6565..19ab32c0f5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1269,6 +1269,7 @@ dist_patch_DATA = \
%D%/packages/patches/p7zip-CVE-2016-9296.patch \
%D%/packages/patches/p7zip-CVE-2017-17969.patch \
%D%/packages/patches/p7zip-remove-unused-code.patch \
+ %D%/packages/patches/pam-krb5-CVE-2020-10595.patch \
%D%/packages/patches/pam-mount-luks2-support.patch \
%D%/packages/patches/sdl-pango-api_additions.patch \
%D%/packages/patches/sdl-pango-blit_overflow.patch \
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 98cb2f90aa..e7f63eb2a9 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -2626,6 +2626,7 @@ shortcut syntax and completion options.")
(uri (string-append
"https://archives.eyrie.org/software/kerberos/"
"pam-krb5-" version ".tar.xz"))
+ (patches (search-patches "pam-krb5-CVE-2020-10595.patch"))
(sha256
(base32
"1qjp8i1s9bz7g6kiqrkzzkxn5pfspa4sy53b6z40fqmdf9przdfb"))))
diff --git a/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch
new file mode 100644
index 0000000000..4ca061230f
--- /dev/null
+++ b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch
@@ -0,0 +1,42 @@
+Fix CVE-2020-10595:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595
+
+Patch copied from upstream advisory:
+
+https://seclists.org/oss-sec/2020/q1/128
+
+diff --git a/prompting.c b/prompting.c
+index e985d95..d81054f 100644
+--- a/prompting.c
++++ b/prompting.c
+@@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void *data, const char *name,
+ /*
+ * Reuse pam_prompts as a starting index and copy the data into the reply
+ * area of the krb5_prompt structs.
+ */
+ pam_prompts = 0;
+ if (name != NULL && !args->silent)
+ pam_prompts++;
+ if (banner != NULL && !args->silent)
+ pam_prompts++;
+ for (i = 0; i < num_prompts; i++, pam_prompts++) {
+- size_t len;
++ size_t len, allowed;
+
+ if (resp[pam_prompts].resp == NULL)
+ goto cleanup;
+ len = strlen(resp[pam_prompts].resp);
+- if (len > prompts[i].reply->length)
++ allowed = prompts[i].reply->length;
++ if (allowed == 0 || len > allowed - 1)
+ goto cleanup;
+
+ /*
+ * The trailing nul is not included in length, but other applications
+ * expect it to be there. Therefore, we copy one more byte than the
+ * actual length of the password, but set length to just the length of
+ * the password.
+ */
+ memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1);
+ prompts[i].reply->length = (unsigned int) len;