me
/
guix
Archived
1
0
Fork 0
Code

gnu: pam-krb5: Fix CVE-2020-10595. 

* gnu/packages/patches/pam-krb5-CVE-2020-10595.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/admin.scm (pam-krb5)[source]: Use it.
master
Leo Famulari 2020-03-31 13:23:12 -04:00
parent 2206805c2c
commit 653a51cb28
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
3 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
gnu/local.mk
View File

@ -1269,6 +1269,7 @@ dist_patch_DATA = \
%D%/packages/patches/p7zip-CVE-2016-9296.patch \ %D%/packages/patches/p7zip-CVE-2016-9296.patch \
%D%/packages/patches/p7zip-CVE-2017-17969.patch \ %D%/packages/patches/p7zip-CVE-2017-17969.patch \
%D%/packages/patches/p7zip-remove-unused-code.patch \ %D%/packages/patches/p7zip-remove-unused-code.patch \
%D%/packages/patches/pam-krb5-CVE-2020-10595.patch \
%D%/packages/patches/pam-mount-luks2-support.patch \ %D%/packages/patches/pam-mount-luks2-support.patch \
%D%/packages/patches/sdl-pango-api_additions.patch \ %D%/packages/patches/sdl-pango-api_additions.patch \
%D%/packages/patches/sdl-pango-blit_overflow.patch \ %D%/packages/patches/sdl-pango-blit_overflow.patch \

1
gnu/packages/admin.scm
View File

@ -2626,6 +2626,7 @@ shortcut syntax and completion options.")
(uri (string-append (uri (string-append
"https://archives.eyrie.org/software/kerberos/" "https://archives.eyrie.org/software/kerberos/"
"pam-krb5-" version ".tar.xz")) "pam-krb5-" version ".tar.xz"))
(patches (search-patches "pam-krb5-CVE-2020-10595.patch"))
(sha256 (sha256
(base32 (base32
"1qjp8i1s9bz7g6kiqrkzzkxn5pfspa4sy53b6z40fqmdf9przdfb")))) "1qjp8i1s9bz7g6kiqrkzzkxn5pfspa4sy53b6z40fqmdf9przdfb"))))

42
gnu/packages/patches/pam-krb5-CVE-2020-10595.patch 100644
View File

@ -0,0 +1,42 @@
Fix CVE-2020-10595:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595
Patch copied from upstream advisory:
https://seclists.org/oss-sec/2020/q1/128
diff --git a/prompting.c b/prompting.c
index e985d95..d81054f 100644
--- a/prompting.c
+++ b/prompting.c
@@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void *data, const char *name,
/*
* Reuse pam_prompts as a starting index and copy the data into the reply
* area of the krb5_prompt structs.
*/
pam_prompts = 0;
if (name != NULL && !args->silent)
pam_prompts++;
if (banner != NULL && !args->silent)
pam_prompts++;
for (i = 0; i < num_prompts; i++, pam_prompts++) {
- size_t len;
+ size_t len, allowed;
if (resp[pam_prompts].resp == NULL)
goto cleanup;
len = strlen(resp[pam_prompts].resp);
- if (len > prompts[i].reply->length)
+ allowed = prompts[i].reply->length;
+ if (allowed == 0 || len > allowed - 1)
goto cleanup;
/*
* The trailing nul is not included in length, but other applications
* expect it to be there. Therefore, we copy one more byte than the
* actual length of the password, but set length to just the length of
* the password.
*/
memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1);
prompts[i].reply->length = (unsigned int) len;