URL: <http://savannah.nongnu.org/bugs/?39040>
Summary: Fix potential NULL pointer dereference with glibc 2.17+
Project: Concurrent Versions System
Submitted by: mancha
Submitted on: Wed 22 May 2013 03:17:21 PM GMT
Category: Bug Fix (patch attached)
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Release:
Discussion Lock: Any
Fixed Release: None
Fixed Feature Release: None

_______________________________________________________

Details:

Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/ NULL return) if the salt violates specifications. Additionally, on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords passed to crypt() fail with EPERM (w/ NULL return).

This change can potentially cause a NULL pointer dereference in cvs after calling crypt() for password verification.

Attached patch, against cvs 1.11.23, fixes.

--mancha

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Wed 22 May 2013 03:17:21 PM GMT
Name: cvs-1.11.23-crypt.diff
Size: 2kB
By: mancha
<http://savannah.nongnu.org/bugs/download.php?file_id=28140>
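The failure mode described in the report, as an added example that is neither the attached patch nor CVS source: a password check that treats a NULL return from the hash routine as a denied login instead of passing it to strcmp(). The names `check_password`, `strict_crypt` and `fips_crypt` are hypothetical, and the two stubs are constructed stand-ins for crypt() so the block runs without libcrypt.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3), injected so the demo runs without libcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for glibc 2.17+ crypt(): a salt outside [./0-9A-Za-z]
 * yields NULL with EINVAL. The "hash" is salt + key, not a real digest. */
static char *strict_crypt(const char *key, const char *salt)
{
    static const char ok[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    static char out[64];

    if (!salt[0] || !salt[1] || !strchr(ok, salt[0]) || !strchr(ok, salt[1])) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "%.2s%.60s", salt, key);
    return out;
}

/* Constructed stand-in for a FIPS-140 system refusing DES/MD5 hashes. */
static char *fips_crypt(const char *key, const char *salt)
{
    (void)key; (void)salt;
    errno = EPERM;
    return NULL;
}

/* Returns 1 on match, 0 on mismatch, -1 when hashing failed (errno is set).
 * The unchecked form, strcmp(hash(typed, stored), stored), would pass NULL
 * to strcmp() in the -1 cases. */
int check_password(crypt_fn hash, const char *typed, const char *stored)
{
    char *computed;

    errno = 0;
    computed = hash(typed, stored);
    if (computed == NULL)
        return -1;                      /* fail closed: deny the login */
    return strcmp(computed, stored) == 0;
}

int main(void)
{
    printf("valid salt: %d\n", check_password(strict_crypt, "secret", "absecret"));
    printf("bad salt:   %d\n", check_password(strict_crypt, "secret", "!!secret"));
    printf("FIPS mode:  %d\n", check_password(fips_crypt, "secret", "absecret"));
    return 0;
}
```

Callers should treat -1 the same as a mismatch for authentication purposes and log errno so that a malformed stored hash or a FIPS restriction is visible to the administrator.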