On Sun, Apr 24, 2005 at 03:48:23PM +0200, Moritz Muehlenhoff wrote:
> CAN-2005-0469 describes a buffer overflow in the slc_add_reply()
> function. It has already been fixed in krb5, but is present in
> krb4 as well. I'm not familiar with the krb4 code base, but the
> fix from krb5 seems applicable as well. It's attached, but please
> double check with Security Team, who might have a better fix.
Attached is a full patch for these issues for the woody version of
krb4. A patch for testing/unstable will follow later.
Note that I have not actually tested this package (and I wouldn't
know how to do that), I can only ensure that the patch applies and
that it builds...
Greetings,
--
Frank Lichtenheld <[EMAIL PROTECTED]>
www: http://www.djpig.de/
diff -Naur krb4-1.1-8.bak/debian/changelog krb4-1.1-8/debian/changelog
--- krb4-1.1-8.bak/debian/changelog 2003-03-20 07:49:04.000000000 +0100
+++ krb4-1.1-8/debian/changelog 2005-05-05 16:34:43.303476192 +0200
@@ -1,3 +1,13 @@
+krb4 (1.1-8-2.4) stable-security; urgency=low
+
+ * Non-maintainer upload.
+ * Backport patches for krb5 for CAN-2005-0469
+ and CAN-2005-0468. Fixes buffer overflows in
+ slc_add_reply() and env_add_opt() in telnet code
+ (Bug#306141)
+
+ -- Frank Lichtenheld <[EMAIL PROTECTED]> Thu, 5 May 2005 16:32:17 +0200
+
krb4 (1.1-8-2.3) stable-security; urgency=high
* Backport of patches from 1.2.1 to 1.2.2
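Review bot: the new entry at the top of the hunk uses `urgency=low`, while the previous stable-security entry (`krb4 (1.1-8-2.3) stable-security; urgency=high`) used `urgency=high`; an upload fixing two buffer overflows should carry urgency=high. Also "Backport patches for krb5" should read "Backport patches from krb5" to match what the mail describes. The CAN identifiers and the Bug#306141 reference are otherwise consistent with the name of the patch file this diff adds.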
diff -Naur
krb4-1.1-8.bak/debian/patches/024_security_telnet_CAN-2005-0468_CAN-2005-0469_upstream
krb4-1.1-8/debian/patches/024_security_telnet_CAN-2005-0468_CAN-2005-0469_upstream
---
krb4-1.1-8.bak/debian/patches/024_security_telnet_CAN-2005-0468_CAN-2005-0469_upstream
1970-01-01 01:00:00.000000000 +0100
+++
krb4-1.1-8/debian/patches/024_security_telnet_CAN-2005-0468_CAN-2005-0469_upstream
2005-05-05 16:31:18.060677840 +0200
@@ -0,0 +1,64 @@
+--- krb4-1.1/appl/telnet/telnet/telnet.c.orig 2005-05-05 16:25:53.390035280
+0200
++++ krb4-1.1/appl/telnet/telnet/telnet.c 2005-05-05 16:28:49.944194968
+0200
+@@ -1306,6 +1306,8 @@
+ void
+ slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
+ {
++ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
++ return;
+ if ((*slc_replyp++ = func) == IAC)
+ *slc_replyp++ = IAC;
+ if ((*slc_replyp++ = flags) == IAC)
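Review bot: the added guard `if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply)) return;` reserves the correct worst case (three bytes, each possibly escaped as `IAC IAC`), but it drops the entry silently, so the caller has no way to know the reply was truncated; a short comment explaining the constant 6 and that silent truncation is the intended degradation would help the next reader. The pointer difference is signed and `sizeof` is unsigned; that is harmless here because `slc_replyp` never precedes `slc_reply`, but compilers with sign-compare warnings enabled will flag it.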
+@@ -1319,11 +1321,12 @@
+ {
+ int len;
+
+- *slc_replyp++ = IAC;
+- *slc_replyp++ = SE;
+ len = slc_replyp - slc_reply;
+- if (len <= 6)
++ if (len <= 4 || (len + 2 > sizeof(slc_reply)))
+ return;
++ *slc_replyp++ = IAC;
++ *slc_replyp++ = SE;
++ len += 2;
+ if (NETROOM() > len) {
+ ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+ printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
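Review bot: moving the `IAC SE` write after the length check is the right fix, and `len <= 4` is equivalent to the old `len <= 6` now that the two trailer bytes are no longer counted, but the early return on `len + 2 > sizeof(slc_reply)` leaves `slc_replyp` pointing into a partially filled buffer with no diagnostic; confirm that the caller resets it before the next reply (not visible in this hunk) or reset it here. `len += 2` keeps the `NETROOM() > len` test consistent with the byte count actually passed to `ring_supply_data`.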
+@@ -1455,6 +1458,7 @@
+ env_opt_add(unsigned char *ep)
+ {
+ unsigned char *vp, c;
++ unsigned int len, olen, elen;
+
+ if (opt_reply == NULL) /*XXX*/
+ return; /*XXX*/
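Review bot: `len`, `olen` and `elen` are declared `unsigned int`, but in the next hunk they are assigned from and compared against pointer differences (`opt_replyend - opt_replyp`), which are `ptrdiff_t`; the values are non-negative so the conversion is safe, but `size_t` would match `strlen()` and `realloc()` and avoid sign-compare warnings.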
+@@ -1471,14 +1475,13 @@
+ env_opt_add(ep);
+ return;
+ }
+- vp = env_getvalue(ep);
+- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+- strlen((char *)ep) + 6 > opt_replyend)
++ elen = 2 * (vp ? strlen((char *)vp) : 0) +
++ 2 * strlen((char *)ep) + 6;
++ if ((opt_replyend - opt_replyp) < elen)
+ {
+- int len;
+ void *tmp;
+- opt_replyend += OPT_REPLY_SIZE;
+- len = opt_replyend - opt_reply;
++ len = opt_replyend - opt_reply + elen;
++ olen = opt_replyp - opt_reply;
+ tmp = realloc(opt_reply, len);
+ if (tmp == NULL) {
+ /[EMAIL PROTECTED]/ printf("env_opt_add: realloc()
failed!!!\n");
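Review bot: the hunk removes `vp = env_getvalue(ep);` without re-adding it, yet the new line `elen = 2 * (vp ? strlen((char *)vp) : 0) + 2 * strlen((char *)ep) + 6;` still reads `vp`, as will the copy loop that follows; unless `vp` is assigned earlier in the function (not shown in this diff), this uses an uninitialized pointer, and the assignment should be kept as a context line ahead of the `elen` computation. The sizing itself is right: doubling both lengths covers the case where every byte needs escaping and is expanded to two bytes on output, plus 6 for the framing. Two smaller points: `len = opt_replyend - opt_reply + elen;` grows the buffer by exactly one entry, so a large environment triggers one `realloc()` per variable (growing by the larger of `elen` and `OPT_REPLY_SIZE` would keep the old amortisation), and the `/[EMAIL PROTECTED]/ printf(...)` line looks mangled by the list archive's address scrubbing, so the patch as applied should be checked against the original.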
+@@ -1486,7 +1489,7 @@
+ return;
+ }
+ opt_reply = tmp;
+- opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
++ opt_replyp = opt_reply + olen;
+ opt_replyend = opt_reply + len;
+ }
+ if (opt_welldefined((char *)ep)) {
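Review bot: `opt_replyp = opt_reply + olen;` is the clearer replacement; the old expression recovered the used length from `len` and the already-advanced `opt_replyend`, which was easy to get wrong. The one thing to double-check is that `olen` is computed before the `realloc()` call (it is, in the previous hunk), since `opt_replyp` dangles once the old block is freed; the trailing `opt_replyend = opt_reply + len;` then matches the size actually allocated.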