Package: iceweasel
Version: 3.5.11-1
Severity: normal
Tags: patch
Calculation of the length of the base64-encoded string in the negotiate challenge
is performed before stripping trailing '=' characters.
In most cases this leads to passing an extra byte to gss_init_sec_context,
and it causes negotiate auth to fail.

This code is located in the function nsHttpNegotiateAuth::GenerateCredentials
in the file extensions/auth/nsHttpNegotiateAuth.cpp, around the mentions of bug 230351.

The bug is already fixed in branch 3.6 of Firefox and in the iceweasel from
experimental.

A proposed fix is included in the patchset
http://hg.mozilla.org/mozilla-central/rev/275225278550

The Firefox bug related to the patchset is 520607, but I do not have a bugzilla
account there to check what this bug is really about.

diff -urN xulrunner-1.9.1.11.orig/extensions/auth/nsHttpNegotiateAuth.cpp xulrunner-1.9.1.11/extensions/auth/nsHttpNegotiateAuth.cpp
--- xulrunner-1.9.1.11.orig/extensions/auth/nsHttpNegotiateAuth.cpp 2010-07-01 12:39:11.000000000 +0400
+++ xulrunner-1.9.1.11/extensions/auth/nsHttpNegotiateAuth.cpp 2010-07-23 09:06:29.000000000 +0400
@@ -257,15 +257,15 @@
challenge++;
len = strlen(challenge);
+ // strip off any padding (see bug 230351)
+ while (challenge[len - 1] == '=')
+ len--;
+
inTokenLen = (len * 3)/4;
inToken = malloc(inTokenLen);
if (!inToken)
return (NS_ERROR_OUT_OF_MEMORY);
- // strip off any padding (see bug 230351)
- while (challenge[len - 1] == '=')
- len--;
-
//
// Decode the response that followed the "Negotiate" token
//
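Review bot: the relocated loop `while (challenge[len - 1] == '=')` still has no lower bound on len, and now that it runs before the allocation its result feeds straight into the buffer size. If challenge is empty at this point, len is 0 and the loop reads challenge[len - 1] one byte before the string; if the remaining text consists only of '=' characters, len is decremented to 0 and the same out-of-bounds read follows. Consider `while (len > 0 && challenge[len - 1] == '=')` and handling len == 0 before computing inTokenLen, since `(len * 3)/4` would then be 0 and malloc(0) may return either NULL (reported here as NS_ERROR_OUT_OF_MEMORY) or a zero-size buffer. Computing inTokenLen from the stripped length is the right order, since it matches the number of bytes the decoder will actually produce.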