OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   02-Jul-2004 18:13:53
  Branch: OPENPKG_2_0_SOLID                Handle: -NONE-

  Modified files:           (Branch: OPENPKG_2_0_SOLID)
    openpkg-src/kerberos    kerberos.patch kerberos.spec

  Log:
    apply patch from MIT krb5 Security Advisory 2004-001; CAN-2004-0523

  Summary:
    Revision    Changes     Path
    1.9.2.1     +173 -0     openpkg-src/kerberos/kerberos.patch
    1.44.2.2    +1  -1      openpkg-src/kerberos/kerberos.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/kerberos/kerberos.patch
  ============================================================================
  $ cvs diff -u -r1.9 -r1.9.2.1 kerberos.patch
  --- openpkg-src/kerberos/kerberos.patch       16 Feb 2004 20:37:46 -0000      1.9
  +++ openpkg-src/kerberos/kerberos.patch       2 Jul 2004 16:13:52 -0000       1.9.2.1
  @@ -240,3 +240,176 @@
    #endif
        case EAI_NONAME:
   
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0523
  +    Multiple buffer overflows in krb5_aname_to_localname for MIT
  +    Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to
  +    execute arbitrary code as root.
  +
  +ESB-2004.0378 -- MIT krb5 Security Advisory 2004-001, 02 June 2004
  +    buffer overflows in krb5_aname_to_localname
  +
  +Index: krb5-1.3.1/src/lib/krb5/os/an_to_ln.c
  +--- krb5-1.3.1/src/lib/krb5/os/an_to_ln.c.orig       2002-09-03 21:29:34 +0200
  ++++ krb5-1.3.1/src/lib/krb5/os/an_to_ln.c    2004-07-02 16:46:37 +0200
  +@@ -270,9 +270,14 @@
  +  * If no regcomp() then just return the input string verbatim in the output
  +  * string.
  +  */
  +-static void
  ++#define use_bytes(x) \
  ++    out_used += (x); \
  ++    if (out_used > MAX_FORMAT_BUFFER) goto mem_err
  ++
  ++static int
  + do_replacement(char *regexp, char *repl, int doall, char *in, char *out)
  + {
  ++    size_t out_used = 0;
  + #if HAVE_REGCOMP
  +     regex_t match_exp;
  +     regmatch_t      match_match;
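Review bot: The limit test in `use_bytes` uses `>`, so a running total of exactly MAX_FORMAT_BUFFER is accepted, while the `strncpy` calls in this function bound their writes with `MAX_FORMAT_BUFFER - 1` to keep a terminator byte. If `out` is a MAX_FORMAT_BUFFER-byte buffer, as the caller's `memset(out, '\0', MAX_FORMAT_BUFFER)` suggests, `if (out_used >= MAX_FORMAT_BUFFER) goto mem_err` would reserve that byte consistently. A one-line comment on the macro saying that it jumps to `mem_err` would also help, because the hidden `goto` is easy to miss at the call sites. do_replacement's body continues outside this hunk.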
  +@@ -287,17 +292,22 @@
  +     do {
  +         if (!regexec(&match_exp, cp, 1, &match_match, 0)) {
  +             if (match_match.rm_so) {
  ++                use_bytes(match_match.rm_so);
  +                 strncpy(op, cp, match_match.rm_so);
  +                 op += match_match.rm_so;
  +             }
  ++            use_bytes(strlen(repl));
  +             strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
  +             op += strlen(op);
  +             cp += match_match.rm_eo;
  +-            if (!doall)
  ++            if (!doall) {
  ++                use_bytes(strlen(cp));
  +                 strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
  ++            }
  +             matched = 1;
  +         }
  +         else {
  ++            use_bytes(strlen(cp));
  +             strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
  +             matched = 0;
  +         }
  +@@ -322,17 +332,21 @@
  +         sdispl = (size_t) (loc1 - cp);
  +         edispl = (size_t) (loc2 - cp);
  +         if (sdispl) {
  ++            use_bytes(sdispl);
  +             strncpy(op, cp, sdispl);
  +             op += sdispl;
  +         }
  ++        use_bytes(strlen(repl));
  +         strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
  +         op += strlen(repl);
  +         cp += edispl;
  +         if (!doall)
  ++            use_bytes(strlen(cp));
  +             strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
  +         matched = 1;
  +     }
  +     else {
  ++        use_bytes(strlen(cp));
  +         strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
  +         matched = 0;
  +     }
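Review bot: The `if (!doall)` in this branch has no braces, so once the added `use_bytes(strlen(cp));` expands to two statements only `out_used += ...` stays conditional. The limit test and the following `strncpy` then run on every pass, whereas before the patch that `strncpy` ran only when doall was clear, and with doall set the copy is no longer counted. The regexec branch earlier in the patch braces the same construct (`if (!doall) {` ... `}`), and this branch should do the same. Wrapping the macro body as `do { out_used += (x); if (out_used > MAX_FORMAT_BUFFER) goto mem_err; } while (0)` would keep a later unbraced use from splitting again. The enclosing do_replacement body starts and ends outside this hunk.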
  +@@ -340,7 +354,15 @@
  + #else       /* HAVE_REGEXP_H */
  +     memcpy(out, in, MAX_FORMAT_BUFFER);
  + #endif      /* HAVE_REGCOMP */
  ++    return 1;
  ++ mem_err:
  ++#ifdef HAVE_REGCMP
  ++            regfree(&match_exp);
  ++#endif
  ++    return 0;
  ++    
  + }
  ++#undef use_bytes
  + 
  + /*
  +  * aname_replacer() - Perform the specified substitutions on the input
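Review bot: The cleanup at `mem_err` is guarded by `#ifdef HAVE_REGCMP`, but `match_exp` is declared under `#if HAVE_REGCOMP` at the top of do_replacement. On a regcomp build the compiled expression is therefore presumably never released on the overflow path, and a build that defines only HAVE_REGCMP would reference an undeclared variable. This looks like a misspelling; `#if HAVE_REGCOMP` would match the guard on the declaration. The function's header comment should also state the new return convention (1 on success, 0 when the output would exceed MAX_FORMAT_BUFFER) and that `out` may hold a partial copy when 0 is returned.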
  +@@ -412,7 +434,12 @@
  + 
  +                 /* Do the replacemenbt */
  +                 memset(out, '\0', MAX_FORMAT_BUFFER);
  +-                do_replacement(rule, repl, doglobal, in, out);
  ++                if (!do_replacement(rule, repl, doglobal, in, out)) {
  ++                    free(rule);
  ++                free(repl);
  ++                    kret = KRB5_LNAME_NOTRANS;
  ++                    break;
  ++                }
  +                 free(rule);
  +                 free(repl);
  + 
  +@@ -459,6 +486,7 @@
  +     char            *fprincname;
  +     char            *selstring = 0;
  +     int                     num_comps, compind;
  ++    size_t selstring_used;
  +     char            *cout;
  +     krb5_data               *datap;
  +     char            *outstring;
  +@@ -479,6 +507,7 @@
  +                  */
  +                 current = strchr(current, ':');
  +                 selstring = (char *) malloc(MAX_FORMAT_BUFFER);
  ++                selstring_used = 0;
  +                 if (current && selstring) {
  +                     current++;
  +                     cout = selstring;
  +@@ -497,6 +526,14 @@
  +                                                               aname,
  +                                                               compind-1))
  +                                 ) {
  ++                                if ((datap->length < MAX_FORMAT_BUFFER)
  ++                                    &&  (selstring_used+datap->length
  ++                                         < MAX_FORMAT_BUFFER)) {
  ++                                    selstring_used += datap->length;
  ++                                } else {
  ++                                    kret = ENOMEM;
  ++                                    goto errout;
  ++                                }
  +                                 strncpy(cout,
  +                                         datap->data,
  +                                         (unsigned) datap->length);
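Review bot: `selstring_used` is advanced only for principal-component data in this hunk, so any other bytes written through `cout` in the surrounding loop (not visible here) would not be counted against MAX_FORMAT_BUFFER. It is worth confirming whether the loop also appends literal rule characters and, if so, counting them the same way. The first comparison looks redundant but is presumably what keeps `selstring_used+datap->length` from wrapping, which deserves a comment such as `/* check the length alone first so the sum cannot wrap */`. The `errout` label this jumps to is added in a later hunk, and the enclosing function starts and ends outside this hunk.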
  +@@ -527,7 +564,7 @@
  +                     else
  +                         kret = KRB5_CONFIG_BADFORMAT;
  + 
  +-                    if (kret)
  ++                    errout: if (kret)
  +                         free(selstring);
  +                 }
  +             }
  +@@ -643,7 +680,7 @@
  +     const char              *hierarchy[5];
  +     char            **mapping_values;
  +     int                     i, nvalid;
  +-    char            *cp;
  ++    char            *cp, *s;
  +     char            *typep, *argp;
  +     unsigned int        lnsize;
  + 
  +@@ -677,11 +714,14 @@
  + 
  +                 /* Just use the last one. */
  +                 /* Trim the value. */
  +-                cp = &mapping_values[nvalid-1]
  +-                    [strlen(mapping_values[nvalid-1])];
  +-                while (isspace((int) (*cp))) cp--;
  +-                cp++;
  +-                *cp = '\0';
  ++                s = mapping_values[nvalid-1];
  ++                cp = s + strlen(s);
  ++                while (cp > s) {
  ++                    cp--;
  ++                    if (!isspace((int)(*cp)))
  ++                        break;
  ++                    *cp = '\0';
  ++                }
  + 
  +                 /* Copy out the value if there's enough room */
  +                 if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize)
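Review bot: The rewritten trim loop still calls `isspace((int)(*cp))`, which passes a negative value for bytes above 0x7f where `char` is signed; that is outside the domain `<ctype.h>` accepts. `if (!isspace((unsigned char)*cp))` keeps the argument in range. The loop itself now stops at `s`, so the read before the start of the string on an all-whitespace or empty value is gone. A short comment such as `/* strip trailing whitespace, never stepping before s */` would record why the pointer comparison is there. The enclosing function starts and ends outside this hunk.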
  +
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/kerberos/kerberos.spec
  ============================================================================
  $ cvs diff -u -r1.44.2.1 -r1.44.2.2 kerberos.spec
  --- openpkg-src/kerberos/kerberos.spec        18 Feb 2004 14:49:41 -0000      
1.44.2.1
  +++ openpkg-src/kerberos/kerberos.spec        2 Jul 2004 16:13:52 -0000       
1.44.2.2
  @@ -34,7 +34,7 @@
   Group:        Cryptography
   License:      MIT
   Version:      1.3.1
  -Release:      2.0.0
  +Release:      2.0.1
   
   #   package options
   %option       with_fsl  yes
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
