-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/admin.scm | 1 | ||||
-rw-r--r-- | gnu/packages/patches/pam-krb5-CVE-2020-10595.patch | 42 |
3 files changed, 44 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index eec65c6565..19ab32c0f5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1269,6 +1269,7 @@ dist_patch_DATA = \ %D%/packages/patches/p7zip-CVE-2016-9296.patch \ %D%/packages/patches/p7zip-CVE-2017-17969.patch \ %D%/packages/patches/p7zip-remove-unused-code.patch \ + %D%/packages/patches/pam-krb5-CVE-2020-10595.patch \ %D%/packages/patches/pam-mount-luks2-support.patch \ %D%/packages/patches/sdl-pango-api_additions.patch \ %D%/packages/patches/sdl-pango-blit_overflow.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 98cb2f90aa..e7f63eb2a9 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -2626,6 +2626,7 @@ shortcut syntax and completion options.") (uri (string-append "https://archives.eyrie.org/software/kerberos/" "pam-krb5-" version ".tar.xz")) + (patches (search-patches "pam-krb5-CVE-2020-10595.patch")) (sha256 (base32 "1qjp8i1s9bz7g6kiqrkzzkxn5pfspa4sy53b6z40fqmdf9przdfb")))) diff --git a/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch new file mode 100644 index 0000000000..4ca061230f --- /dev/null +++ b/gnu/packages/patches/pam-krb5-CVE-2020-10595.patch 
@@ -0,0 +1,42 @@
+Fix CVE-2020-10595:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595
+
+Patch copied from upstream advisory:
+
+https://seclists.org/oss-sec/2020/q1/128
+
+diff --git a/prompting.c b/prompting.c
+index e985d95..d81054f 100644
+--- a/prompting.c
++++ b/prompting.c
+@@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void *data, const char *name,
+ /*
+ * Reuse pam_prompts as a starting index and copy the data into the reply
+ * area of the krb5_prompt structs.
+ */
+ pam_prompts = 0;
+ if (name != NULL && !args->silent)
+ pam_prompts++;
+ if (banner != NULL && !args->silent)
+ pam_prompts++;
+ for (i = 0; i < num_prompts; i++, pam_prompts++) {
+- size_t len;
++ size_t len, allowed;
+
+ if (resp[pam_prompts].resp == NULL)
+ goto cleanup;
+ len = strlen(resp[pam_prompts].resp);
+- if (len > prompts[i].reply->length)
++ allowed = prompts[i].reply->length;
++ if (allowed == 0 || len > allowed - 1)
+ goto cleanup;
+
+ /*
+ * The trailing nul is not included in length, but other applications
+ * expect it to be there. Therefore, we copy one more byte than the
+ * actual length of the password, but set length to just the length of
+ * the password.
+ */
+ memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1);
+ prompts[i].reply->length = (unsigned int) len; |
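Review bot: The header of the new pam-krb5-CVE-2020-10595.patch carries only two links and never states what the defect is, so a maintainer has to re-derive it from the C hunk. Assuming `reply->length` is the size of the reply buffer, as the fix implies, the old guard `len > prompts[i].reply->length` let a response exactly that long reach `memcpy(..., len + 1)`, whose trailing nul then lands one byte past the buffer; the new `allowed == 0 || len > allowed - 1` test closes that. I would add a line such as `Reject prompt responses that leave no room for the trailing nul (one-byte overflow of the reply buffer).` under `Fix CVE-2020-10595:`, and say there that the patch can be dropped once the package moves to an upstream release that contains the fix. pamk5_prompter_krb5 starts and ends outside the quoted hunk, so what the `cleanup` label does with a rejected response is not visible here.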