Red Hat Bugzilla – Attachment 635074 Details for Bug 864566: CVE-2012-4545 elinks: Improper delegation of client credentials during GSS negotiation
[patch] RHEL-6 backport of the upstream security fixes
elinks-CVE-2012-4545.patch (text/plain), 2.91 KB, created by Kamil Dudka on 2012-10-29 15:54:43 UTC
>From ab8adc351765d28754ba2b8361e7cd9041ecabda Mon Sep 17 00:00:00 2001 >From: Kamil Dudka <kdudka@redhat.com> >Date: Tue, 9 Oct 2012 13:01:56 +0200 >Subject: [PATCH 1/2] http_negotiate: do not delegate GSSAPI credentials > >CVE-2012-4545. Reported by Marko Myllynen. > >Signed-off-by: Kamil Dudka <kdudka@redhat.com> >--- > src/protocol/http/http_negotiate.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > >diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c >index 470b071..271b443 100644 >--- a/src/protocol/http/http_negotiate.c >+++ b/src/protocol/http/http_negotiate.c >@@ -188,7 +188,7 @@ http_negotiate_create_context(struct negotiate *neg) > &neg->context, > neg->server_name, > GSS_C_NO_OID, >- GSS_C_DELEG_FLAG, >+ 0, > 0, > GSS_C_NO_CHANNEL_BINDINGS, > &neg->input_token, >-- >1.7.1 > > >From a3477c8f3a4793202cfe1b2a8722b31ad48f15d8 Mon Sep 17 00:00:00 2001 
>From: Kalle Olavi Niemitalo <kon@iki.fi> >Date: Fri, 26 Oct 2012 15:20:32 +0300 >Subject: [PATCH 2/2] http_negotiate: Fix int* vs. size_t* type mismatch >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >http_negotiate_parse_data passed &token->length as the int *outlen >parameter of base64_decode_bin, which stores an int at that location. >However, gss_buffer_desc::length is size_t in all implementations that >I checked: MIT Kerberos Version 5 Release 1.10, libgssglue 0.4, and >GNU GSS 1.0.2. This mismatch could cause the build to fail: > >.../src/protocol/http/http_negotiate.c: In function ‘http_negotiate_parse_data’: >.../src/protocol/http/http_negotiate.c:173:2: error: passing argument 3 of ‘base64_decode_bin’ from incompatible pointer type [-Werror] >In file included from .../src/protocol/http/http_negotiate.c:30:0: >.../src/util/base64.h:8:16: note: expected ‘int *’ but argument is of type ‘size_t *’ > >On 64-bit big-endian hosts, it might also cause the GSSAPI >implementation to read too much data from memory and disclose it to >some network server, or crash ELinks. > >Signed-off-by: Kamil Dudka <kdudka@redhat.com> >--- > src/protocol/http/http_negotiate.c | 4 +++- > 1 files changed, 3 insertions(+), 1 deletions(-) > >diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c >index 271b443..aa0f755 100644 >--- a/src/protocol/http/http_negotiate.c >+++ b/src/protocol/http/http_negotiate.c >@@ -142,6 +142,7 @@ http_negotiate_parse_data(unsigned char *data, int type, > { > int len = 0; > unsigned char *end; >+ int bytelen = 0; > > if (data == NULL || *data == '\0') > return 0; 
>@@ -170,7 +171,8 @@ http_negotiate_parse_data(unsigned char *data, int type, > if (!len) > return 0; > >- token->value = (void *) base64_decode_bin(data, len, &token->length); >+ token->value = (void *) base64_decode_bin(data, len, &bytelen); >+ token->length = bytelen; /* convert int to size_t */ > > if (!token->value) > return -1; >-- >1.7.1 >
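Review bot: In the `@@ -188,7 +188,7 @@` hunk of patch 1/2 (`http_negotiate_create_context`), the literal `0` that replaces `GSS_C_DELEG_FLAG` now sits directly above a second bare `0`, so nothing in the call says which argument is the request-flags word or that leaving delegation out is deliberate. A short comment on that line, for example `0, /* req_flags: never delegate client credentials (CVE-2012-4545) */`, would keep a later cleanup from restoring the flag. The commit message also gives only the CVE id and reporter; one sentence on what was being delegated and to whom would make the fix reviewable without opening the bug.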
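Review bot: In the `@@ -170,7 +171,8 @@` hunk of patch 2/2 (`http_negotiate_parse_data`), `token->length = bytelen;` runs before the `if (!token->value) return -1;` check and converts a signed `int` to `size_t` with no range check. If `base64_decode_bin` ever stores a negative value through `outlen`, the length becomes a very large `size_t`, which is the same over-read the commit message describes. Consider moving the assignment below the NULL check and rejecting `bytelen < 0` there, or changing `base64_decode_bin` to take a `size_t *` so the temporary is not needed. The failure path also returns with `token->value` NULL while `token->length` holds whatever `bytelen` was left at, so callers must not read the length after a -1 return.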
Flags: ovasik: review+