Attachment 856182 Details for Bug 1056767 – upstream patch to correct the flaw

[patch] upstream patch to correct the flaw

zarafa-CVE-2014-0037.patch (text/plain), 1.15 KB, created by Vincent Danen on 2014-01-27 18:28:23 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Vincent Danen

Created: 2014-01-27 18:28:23 UTC

Size: 1.15 KB

patch

obsolete

>Index: provider/libserver/ECSession.cpp
>===================================================================
>diff -u -N -r41872 -r42919
>--- provider/libserver/ECSession.cpp	(.../ECSession.cpp)	(revision 41872)
>+++ provider/libserver/ECSession.cpp	(.../ECSession.cpp)	(revision 42919)
>@@ -846,6 +846,13 @@
> {
> 	ECRESULT er = erSuccess;
> 	
>+	if (!lpszName)
>+	{
>+		// Commandment 2: Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end.
>+		m_lpSessionManager->GetLogger()->Log(EC_LOGLEVEL_FATAL, "Invalid argument lpszName in call to ECAuthSession::ValidateUserLogon()");
>+		er = ZARAFA_E_INVALID_PARAMETER;
>+		goto exit;
>+	}
> 	// SYSTEM can't login with user/pass
> 	if(stricmp(lpszName, ZARAFA_ACCOUNT_SYSTEM) == 0) {
> 		er = ZARAFA_E_NO_ACCESS;
>@@ -888,6 +895,12 @@
> 	char			*localAdminUsers = NULL;
> #endif
> 
>+	if (!lpszName)
>+	{
>+		m_lpSessionManager->GetLogger()->Log(EC_LOGLEVEL_FATAL, "Invalid argument lpszName in call to ECAuthSession::ValidateUserSocket()");
>+		er = ZARAFA_E_INVALID_PARAMETER;
>+		goto exit;
>+	}
> 	p = m_lpSessionManager->GetConfig()->GetSetting("allow_local_users");
> 	if (p && !stricmp(p, "yes")) {
> 		allowLocalUsers = true;

Actions: View | Diff

Attachments on bug 1056767: 854977 | 854979 | 856182