gnu/packages/patches/cyrus-sasl-CVE-2013-4122.patch

   1 Fix CVE-2013-4122.
   2
   3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4122
   4
   5 Patch copied from upstream source repository:
   6 https://github.com/cyrusimap/cyrus-sasl/commit/dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d
   7
   8 From dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d Mon Sep 17 00:00:00 2001
   9 From: mancha <mancha1@hush.com>
  10 Date: Thu, 11 Jul 2013 10:08:07 +0100
  11 Subject: Handle NULL returns from glibc 2.17+ crypt()
  12
  13 Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
  14 (w/ NULL return) if the salt violates specifications. Additionally,
  15 on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords
  16 passed to crypt() fail with EPERM (w/ NULL return).
  17
  18 When using glibc's crypt(), check return value to avoid a possible
  19 NULL pointer dereference.
  20
  21 Patch by mancha1@hush.com.
  22 ---
  23  pwcheck/pwcheck_getpwnam.c | 3 ++-
  24  pwcheck/pwcheck_getspnam.c | 4 +++-
  25  saslauthd/auth_getpwent.c  | 4 +++-
  26  saslauthd/auth_shadow.c    | 8 +++-----
  27  4 files changed, 11 insertions(+), 8 deletions(-)
  28
  29 diff --git a/pwcheck/pwcheck_getpwnam.c b/pwcheck/pwcheck_getpwnam.c
  30 index 4b34222..400289c 100644
  31 --- a/pwcheck/pwcheck_getpwnam.c
  32 +++ b/pwcheck/pwcheck_getpwnam.c
  33 @@ -32,6 +32,7 @@ char *userid;
  34  char *password;
  35  {
  36      char* r;
  37 +    char* crpt_passwd;
  38      struct passwd *pwd;
  39
  40      pwd = getpwnam(userid);
  41 @@ -41,7 +42,7 @@ char *password;
  42      else if (pwd->pw_passwd[0] == '*') {
  43         r = "Account disabled";
  44      }
  45 -    else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
  46 +    else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) {
  47         r = "Incorrect password";
  48      }
  49      else {
  50 diff --git a/pwcheck/pwcheck_getspnam.c b/pwcheck/pwcheck_getspnam.c
  51 index 2b11286..6d607bb 100644
  52 --- a/pwcheck/pwcheck_getspnam.c
  53 +++ b/pwcheck/pwcheck_getspnam.c
  54 @@ -32,13 +32,15 @@ char *userid;
  55  char *password;
  56  {
  57      struct spwd *pwd;
  58 +    char *crpt_passwd;
  59
  60      pwd = getspnam(userid);
  61      if (!pwd) {
  62         return "Userid not found";
  63      }
  64
  65 -    if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) {
  66 +    crpt_passwd = crypt(password, pwd->sp_pwdp);
  67 +    if (!crpt_passwd || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) {
  68         return "Incorrect password";
  69      }
  70      else {
  71 diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c
  72 index fc8029d..d4ebe54 100644
  73 --- a/saslauthd/auth_getpwent.c
  74 +++ b/saslauthd/auth_getpwent.c
  75 @@ -77,6 +77,7 @@ auth_getpwent (
  76  {
  77      /* VARIABLES */
  78      struct passwd *pw;                 /* pointer to passwd file entry */
  79 +    char *crpt_passwd;                 /* encrypted password */
  80      int errnum;
  81      /* END VARIABLES */
  82
  83 @@ -105,7 +106,8 @@ auth_getpwent (
  84         }
  85      }
  86
  87 -    if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
  88 +    crpt_passwd = crypt(password, pw->pw_passwd);
  89 +    if (!crpt_passwd || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) {
  90         if (flags & VERBOSE) {
  91             syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
  92         }
  93 diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c
  94 index 677131b..1988afd 100644
  95 --- a/saslauthd/auth_shadow.c
  96 +++ b/saslauthd/auth_shadow.c
  97 @@ -210,8 +210,8 @@ auth_shadow (
  98         RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
  99      }
 100
 101 -    cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
 102 -    if (strcmp(sp->sp_pwdp, cpw)) {
 103 +    cpw = crypt(password, sp->sp_pwdp);
 104 +    if (!cpw || strcmp(sp->sp_pwdp, (const char *)cpw)) {
 105         if (flags & VERBOSE) {
 106             /*
 107              * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
 108 @@ -221,10 +221,8 @@ auth_shadow (
 109             syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
 110                    sp->sp_pwdp, cpw);
 111         }
 112 -       free(cpw);
 113         RETURN("NO Incorrect password");
 114      }
 115 -    free(cpw);
 116
 117      /*
 118       * The following fields will be set to -1 if:
 119 @@ -286,7 +284,7 @@ auth_shadow (
 120         RETURN("NO Invalid username");
 121      }
 122
 123 -    if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
 124 +    if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) {
 125         if (flags & VERBOSE) {
 126             syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
 127                    password, upw->upw_passwd);
 128 --
 129 cgit v0.12
 130