gnu: Add kafs-client
[jackhill/guix/guix.git] / gnu / packages / patches / pam-krb5-CVE-2020-10595.patch
1 Fix CVE-2020-10595:
2
3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595
4
5 Patch copied from upstream advisory:
6
7 https://seclists.org/oss-sec/2020/q1/128
8
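diff --git a/prompting.c b/prompting.c
index e985d95..d81054f 100644
--- a/prompting.c
+++ b/prompting.c
@@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void *data, const char *name,
 /*
 * Reuse pam_prompts as a starting index and copy the data into the reply
 * area of the krb5_prompt structs.
 */
 pam_prompts = 0;
 if (name != NULL && !args->silent)
 pam_prompts++;
 if (banner != NULL && !args->silent)
 pam_prompts++;
 for (i = 0; i < num_prompts; i++, pam_prompts++) {
- size_t len;
+ size_t len, allowed;
 
 if (resp[pam_prompts].resp == NULL)
 goto cleanup;
 len = strlen(resp[pam_prompts].resp);
- if (len > prompts[i].reply->length)
+ allowed = prompts[i].reply->length;
+ if (allowed == 0 || len > allowed - 1)
 goto cleanup;
 
 /*
 * The trailing nul is not included in length, but other applications
 * expect it to be there. Therefore, we copy one more byte than the
 * actual length of the password, but set length to just the length of
 * the password.
 */
 memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1);
 prompts[i].reply->length = (unsigned int) len;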
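Review bot: The new bound `if (allowed == 0 || len > allowed - 1)` has no comment tying it to the `memcpy(..., len + 1)` a few lines below, so the off-by-one this patch closes is easy to reintroduce in a later cleanup. I would add above the check: `/* reply->length is the whole buffer; reserve one byte for the nul copied below, and test allowed == 0 first so allowed - 1 cannot wrap. */`. The existing block comment explains why the nul is copied but not that the size check must account for it. The body of pamk5_prompter_krb5 starts and ends outside the hunk, so it is not visible here whether the `goto cleanup` path for an over-long response returns an error to the Kerberos library and clears the PAM responses; that is worth confirming against the full function.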