3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595
5 Patch copied from upstream advisory:
7 https://seclists.org/oss-sec/2020/q1/128
9 diff --git a/prompting.c b/prompting.c
10 index e985d95..d81054f 100644
13 @@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void *data, const char *name,
15 * Reuse pam_prompts as a starting index and copy the data into the reply
16 * area of the krb5_prompt structs.
19 if (name != NULL && !args->silent)
21 if (banner != NULL && !args->silent)
23 for (i = 0; i < num_prompts; i++, pam_prompts++) {
25 + size_t len, allowed;
27 if (resp[pam_prompts].resp == NULL)
29 len = strlen(resp[pam_prompts].resp);
30 - if (len > prompts[i].reply->length)
31 + allowed = prompts[i].reply->length;
32 + if (allowed == 0 || len > allowed - 1)
36 * The trailing nul is not included in length, but other applications
37 * expect it to be there. Therefore, we copy one more byte than the
38 * actual length of the password, but set length to just the length of
41 memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1);
42 prompts[i].reply->length = (unsigned int) len;