guix-devel/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch

Copied from Fedora.
http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-CVE-2015-8629.patch?h=f22

From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 8 Jan 2016 12:45:25 -0500
Subject: [PATCH 1/3] Verify decoded kadmin C strings [CVE-2015-8629]

In xdr_nullstring(), check that the decoded string is terminated with
a zero byte and does not contain any internal zero bytes.

CVE-2015-8629:

In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte.  Information leakage may be possible
for an attacker with permission to modify the database.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

ticket: 8341 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---
 src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 2bef858..ba67084 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
 		    return FALSE;
 	       }
 	  }
-	  return (xdr_opaque(xdrs, *objp, size));
+	  if (!xdr_opaque(xdrs, *objp, size))
+		  return FALSE;
+	  /* Check that the unmarshalled bytes are a C string. */
+	  if ((*objp)[size - 1] != '\0')
+		  return FALSE;
+	  if (memchr(*objp, '\0', size - 1) != NULL)
+		  return FALSE;
+	  return TRUE;
 
      case XDR_ENCODE:
 	  if (size != 0)
-- 
2.7.0.rc3
gnu: mit-krb5: Update to 1.13.3; add fixes for CVE-2015-{8629,8630,8631}. * gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch, gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch, gnu/packages/patches/mit-krb5-CVE-2015-2696.patch, gnu/packages/patches/mit-krb5-CVE-2015-2697.patch, gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch, gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch: Delete files. * gnu/packages/patches/mit-krb5-CVE-2015-8629.patch, gnu/packages/patches/mit-krb5-CVE-2015-8630.patch, gnu/packages/patches/mit-krb5-CVE-2015-8631.patch, gnu/packages/patches/mit-krb5-init-context-null-spnego.patch: New files. * gnu-system.am (dist_patch_DATA): Adjust accordingly. * gnu/packages/mit-krb5.scm (mit-krb5): Update to 1.13.3. [source]: Update URI to download conventional .tar.gz file. Add patches. [native-inputs]: Remove old patches-as-inputs. [arguments]: Remove hacks needed to cope with the older unconventional tarball that contained an inner source tarball and signature: Remove #:modules argument, and the custom 'unpack' and 'apply-patches' phases. 2016-02-04 08:02:20 +01:00			`Copied from Fedora.`
			`http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-CVE-2015-8629.patch?h=f22`

			`From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001`
			`From: Greg Hudson <ghudson@mit.edu>`
			`Date: Fri, 8 Jan 2016 12:45:25 -0500`
			`Subject: [PATCH 1/3] Verify decoded kadmin C strings [CVE-2015-8629]`

			`In xdr_nullstring(), check that the decoded string is terminated with`
			`a zero byte and does not contain any internal zero bytes.`

			`CVE-2015-8629:`

			`In all versions of MIT krb5, an authenticated attacker can cause`
			`kadmind to read beyond the end of allocated memory by sending a string`
			`without a terminating zero byte. Information leakage may be possible`
			`for an attacker with permission to modify the database.`

			`CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C`

			`ticket: 8341 (new)`
			`target_version: 1.14-next`
			`target_version: 1.13-next`
			`tags: pullup`
			`---`
			`src/lib/kadm5/kadm_rpc_xdr.c \| 9 ++++++++-`
			`1 file changed, 8 insertions(+), 1 deletion(-)`

			`diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c`
			`index 2bef858..ba67084 100644`
			`--- a/src/lib/kadm5/kadm_rpc_xdr.c`
			`+++ b/src/lib/kadm5/kadm_rpc_xdr.c`
			`@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR xdrs, char *objp)`
			`return FALSE;`
			`}`
			`}`
			`- return (xdr_opaque(xdrs, *objp, size));`
			`+ if (!xdr_opaque(xdrs, *objp, size))`
			`+ return FALSE;`
			`+ /* Check that the unmarshalled bytes are a C string. */`
			`+ if ((*objp)[size - 1] != '\0')`
			`+ return FALSE;`
			`+ if (memchr(*objp, '\0', size - 1) != NULL)`
			`+ return FALSE;`
			`+ return TRUE;`

			`case XDR_ENCODE:`
			`if (size != 0)`
			`--`
			`2.7.0.rc3`