Files @ 65865800e5e8
Branch filter:

Location: ohnobinki_overlay/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch - annotation

65865800e5e8 2.0 KiB text/x-diff Show Source Show as Raw Download as Raw
binki
dev-util/scons: deleted, newer version in Portage
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510
f422522f7510

Index: krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- krb5-1.6.3.orig/src/lib/gssapi/spnego/spnego_mech.c
+++ krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
@@ -1815,7 +1815,8 @@ get_input_token(unsigned char **buff_in,
 		return (NULL);
 
 	input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
-	if ((int)input_token->length == -1) {
+	if ((int)input_token->length == -1 ||                                           
+	    input_token->length > buff_length) {                                        
 		free(input_token);
 		return (NULL);
 	}
Index: krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
===================================================================
--- krb5-1.6.3.orig/src/lib/krb5/asn.1/asn1buf.c
+++ krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1bu
 
 asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
 {
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;                                                       
   subbuf->base = subbuf->next = buf->next;
   if (!indef) {
+      if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;                                
       subbuf->bound = subbuf->base + length - 1;
-      if (subbuf->bound > buf->bound)
-	  return ASN1_OVERRUN;
   } else /* constructed indefinite */
       subbuf->bound = buf->bound;
   return 0;
@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstri
 {
   int i;
 
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;                                                       
   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
   if (len == 0) {
       *s = 0;
@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstrin
 {
   int i;
 
+  if (buf->next > buf->bound + 1) return ASN1_OVERRUN;                                                       
   if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
   if (len == 0) {
       *s = 0;
Server instance: zserverv-13856 This site is powered by Kallithea, which is © 2010–2021 by various authors & licensed under GPLv3. – Support