authorMichael Hammer <mueli@gentoo.org>2009-04-08 14:29:10 +0000
committerMichael Hammer <mueli@gentoo.org>2009-04-08 14:29:10 +0000
commit3d7d71b851b6af586940fec2cbba3958d9ed1eba (patch)
treefb6309a5db6a039e950f8e529d03e0e083d794d9 /app-crypt/mit-krb5/files
parentStable on amd64, bug #264897 (diff)
added mit-krb5-1.6.3-r6 - see bug #263398
Package-Manager: portage-2.1.6.8/cvs/Linux x86_64
Diffstat (limited to 'app-crypt/mit-krb5/files')
-rw-r--r--app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch48
-rw-r--r--app-crypt/mit-krb5/files/CVE-2009-0846.patch40
2 files changed, 88 insertions, 0 deletions
diff --git a/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch b/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch
new file mode 100644
index 000000000000..310963c2390a
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch
@@ -0,0 +1,48 @@
+Index: krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
+===================================================================
+--- krb5-1.6.3.orig/src/lib/gssapi/spnego/spnego_mech.c
++++ krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
+@@ -1815,7 +1815,8 @@ get_input_token(unsigned char **buff_in,
+ return (NULL);
+
+ input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
+- if ((int)input_token->length == -1) {
++ if ((int)input_token->length == -1 ||
++ input_token->length > buff_length) {
+ free(input_token);
+ return (NULL);
+ }
+Index: krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
+===================================================================
+--- krb5-1.6.3.orig/src/lib/krb5/asn.1/asn1buf.c
++++ krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
+@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1bu
+
+ asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
+ {
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ subbuf->base = subbuf->next = buf->next;
+ if (!indef) {
++ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
+ subbuf->bound = subbuf->base + length - 1;
+- if (subbuf->bound > buf->bound)
+- return ASN1_OVERRUN;
+ } else /* constructed indefinite */
+ subbuf->bound = buf->bound;
+ return 0;
+@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstri
+ {
+ int i;
+
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len == 0) {
+ *s = 0;
+@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstrin
+ {
+ int i;
+
++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
+ if (len == 0) {
+ *s = 0;
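Review bot: The new bound in get_input_token, `input_token->length > buff_length`, compares the decoded length with the whole buffer length rather than with what remains after the length octets that gssint_get_der_length has just read. If `bytes` is the count of octets consumed and `*buff_in` has been advanced by it (both look likely from the call, but the helper is not visible here), a length just under buff_length still passes while exceeding the data actually left. A tighter guard would be `bytes > buff_length || input_token->length > buff_length - bytes`. On the asn1buf.c side, the two `len > buf->bound + 1 - buf->next` comparisons would read more consistently with the `(size_t)` cast used in asn1buf_imbed. All four function bodies start or end outside the quoted hunks.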
diff --git a/app-crypt/mit-krb5/files/CVE-2009-0846.patch b/app-crypt/mit-krb5/files/CVE-2009-0846.patch
new file mode 100644
index 000000000000..efbb9af889ee
--- /dev/null
+++ b/app-crypt/mit-krb5/files/CVE-2009-0846.patch
@@ -0,0 +1,40 @@
+diff --git a/src/lib/krb5/asn.1/asn1_decode.c
+b/src/lib/krb5/asn.1/asn1_decode.c
+index aa4be32..5f7461d 100644
+--- a/src/lib/krb5/asn.1/asn1_decode.c
++++ b/src/lib/krb5/asn.1/asn1_decode.c
+@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
+
+ if(length != 15) return ASN1_BAD_LENGTH;
+ retval = asn1buf_remove_charstring(buf,15,&s);
++ if (retval) return retval;
+ /* Time encoding: YYYYMMDDhhmmssZ */
+ if(s[14] != 'Z') {
+ free(s);
+diff --git a/src/tests/asn.1/krb5_decode_test.c
+b/src/tests/asn.1/krb5_decode_test.c
+index 0ff9343..1c427d1 100644
+--- a/src/tests/asn.1/krb5_decode_test.c
++++ b/src/tests/asn.1/krb5_decode_test.c
+@@ -485,5 +485,21 @@ int main(argc, argv)
+ ktest_destroy_keyblock(&(ref.subkey));
+ ref.seq_number = 0;
+ decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
++
++ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
++ if (retval) {
++ com_err("krb5_decode_test", retval, "while parsing");
++ exit(1);
++ }
++ retval = decode_krb5_ap_rep_enc_part(&code, &var);
++ if (retval != ASN1_OVERRUN) {
++ printf("ERROR: ");
++ } else {
++ printf("OK: ");
++ }
++ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
++ krb5_free_data_contents(test_context, &code);
++ krb5_free_ap_rep_enc_part(test_context, var);
++
+ ktest_empty_ap_rep_enc_part(&ref);
+ }
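Review bot: In the added krb5_decode_test.c case, `krb5_free_ap_rep_enc_part(test_context, var)` runs unconditionally after a decode that is expected to fail with ASN1_OVERRUN, so the test relies on the decoder leaving `var` either NULL or pointing at a live object. Nothing in the visible lines assigns `var` before the call, and the preceding decode_run was handed krb5_free_ap_rep_enc_part as its cleanup routine, so it may already have released whatever `var` pointed to. Adding `var = NULL;` just before `retval = decode_krb5_ap_rep_enc_part(&code, &var);` would make the test independent of the decoder's error-path behaviour. The body of main starts outside the hunk, so the declaration of `var` cannot be checked from here.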