Magellan Linux

Annotation of /trunk/cyrus-sasl/patches/cyrus-sasl-2.1.26-CVE-2013-4122.patch



Revision 2412 - (hide annotations) (download)
Mon Mar 3 14:45:58 2014 UTC (10 years, 3 months ago) by niro
File size: 3836 byte(s)
-patches for cyrus-sasl-2.1.26
1 niro 2412 From dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d Mon Sep 17 00:00:00 2001
2     From: mancha <mancha1@hush.com>
3     Date: Thu, 11 Jul 2013 09:08:07 +0000
4     Subject: Handle NULL returns from glibc 2.17+ crypt()
5    
6     Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
7     (w/ NULL return) if the salt violates specifications. Additionally,
8     on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords
9     passed to crypt() fail with EPERM (w/ NULL return).
10    
11     When using glibc's crypt(), check return value to avoid a possible
12     NULL pointer dereference.
13    
14     Patch by mancha1@hush.com.
15     ---
16     diff --git a/pwcheck/pwcheck_getpwnam.c b/pwcheck/pwcheck_getpwnam.c
17     index 4b34222..400289c 100644
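--- a/pwcheck/pwcheck_getpwnam.c
+++ b/pwcheck/pwcheck_getpwnam.c
@@ -32,6 +32,7 @@ char *userid;
 char *password;
 {
 char* r;
+ char* crpt_passwd;
 struct passwd *pwd;
 
 pwd = getpwnam(userid);
@@ -41,7 +42,7 @@ char *password;
 else if (pwd->pw_passwd[0] == '*') {
 r = "Account disabled";
 }
- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
+ else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) {
 r = "Incorrect password";
 }
 else {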
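Review bot: The new `else if` on the crypt() line packs an assignment, a negation and a redundant cast into one condition, and nothing in the code records why a NULL return is treated as a mismatch. The `(const char *)` cast can be dropped, since `char *` converts implicitly: `strcmp(pwd->pw_passwd, crpt_passwd) != 0`. A comment above the chain such as `/* crypt() returns NULL on a bad salt or a FIPS-disallowed hash (glibc 2.17+); fail closed */` would keep a later clean-up from removing the check. The same cast appears in the new lines of pwcheck_getspnam.c, auth_getpwent.c and auth_shadow.c. The function body starts and ends outside the hunks.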
37     diff --git a/pwcheck/pwcheck_getspnam.c b/pwcheck/pwcheck_getspnam.c
38     index 2b11286..6d607bb 100644
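--- a/pwcheck/pwcheck_getspnam.c
+++ b/pwcheck/pwcheck_getspnam.c
@@ -32,13 +32,15 @@ char *userid;
 char *password;
 {
 struct spwd *pwd;
+ char *crpt_passwd;
 
 pwd = getspnam(userid);
 if (!pwd) {
 return "Userid not found";
 }
 
- if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) {
+ crpt_passwd = crypt(password, pwd->sp_pwdp);
+ if (!crpt_passwd || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) {
 return "Incorrect password";
 }
 else {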
58     diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c
59     index fc8029d..d4ebe54 100644
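--- a/saslauthd/auth_getpwent.c
+++ b/saslauthd/auth_getpwent.c
@@ -77,6 +77,7 @@ auth_getpwent (
 {
 /* VARIABLES */
 struct passwd *pw; /* pointer to passwd file entry */
+ char *crpt_passwd; /* encrypted password */
 int errnum;
 /* END VARIABLES */
 
@@ -105,7 +106,8 @@ auth_getpwent (
 }
 }
 
- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
+ crpt_passwd = crypt(password, pw->pw_passwd);
+ if (!crpt_passwd || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) {
 if (flags & VERBOSE) {
 syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
 }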
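Review bot: A NULL return from crypt() is logged under VERBOSE as "invalid password", exactly like a genuine mismatch, so a salt rejected with EINVAL or a FIPS EPERM failure looks to the operator like users mistyping passwords. Treating both cases as a failed login is fine, but the debug line should tell them apart, e.g. `if (!crpt_passwd) syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: crypt() failed: %m", login);` ahead of the mismatch message. That call has to come directly after the crypt() check so that errno is still the value crypt() set. auth_getpwent's body continues outside the hunks.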
80     diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c
81     index 677131b..1988afd 100644
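--- a/saslauthd/auth_shadow.c
+++ b/saslauthd/auth_shadow.c
@@ -210,8 +210,8 @@ auth_shadow (
 RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
 }
 
- cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
- if (strcmp(sp->sp_pwdp, cpw)) {
+ cpw = crypt(password, sp->sp_pwdp);
+ if (!cpw || strcmp(sp->sp_pwdp, (const char *)cpw)) {
 if (flags & VERBOSE) {
 /*
 * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
@@ -221,10 +221,8 @@ auth_shadow (
 syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
 sp->sp_pwdp, cpw);
 }
- free(cpw);
 RETURN("NO Incorrect password");
 }
- free(cpw);
 
 /*
 * The following fields will be set to -1 if:
@@ -286,7 +284,7 @@ auth_shadow (
 RETURN("NO Invalid username");
 }
 
- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
+ if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) {
 if (flags & VERBOSE) {
 syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
 password, upw->upw_passwd);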
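Review bot: When crypt() returns NULL, the new `!cpw` test in the first hunk sends control into the mismatch branch, and with VERBOSE set the unchanged `syslog(..., sp->sp_pwdp, cpw)` call in the second hunk then passes a NULL pointer to `%s`. That is undefined behaviour: glibc prints "(null)", but other C libraries may fault, so the NULL dereference this patch removes can reappear in the debug path. Guard the argument, e.g. `sp->sp_pwdp, cpw ? cpw : "(crypt failed)"`, or log the crypt() failure on its own line. These debug messages also write the stored hash to syslog, and the one in the last hunk writes the cleartext `password`; that predates this patch but is worth removing while the code is being touched. auth_shadow's body continues outside the hunks.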
115     --
116     cgit v0.9.2