Contents of /trunk/cyrus-sasl/patches/cyrus-sasl-2.1.26-CVE-2013-4122.patch
Revision 2412 -
Mon Mar 3 14:45:58 2014 UTC (10 years, 6 months ago) by niro
File size: 3836 byte(s)
-patches for cyrus-sasl-2.1.26
1 | From dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d Mon Sep 17 00:00:00 2001 |
2 | From: mancha <mancha1@hush.com> |
3 | Date: Thu, 11 Jul 2013 09:08:07 +0000 |
4 | Subject: Handle NULL returns from glibc 2.17+ crypt() |
5 | |
6 | Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL |
7 | (w/ NULL return) if the salt violates specifications. Additionally, |
8 | on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords |
9 | passed to crypt() fail with EPERM (w/ NULL return). |
10 | |
11 | When using glibc's crypt(), check return value to avoid a possible |
12 | NULL pointer dereference. |
13 | |
14 | Patch by mancha1@hush.com. |
15 | --- |
16 | diff --git a/pwcheck/pwcheck_getpwnam.c b/pwcheck/pwcheck_getpwnam.c |
17 | index 4b34222..400289c 100644 |
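--- a/pwcheck/pwcheck_getpwnam.c
+++ b/pwcheck/pwcheck_getpwnam.c
@@ -32,6 +32,7 @@ char *userid;
 char *password;
 {
 char* r;
+char* crpt_passwd;
 struct passwd *pwd;
 
 pwd = getpwnam(userid);
@@ -41,7 +42,7 @@ char *password;
 else if (pwd->pw_passwd[0] == '*') {
 r = "Account disabled";
 }
-else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
+else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) {
 r = "Incorrect password";
 }
 else {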
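Review bot: The rewritten `else if` treats a NULL return from crypt() as "Incorrect password", but nothing at that line explains why the NULL test is there, and the assignment buried in the condition makes it easy to overlook. A comment above the branch such as `/* crypt() returns NULL on a bad salt or a refused hash type (glibc 2.17+, FIPS mode); fail closed */` would stop a later cleanup from folding the call back into strcmp(). The `(const char *)` cast on `crpt_passwd` is not needed for strcmp() and can be dropped. Both remarks apply equally to the matching lines in pwcheck_getspnam.c, auth_getpwent.c and auth_shadow.c. The function body starts and ends outside the hunks shown.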
37 | diff --git a/pwcheck/pwcheck_getspnam.c b/pwcheck/pwcheck_getspnam.c |
38 | index 2b11286..6d607bb 100644 |
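--- a/pwcheck/pwcheck_getspnam.c
+++ b/pwcheck/pwcheck_getspnam.c
@@ -32,13 +32,15 @@ char *userid;
 char *password;
 {
 struct spwd *pwd;
+char *crpt_passwd;
 
 pwd = getspnam(userid);
 if (!pwd) {
 return "Userid not found";
 }
 
-if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) {
+crpt_passwd = crypt(password, pwd->sp_pwdp);
+if (!crpt_passwd || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) {
 return "Incorrect password";
 }
 else {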
58 | diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c |
59 | index fc8029d..d4ebe54 100644 |
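--- a/saslauthd/auth_getpwent.c
+++ b/saslauthd/auth_getpwent.c
@@ -77,6 +77,7 @@ auth_getpwent (
 {
 /* VARIABLES */
 struct passwd *pw; /* pointer to passwd file entry */
+char *crpt_passwd; /* encrypted password */
 int errnum;
 /* END VARIABLES */
 
@@ -105,7 +106,8 @@ auth_getpwent (
 }
 }
 
-if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
+crpt_passwd = crypt(password, pw->pw_passwd);
+if (!crpt_passwd || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) {
 if (flags & VERBOSE) {
 syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
 }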
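Review bot: A NULL return from crypt() is logged under VERBOSE as `invalid password`, the same text as a genuine mismatch. On a host where crypt() refuses the stored hash (a bad salt, or DES/MD5 under FIPS as the commit message describes), an operator therefore cannot tell a configuration fault from a wrong password. A separate diagnostic right after the crypt() call would make the failure visible, for example `if (!crpt_passwd) syslog(LOG_WARNING, "auth_getpwent: crypt() failed for %s: %m", login);`. The rest of the branch, including the value it returns, lies outside the hunk.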
80 | diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c |
81 | index 677131b..1988afd 100644 |
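--- a/saslauthd/auth_shadow.c
+++ b/saslauthd/auth_shadow.c
@@ -210,8 +210,8 @@ auth_shadow (
 RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
 }
 
-cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
-if (strcmp(sp->sp_pwdp, cpw)) {
+cpw = crypt(password, sp->sp_pwdp);
+if (!cpw || strcmp(sp->sp_pwdp, (const char *)cpw)) {
 if (flags & VERBOSE) {
 /*
 * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
@@ -221,10 +221,8 @@ auth_shadow (
 syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
 sp->sp_pwdp, cpw);
 }
-free(cpw);
 RETURN("NO Incorrect password");
 }
-free(cpw);
 
 /*
 * The following fields will be set to -1 if:
@@ -286,7 +284,7 @@ auth_shadow (
 RETURN("NO Invalid username");
 }
 
-if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
+if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) {
 if (flags & VERBOSE) {
 syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
 password, upw->upw_passwd);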
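Review bot: With the new `!cpw ||` test, a failed crypt() enters the mismatch branch with `cpw == NULL`, and under VERBOSE the first syslog() call then passes that NULL to a `%s` conversion (`sp->sp_pwdp, cpw`). That is undefined behaviour even where the C library happens to print "(null)"; guarding the argument fixes it, e.g. `sp->sp_pwdp, cpw ? cpw : "(crypt failed)");`. Separately, the debug message in the last hunk writes the cleartext `password` and the stored hash to syslog, and the first message writes both hashes; these lines would be safer logging neither value. The body of auth_shadow starts and ends outside the hunks shown.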
115 | -- |
116 | cgit v0.9.2 |