cyrus-sasl/patches/cyrus-sasl-2.1.26-CVE-2013-4122.patch

From dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Thu, 11 Jul 2013 09:08:07 +0000
Subject: Handle NULL returns from glibc 2.17+ crypt()

Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
(w/ NULL return) if the salt violates specifications. Additionally,
on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords
passed to crypt() fail with EPERM (w/ NULL return).

When using glibc's crypt(), check return value to avoid a possible
NULL pointer dereference.

Patch by mancha1@hush.com.
---
diff --git a/pwcheck/pwcheck_getpwnam.c b/pwcheck/pwcheck_getpwnam.c
index 4b34222..400289c 100644
--- a/pwcheck/pwcheck_getpwnam.c
+++ b/pwcheck/pwcheck_getpwnam.c
@@ -32,6 +32,7 @@ char *userid;
 char *password;
 {
     char* r;
+    char* crpt_passwd;
     struct passwd *pwd;
 
     pwd = getpwnam(userid);
@@ -41,7 +42,7 @@ char *password;
     else if (pwd->pw_passwd[0] == '*') {
 	r = "Account disabled";
     }
-    else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
+    else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) || strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) {
 	r = "Incorrect password";
     }
     else {
diff --git a/pwcheck/pwcheck_getspnam.c b/pwcheck/pwcheck_getspnam.c
index 2b11286..6d607bb 100644
--- a/pwcheck/pwcheck_getspnam.c
+++ b/pwcheck/pwcheck_getspnam.c
@@ -32,13 +32,15 @@ char *userid;
 char *password;
 {
     struct spwd *pwd;
+    char *crpt_passwd;
 
     pwd = getspnam(userid);
     if (!pwd) {
 	return "Userid not found";
     }
     
-    if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) {
+    crpt_passwd = crypt(password, pwd->sp_pwdp);
+    if (!crpt_passwd || strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) {
 	return "Incorrect password";
     }
     else {
diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c
index fc8029d..d4ebe54 100644
--- a/saslauthd/auth_getpwent.c
+++ b/saslauthd/auth_getpwent.c
@@ -77,6 +77,7 @@ auth_getpwent (
 {
     /* VARIABLES */
     struct passwd *pw;			/* pointer to passwd file entry */
+    char *crpt_passwd;			/* encrypted password */
     int errnum;
     /* END VARIABLES */
   
@@ -105,7 +106,8 @@ auth_getpwent (
 	}
     }
 
-    if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
+    crpt_passwd = crypt(password, pw->pw_passwd);
+    if (!crpt_passwd || strcmp(pw->pw_passwd, (const char *)crpt_passwd)) {
 	if (flags & VERBOSE) {
 	    syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
 	}
diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c
index 677131b..1988afd 100644
--- a/saslauthd/auth_shadow.c
+++ b/saslauthd/auth_shadow.c
@@ -210,8 +210,8 @@ auth_shadow (
 	RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
     }
 
-    cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
-    if (strcmp(sp->sp_pwdp, cpw)) {
+    cpw = crypt(password, sp->sp_pwdp);
+    if (!cpw || strcmp(sp->sp_pwdp, (const char *)cpw)) {
 	if (flags & VERBOSE) {
 	    /*
 	     * This _should_ reveal the SHADOW_PW_LOCKED prefix to an
@@ -221,10 +221,8 @@ auth_shadow (
 	    syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
 		   sp->sp_pwdp, cpw);
 	}
-	free(cpw);
 	RETURN("NO Incorrect password");
     }
-    free(cpw);
 
     /*
      * The following fields will be set to -1 if:
@@ -286,7 +284,7 @@ auth_shadow (
 	RETURN("NO Invalid username");
     }
   
-    if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
+    if (!(cpw = crypt(password, upw->upw_passwd)) || (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) {
 	if (flags & VERBOSE) {
 	    syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
 		   password, upw->upw_passwd);
--
cgit v0.9.2
1	From dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d Mon Sep 17 00:00:00 2001
2	From: mancha <mancha1@hush.com>
3	Date: Thu, 11 Jul 2013 09:08:07 +0000
4	Subject: Handle NULL returns from glibc 2.17+ crypt()
5
6	Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
7	(w/ NULL return) if the salt violates specifications. Additionally,
8	on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords
9	passed to crypt() fail with EPERM (w/ NULL return).
10
11	When using glibc's crypt(), check return value to avoid a possible
12	NULL pointer dereference.
13
14	Patch by mancha1@hush.com.
15	---
16	diff --git a/pwcheck/pwcheck_getpwnam.c b/pwcheck/pwcheck_getpwnam.c
17	index 4b34222..400289c 100644
18	--- a/pwcheck/pwcheck_getpwnam.c
19	+++ b/pwcheck/pwcheck_getpwnam.c
20	@@ -32,6 +32,7 @@ char *userid;
21	char *password;
22	{
23	char* r;
24	+ char* crpt_passwd;
25	struct passwd *pwd;
26
27	pwd = getpwnam(userid);
28	@@ -41,7 +42,7 @@ char *password;
29	else if (pwd->pw_passwd[0] == '*') {
30	r = "Account disabled";
31	}
32	- else if (strcmp(pwd->pw_passwd, crypt(password, pwd->pw_passwd)) != 0) {
33	+ else if (!(crpt_passwd = crypt(password, pwd->pw_passwd)) \|\| strcmp(pwd->pw_passwd, (const char *)crpt_passwd) != 0) {
34	r = "Incorrect password";
35	}
36	else {
37	diff --git a/pwcheck/pwcheck_getspnam.c b/pwcheck/pwcheck_getspnam.c
38	index 2b11286..6d607bb 100644
39	--- a/pwcheck/pwcheck_getspnam.c
40	+++ b/pwcheck/pwcheck_getspnam.c
41	@@ -32,13 +32,15 @@ char *userid;
42	char *password;
43	{
44	struct spwd *pwd;
45	+ char *crpt_passwd;
46
47	pwd = getspnam(userid);
48	if (!pwd) {
49	return "Userid not found";
50	}
51
52	- if (strcmp(pwd->sp_pwdp, crypt(password, pwd->sp_pwdp)) != 0) {
53	+ crpt_passwd = crypt(password, pwd->sp_pwdp);
54	+ if (!crpt_passwd \|\| strcmp(pwd->sp_pwdp, (const char *)crpt_passwd) != 0) {
55	return "Incorrect password";
56	}
57	else {
58	diff --git a/saslauthd/auth_getpwent.c b/saslauthd/auth_getpwent.c
59	index fc8029d..d4ebe54 100644
60	--- a/saslauthd/auth_getpwent.c
61	+++ b/saslauthd/auth_getpwent.c
62	@@ -77,6 +77,7 @@ auth_getpwent (
63	{
64	/* VARIABLES */
65	struct passwd pw; / pointer to passwd file entry */
66	+ char crpt_passwd; / encrypted password */
67	int errnum;
68	/* END VARIABLES */
69
70	@@ -105,7 +106,8 @@ auth_getpwent (
71	}
72	}
73
74	- if (strcmp(pw->pw_passwd, (const char *)crypt(password, pw->pw_passwd))) {
75	+ crpt_passwd = crypt(password, pw->pw_passwd);
76	+ if (!crpt_passwd \|\| strcmp(pw->pw_passwd, (const char *)crpt_passwd)) {
77	if (flags & VERBOSE) {
78	syslog(LOG_DEBUG, "DEBUG: auth_getpwent: %s: invalid password", login);
79	}
80	diff --git a/saslauthd/auth_shadow.c b/saslauthd/auth_shadow.c
81	index 677131b..1988afd 100644
82	--- a/saslauthd/auth_shadow.c
83	+++ b/saslauthd/auth_shadow.c
84	@@ -210,8 +210,8 @@ auth_shadow (
85	RETURN("NO Insufficient permission to access NIS authentication database (saslauthd)");
86	}
87
88	- cpw = strdup((const char *)crypt(password, sp->sp_pwdp));
89	- if (strcmp(sp->sp_pwdp, cpw)) {
90	+ cpw = crypt(password, sp->sp_pwdp);
91	+ if (!cpw \|\| strcmp(sp->sp_pwdp, (const char *)cpw)) {
92	if (flags & VERBOSE) {
93	/*
94	* This _should_ reveal the SHADOW_PW_LOCKED prefix to an
95	@@ -221,10 +221,8 @@ auth_shadow (
96	syslog(LOG_DEBUG, "DEBUG: auth_shadow: pw mismatch: '%s' != '%s'",
97	sp->sp_pwdp, cpw);
98	}
99	- free(cpw);
100	RETURN("NO Incorrect password");
101	}
102	- free(cpw);
103
104	/*
105	* The following fields will be set to -1 if:
106	@@ -286,7 +284,7 @@ auth_shadow (
107	RETURN("NO Invalid username");
108	}
109
110	- if (strcmp(upw->upw_passwd, crypt(password, upw->upw_passwd)) != 0) {
111	+ if (!(cpw = crypt(password, upw->upw_passwd)) \|\| (strcmp(upw->upw_passwd, (const char *)cpw) != 0)) {
112	if (flags & VERBOSE) {
113	syslog(LOG_DEBUG, "auth_shadow: pw mismatch: %s != %s",
114	password, upw->upw_passwd);
115	--
116	cgit v0.9.2