FreeBSD Bugzilla – Attachment 238354 Details for
Bug 267944
free() of uninitialized pointer from kadmind_dispatch() and ret_principal_ent()
[patch] The port patch
Description: The port patch
Filename: 0001-security-heimdal-Fix-uninitialized-pointer-dereferen.patch
MIME Type: text/plain
Size: 2.35 KB
Creator: Cy Schubert
Created: 2022-11-26 16:30:54 UTC
Flags: patch, obsolete
>From 0b5ea63ccbcccf7312d272b18b9e8d0271f9ba89 Mon Sep 17 00:00:00 2001 >From: Cy Schubert <cy@FreeBSD.org> >Date: Sat, 26 Nov 2022 08:27:08 -0800 >Subject: [PATCH] security/heimdal: Fix uninitialized pointer dereference > >krb5_ret_preincipal() returns a non-zero return code when >a garbage principal is passed to it. Unfortunately ret_principal_ent() >does not check the return code, with garbage pointing to what would >have been the principal. This results in a segfault when free() is >called. > >PR: 267944, 267972 >Reported by: Robert Morris <rtm@lcs.mit.edu> >MFH: 2022Q4 >--- > security/heimdal/Makefile | 2 +- > .../heimdal/files/patch-lib_kadm5_marshall.c | 31 +++++++++++++++++-- > 2 files changed, 30 insertions(+), 3 deletions(-) > >diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile >index adbb67229a1f..a7eea07a4215 100644 >--- a/security/heimdal/Makefile >+++ b/security/heimdal/Makefile >@@ -1,6 +1,6 @@ > PORTNAME= heimdal > PORTVERSION= 7.8.0 >-PORTREVISION= 6 >+PORTREVISION= 7 > CATEGORIES= security > MASTER_SITES= https://github.com/heimdal/heimdal/releases/download/${DISTNAME}/ > >diff --git a/security/heimdal/files/patch-lib_kadm5_marshall.c b/security/heimdal/files/patch-lib_kadm5_marshall.c >index d44311d5edbf..8e01bbe30354 100644 >--- a/security/heimdal/files/patch-lib_kadm5_marshall.c >+++ b/security/heimdal/files/patch-lib_kadm5_marshall.c 
>@@ -1,6 +1,33 @@ > --- lib/kadm5/marshall.c.orig 2022-09-15 16:54:19.000000000 -0700 >-+++ lib/kadm5/marshall.c 2022-11-24 08:47:40.099673000 -0800 >-@@ -407,10 +407,40 @@ >++++ lib/kadm5/marshall.c 2022-11-26 08:20:41.302104000 -0800 >+@@ -261,9 +261,9 @@ >+ int i; >+ int32_t tmp; >+ >+- if (mask & KADM5_PRINCIPAL) >+- krb5_ret_principal(sp, &princ->principal); >+- >++ if (mask & KADM5_PRINCIPAL) >++ if (krb5_ret_principal(sp, &princ->principal)) >++ return EINVAL; >+ if (mask & KADM5_PRINC_EXPIRE_TIME) { >+ krb5_ret_int32(sp, &tmp); >+ princ->princ_expire_time = tmp; >+@@ -282,9 +282,10 @@ >+ } >+ if (mask & KADM5_MOD_NAME) { >+ krb5_ret_int32(sp, &tmp); >+- if(tmp) >+- krb5_ret_principal(sp, &princ->mod_name); >+- else >++ if(tmp) { >++ if (krb5_ret_principal(sp, &princ->mod_name)) >++ return EINVAL; >++ } else >+ princ->mod_name = NULL; >+ } >+ if (mask & KADM5_MOD_TIME) { >+@@ -407,10 +408,40 @@ > ret = krb5_ret_int32(sp, &mask); > if (ret) > goto out; >-- >2.38.1 >
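Review bot: in the KADM5_PRINCIPAL hunk (`@@ -261,9 +261,9 @@`), returning EINVAL the moment krb5_ret_principal() fails leaves princ->principal exactly as uninitialized as before, since, per the commit message, the failing call never sets it; if the caller's error path frees the entry, the free() of a garbage pointer this patch is meant to stop is still reachable. Set the field before the call, e.g. `princ->principal = NULL;` ahead of `if (krb5_ret_principal(sp, &princ->principal))`, or zero the whole struct at function entry, so cleanup is safe whichever way the function returns. Two smaller points: the krb5_error_code from krb5_ret_principal() is discarded in favour of EINVAL, whereas the later hunk in the same file propagates the real code (`ret = krb5_ret_int32(sp, &mask); if (ret) goto out;`), so `ret = krb5_ret_principal(...); if (ret) return ret;` would be more consistent; and two brace-less `if`s nested on consecutive lines read as one condition at a glance, so braces on the outer `if` would help.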
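Review bot: the KADM5_MOD_NAME hunk (`@@ -282,9 +282,10 @@`) has the same gap as the KADM5_PRINCIPAL one: on failure princ->mod_name is left uninitialized while princ->principal, read a few lines earlier, has already been allocated, so the caller can only release the one and skip the other if every pointer field is well-defined at return. Assigning `princ->mod_name = NULL;` before the `if(tmp)` (the else branch already does this) makes the early `return EINVAL` safe, and the `{ ... } else` rewrite can then shrink back to the original shape. The surrounding `krb5_ret_int32(sp, &tmp);` calls remain unchecked as well; they only write into the stack int32 tmp, so they are not the crash this patch addresses, but they still silently accept a truncated stream.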
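Review bot: the commit message misspells the function as krb5_ret_preincipal(); the hunks call krb5_ret_principal(), and the log should match before the MFH so it stays greppable. The renumbered trailing header `@@ -407,10 +408,40 @@` is correct for the one net line the two new hunks add, and the PORTREVISION bump in the Makefile hunk is needed since the installed library changes.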