authorUlrich Müller <ulm@gentoo.org>2023-03-16 22:23:30 +0100
committerUlrich Müller <ulm@gentoo.org>2023-03-16 22:23:30 +0100
commitacaacf18749b4b2d89b89d56009262e40f53a76f (patch)
tree655942f1fc776f83fc2e9d42094107175c676d0f
parentmotif: Fix vulnerabilities in lib/Xm (diff)
skey: Fix length check in skeylogin.cHEADskey-1.1.5-patches-7master
Signed-off-by: Ulrich Müller <ulm@gentoo.org>
-rw-r--r--patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch24
1 files changed, 24 insertions, 0 deletions
diff --git a/patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch b/patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch
new file mode 100644
index 0000000..7db9d0e
--- /dev/null
+++ b/patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch
@@ -0,0 +1,24 @@
+From OpenBSD.
+
+Author: millert <millert@openbsd.org>
+Date: Wed, 15 Mar 2023 17:01:35 +0000
+
+ Fix the length check when computing a fake challenge for users not in
+ the S/Key database. If the system hostname is longer than 126 characters
+ this could result in NUL bytes being written past the end of a stack
+ buffer. There is no impact on systems with a hostname 126 characters or
+ less. Found by Qualys. OK deraadt@
+
+--- skey-1.1.5/skeylogin.c
++++ skey-1.1.5/skeylogin.c
+@@ -486,8 +486,8 @@
+ for (p = pbuf; *p && isalnum((u_char)*p); p++)
+ if (isalpha((u_char)*p) && isupper((u_char)*p))
+ *p = tolower((u_char)*p);
+- if (*p && pbuf - p < 4)
+- strncpy(p, "asjd", 4 - (pbuf - p));
++ if (*p && p - pbuf < 4)
++ strncpy(p, "asjd", 4 - (p - pbuf));
+ pbuf[4] = '\0';
+
+ /* Hash the username if possible */
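Review bot: The corrected lines `if (*p && p - pbuf < 4)` and `strncpy(p, "asjd", 4 - (p - pbuf));` still write the same pointer subtraction twice, and the operand order of that subtraction is exactly what the removed lines got wrong. Computing the count once keeps the bound and the copy length tied together, for example `size_t used = (size_t)(p - pbuf);` followed by `if (*p && used < 4) strncpy(p, "asjd", 4 - used);`. A comment such as `/* pad seed prefix to 4 chars; terminator is written below */` would record why an unterminated `strncpy` is acceptable here, since `pbuf[4] = '\0'` supplies the NUL. Because of the `*p &&` test, a hostname that ends after fewer than four alphanumeric characters appears to get no filler at all. That may be intended, but it should be confirmed against the rest of the function, which starts and ends outside this hunk.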