[mcrypt/f17] apply fix for CVE-2012-4409 (thanks to Raphael Geissert)
Tom Callaway
spot at fedoraproject.org
Fri Sep 7 15:34:45 UTC 2012
commit 72e15fda6b241546ddf7f64d7d111195c421b6b3
Author: Tom Callaway <spot at fedoraproject.org>
Date: Fri Sep 7 11:35:22 2012 -0400
apply fix for CVE-2012-4409 (thanks to Raphael Geissert)
mcrypt-CVE-2012-4409.patch | 12 ++++++++++++
mcrypt.spec | 10 +++++++++-
2 files changed, 21 insertions(+), 1 deletions(-)
---
diff --git a/mcrypt-CVE-2012-4409.patch b/mcrypt-CVE-2012-4409.patch
new file mode 100644
index 0000000..747f428
--- /dev/null
+++ b/mcrypt-CVE-2012-4409.patch
@@ -0,0 +1,12 @@
+diff -up mcrypt-2.6.8/src/extra.c.CVE-2012-4409 mcrypt-2.6.8/src/extra.c
+--- mcrypt-2.6.8/src/extra.c.CVE-2012-4409 2012-09-07 11:00:55.906870746 -0400
++++ mcrypt-2.6.8/src/extra.c 2012-09-07 11:00:27.967858365 -0400
+@@ -242,6 +242,8 @@ int check_file_head(FILE * fstream, char
+ if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
+ *salt_size = m_setbit(0, sflag, 0);
+ if (*salt_size > 0) {
++ if (*salt_size > sizeof(tmp_buf))
++ err_quit(_("Salt is too long\n"));
+ fread(tmp_buf, 1, *salt_size,
+ fstream);
+ memmove(salt, tmp_buf, *salt_size);
diff --git a/mcrypt.spec b/mcrypt.spec
index 6cbe542..57561ba 100644
--- a/mcrypt.spec
+++ b/mcrypt.spec
@@ -1,6 +1,6 @@
Name: mcrypt
Version: 2.6.8
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv3+
Group: Applications/System
Summary: Replacement for crypt()
@@ -22,6 +22,10 @@ Patch3: mcrypt-2.6.7-native-by-default.patch
# Upstream:
# https://sourceforge.net/tracker/index.php?func=detail&aid=3559099&group_id=87941&atid=584893
Patch4: mcrypt-2.6.8-manpage-typofixes.patch
+# Fix for CVE-2012-4409
+# https://bugzilla.redhat.com/show_bug.cgi?id=855029
+Patch5: mcrypt-CVE-2012-4409.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: libmcrypt-devel, mhash-devel, gettext, zlib-devel
@@ -38,6 +42,7 @@ to encrypt files or data streams without having to be cryptographers.
%patch2 -p1 -b .gaafix
%patch3 -p1 -b .native_by_default
%patch4 -p1 -b .typos
+%patch5 -p1 -b .CVE-2012-4409
%build
%configure
@@ -59,6 +64,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/*
%changelog
+* Fri Sep 7 2012 Tom Callaway <spot at fedoraproject.org> - 2.6.8-8
+- apply fix for CVE-2012-4409 (thanks to Raphael Geissert)
+
* Fri Aug 17 2012 Tom Callaway <spot at fedoraproject.org> - 2.6.8-7
- fix typos in manpage
More information about the scm-commits
mailing list