[elinks] Resolves: #891566 - do not delegate GSSAPI credentials (CVE-2012-4545)

Kamil Dudka kdudka at fedoraproject.org
Fri Jan 4 12:52:23 UTC 2013


commit 9a8b4ef04f750dccbbdb4203e0fd8af2ed3d61c4
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Mon Oct 29 16:34:48 2012 +0100

    Resolves: #891566 - do not delegate GSSAPI credentials (CVE-2012-4545)

 elinks-CVE-2012-4545.patch |   82 ++++++++++++++++++++++++++++++++++++++++++++
 elinks.spec                |    9 ++++-
 2 files changed, 90 insertions(+), 1 deletions(-)
---
diff --git a/elinks-CVE-2012-4545.patch b/elinks-CVE-2012-4545.patch
new file mode 100644
index 0000000..2c872d6
--- /dev/null
+++ b/elinks-CVE-2012-4545.patch
@@ -0,0 +1,82 @@
+From ab8adc351765d28754ba2b8361e7cd9041ecabda Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Tue, 9 Oct 2012 13:01:56 +0200
+Subject: [PATCH 1/2] http_negotiate: do not delegate GSSAPI credentials
+
+CVE-2012-4545.  Reported by Marko Myllynen.
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ src/protocol/http/http_negotiate.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c
+index 470b071..271b443 100644
+--- a/src/protocol/http/http_negotiate.c
++++ b/src/protocol/http/http_negotiate.c
+@@ -188,7 +188,7 @@ http_negotiate_create_context(struct negotiate *neg)
+ 					    &neg->context,
+ 					    neg->server_name,
+ 					    GSS_C_NO_OID,
+-					    GSS_C_DELEG_FLAG,
++					    0,
+ 					    0,
+ 					    GSS_C_NO_CHANNEL_BINDINGS,
+ 					    &neg->input_token,
+-- 
+1.7.1
+
+
+From a3477c8f3a4793202cfe1b2a8722b31ad48f15d8 Mon Sep 17 00:00:00 2001
+From: Kalle Olavi Niemitalo <kon at iki.fi>
+Date: Fri, 26 Oct 2012 15:20:32 +0300
+Subject: [PATCH 2/2] http_negotiate: Fix int* vs. size_t* type mismatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+http_negotiate_parse_data passed &token->length as the int *outlen
+parameter of base64_decode_bin, which stores an int at that location.
+However, gss_buffer_desc::length is size_t in all implementations that
+I checked: MIT Kerberos Version 5 Release 1.10, libgssglue 0.4, and
+GNU GSS 1.0.2.  This mismatch could cause the build to fail:
+
+.../src/protocol/http/http_negotiate.c: In function ‘http_negotiate_parse_data’:
+.../src/protocol/http/http_negotiate.c:173:2: error: passing argument 3 of ‘base64_decode_bin’ from incompatible pointer type [-Werror]
+In file included from .../src/protocol/http/http_negotiate.c:30:0:
+.../src/util/base64.h:8:16: note: expected ‘int *’ but argument is of type ‘size_t *’
+
+On 64-bit big-endian hosts, it might also cause the GSSAPI
+implementation to read too much data from memory and disclose it to
+some network server, or crash ELinks.
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ src/protocol/http/http_negotiate.c |    4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c
+index 271b443..aa0f755 100644
+--- a/src/protocol/http/http_negotiate.c
++++ b/src/protocol/http/http_negotiate.c
+@@ -142,6 +142,7 @@ http_negotiate_parse_data(unsigned char *data, int type,
+ {
+ 	int len = 0;
+ 	unsigned char *end;
++	int bytelen = 0;
+ 
+ 	if (data == NULL || *data == '\0')
+ 		return 0;
+@@ -170,7 +171,8 @@ http_negotiate_parse_data(unsigned char *data, int type,
+ 	if (!len)
+ 		return 0;
+ 
+-	token->value = (void *) base64_decode_bin(data, len, &token->length);
++	token->value = (void *) base64_decode_bin(data, len, &bytelen);
++	token->length = bytelen; /* convert int to size_t */
+ 
+ 	if (!token->value)
+ 		return -1;
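Review bot: `token->length = bytelen;` runs before the `if (!token->value) return -1;` check and converts an int to size_t with no sign check, so a negative bytelen would become an enormous length instead of an error; move the assignment below the NULL check and guard it, e.g. `if (!token->value || bytelen < 0) return -1;` followed by `token->length = (size_t) bytelen;`. Whether base64_decode_bin can store a negative count is not visible in this hunk, but an unchecked cast is exactly where the over-long length this patch sets out to prevent would come back.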
+-- 
+1.7.1
+
diff --git a/elinks.spec b/elinks.spec
index f70b9c5..d06d131 100644
--- a/elinks.spec
+++ b/elinks.spec
@@ -1,7 +1,7 @@
 Name:      elinks
 Summary:   A text-mode Web browser
 Version:   0.12
-Release:   0.31.pre5%{?dist}
+Release:   0.32.pre5%{?dist}
 License:   GPLv2
 URL:       http://elinks.or.cz
 Group:     Applications/Internet
@@ -40,6 +40,7 @@ Patch9: elinks-nss.patch
 Patch10: elinks-nss-inc.patch
 Patch11: elinks-0.12pre5-js185.patch
 Patch12: elinks-0.12pre5-ddg-search.patch
+Patch13: elinks-CVE-2012-4545.patch
 
 %description
 Elinks is a text-based Web browser. Elinks does not display any images,
@@ -86,6 +87,9 @@ quickly and swiftly displays Web pages.
 # add default "ddg" dumb/smart rewrite prefixes for DuckDuckGo (#856348)
 %patch12 -p1
 
+# CVE-2012-4545
+%patch13 -p1
+
 # remove bogus serial numbers
 sed -i 's/^# *serial [AM0-9]*$//' acinclude.m4 config/m4/*.m4
 
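Review bot: the comment above `%patch13 -p1` names only the CVE, while elinks-CVE-2012-4545.patch bundles a second, unrelated commit (the int* vs. size_t* build fix in http_negotiate_parse_data); either say so in the comment or carry that fix as its own patch, so that a later rebase that drops the CVE backport does not silently drop the build fix with it.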
@@ -153,6 +157,9 @@ exit 0
 %{_mandir}/man5/*
 
 %changelog
+* Fri Jan 04 2013 Kamil Dudka <kdudka at redhat.com> - 0.12-0.32.pre5
+- do not delegate GSSAPI credentials (CVE-2012-4545)
+
 * Mon Oct 08 2012 Kamil Dudka <kdudka at redhat.com> - 0.12-0.31.pre5
 - add default "ddg" dumb/smart rewrite prefixes for DuckDuckGo (#856348)
 
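Review bot: the new changelog entry cites CVE-2012-4545 but not the bug it resolves (#891566), although the commit title carries it and the previous entry follows the `(#856348)` convention; it should also mention the bundled int*/size_t* fix, since this entry is the only user-visible record of what changed between 0.31.pre5 and 0.32.pre5.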
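The second patch's commit message says that storing an int through a pointer to a size_t is harmless on little-endian hosts but hands the GSSAPI library a huge length on 64-bit big-endian ones. The following program is an added example written for this review, not ELinks code and not the base64 decoder it patches: store_int_through_pointer() is a stand-in for the decoder's `int *outlen` store (done with memcpy so the demonstration itself is well defined), buggy_length() and fixed_length() model the call site before and after the patch, and predicted_buggy_length() states what the byte order of the host predicts. The negative-count guard in fixed_length() is an addition of this example, not something the patch does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ELinks code. base64_decode_bin() writes an int through
 * its `int *outlen` argument; before the patch the caller pointed that
 * argument at gss_buffer_desc::length, which is a size_t. This helper
 * reproduces that store: only sizeof(int) bytes of the target are written. */
static void store_int_through_pointer(void *outlen, int value)
{
    memcpy(outlen, &value, sizeof value);
}

/* Runtime byte-order probe: the first byte of 0x01020304 is 0x01 on
 * big-endian hosts and 0x04 on little-endian ones. */
static int host_is_big_endian(void)
{
    const uint32_t probe = 0x01020304u;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0x01;
}

/* Pre-patch pattern: the decoder's int lands in the first sizeof(int)
 * bytes of a size_t. On a little-endian 64-bit host those are the low
 * bytes, so the value survives; on a big-endian 64-bit host they are
 * the high bytes, so the length becomes (value << 32) and the GSSAPI
 * library would read far past the decoded token. */
size_t buggy_length(int decoded_len)
{
    size_t length = 0; /* the buffer descriptor is assumed zero-initialised */
    store_int_through_pointer(&length, decoded_len);
    return length;
}

/* Post-patch pattern: decode into an int, then convert. The sign check
 * is this example's own hardening, not part of the patch. */
size_t fixed_length(int decoded_len)
{
    int bytelen = 0;
    store_int_through_pointer(&bytelen, decoded_len);
    if (bytelen < 0)
        return 0; /* a negative count must not wrap into a huge size_t */
    return (size_t)bytelen;
}

/* What the byte order predicts buggy_length() will return. */
size_t predicted_buggy_length(int decoded_len)
{
    if (sizeof(size_t) == sizeof(int))
        return (size_t)(unsigned)decoded_len;      /* no mismatch on ILP32 */
    if (host_is_big_endian())
        return (size_t)(unsigned)decoded_len
               << (8 * (sizeof(size_t) - sizeof(int)));
    return (size_t)(unsigned)decoded_len;          /* survives by accident */
}

int main(void)
{
    int token_bytes = 37; /* constructed: length of an imaginary decoded token */

    printf("host: %s-endian, sizeof(size_t)=%zu sizeof(int)=%zu\n",
           host_is_big_endian() ? "big" : "little",
           sizeof(size_t), sizeof(int));
    printf("buggy  length for %d decoded bytes: %zu (predicted %zu)\n",
           token_bytes, buggy_length(token_bytes),
           predicted_buggy_length(token_bytes));
    printf("fixed  length for %d decoded bytes: %zu\n",
           token_bytes, fixed_length(token_bytes));
    return 0;
}
```

Run it on an x86-64 box and both lengths print 37; the same binary on a 64-bit big-endian host (s390x, ppc64) prints 37 for the fixed path and 158913789952 (37 << 32) for the buggy one, which is the memory over-read the commit message describes.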