Diffstat (limited to 'gnu/packages/patches/mit-krb5-CVE-2015-8629.patch')
-rw-r--r--gnu/packages/patches/mit-krb5-CVE-2015-8629.patch51
1 files changed, 0 insertions, 51 deletions
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
deleted file mode 100644
index a296d8cb1b..0000000000
--- a/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Copied from Fedora.
-http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-CVE-2015-8629.patch?h=f22
-
-From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Fri, 8 Jan 2016 12:45:25 -0500
-Subject: [PATCH 1/3] Verify decoded kadmin C strings [CVE-2015-8629]
-
-In xdr_nullstring(), check that the decoded string is terminated with
-a zero byte and does not contain any internal zero bytes.
-
-CVE-2015-8629:
-
-In all versions of MIT krb5, an authenticated attacker can cause
-kadmind to read beyond the end of allocated memory by sending a string
-without a terminating zero byte.  Information leakage may be possible
-for an attacker with permission to modify the database.
-
-    CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
-
-ticket: 8341 (new)
-target_version: 1.14-next
-target_version: 1.13-next
-tags: pullup
----
- src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
-index 2bef858..ba67084 100644
---- a/src/lib/kadm5/kadm_rpc_xdr.c
-+++ b/src/lib/kadm5/kadm_rpc_xdr.c
-@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
- 		    return FALSE;
- 	       }
- 	  }
--	  return (xdr_opaque(xdrs, *objp, size));
-+	  if (!xdr_opaque(xdrs, *objp, size))
-+		  return FALSE;
-+	  /* Check that the unmarshalled bytes are a C string. */
-+	  if ((*objp)[size - 1] != '\0')
-+		  return FALSE;
-+	  if (memchr(*objp, '\0', size - 1) != NULL)
-+		  return FALSE;
-+	  return TRUE;
- 
-      case XDR_ENCODE:
- 	  if (size != 0)
--- 
-2.7.0.rc3
-