Blame SOURCES/dovecot-2.3.8-CVE_2020_12673.patch

From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 18 May 2020 12:33:39 +0300
Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses
Add missing check for buffer length.
If this is not checked, it is possible to send message which
causes read past buffer bug.
Broken in c7480644202e5451fbed448508ea29a25cffc99c
---
 src/lib-ntlm/ntlm-message.c | 5 +++++
 1 file changed, 5 insertions(+)
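--- a/src/lib-ntlm/ntlm-message.c
+++ b/src/lib-ntlm/ntlm-message.c
@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
 	if (length == 0 && space == 0)
 		return TRUE;
 
+	if (length > data_size) {
+		*error = "buffer length out of bounds";
+		return FALSE;
+	}
+
 	if (offset >= data_size) {
 		*error = "buffer offset out of bounds";
 		return FALSE;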
-- 
2.11.0