Blame SOURCES/dovecot-2.3.8-CVE_2020_12673.patch

From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 18 May 2020 12:33:39 +0300
Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses
Add missing check for buffer length.
If this is not checked, it is possible to send a message which
causes a read past the end of the buffer.
Broken in c7480644202e5451fbed448508ea29a25cffc99c
---
 src/lib-ntlm/ntlm-message.c | 5 +++++
 1 file changed, 5 insertions(+)
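diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
index 160b9f918c..a29413b47e 100644
--- a/src/lib-ntlm/ntlm-message.c
+++ b/src/lib-ntlm/ntlm-message.c
@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
 	if (length == 0 && space == 0)
 		return 1;
 
+	if (length > data_size) {
+		*error = "buffer length out of bounds";
+		return 0;
+	}
+
 	if (offset >= data_size) {
 		*error = "buffer offset out of bounds";
 		return 0;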
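Review bot: The added `length > data_size` test and the following `offset >= data_size` test each bound one field on its own, so neither visible check ties them together: an offset close to the end of the data combined with a length of up to `data_size` passes both. ntlmssp_check_buffer starts and ends outside this hunk, so a later check may cover this, but if that check bounds the end with `space` rather than `length`, a caller that reads `length` bytes from `offset` can still run past the buffer. Consider making the guard `if (length > data_size || offset > data_size - length) {`, which cannot wrap because `length <= data_size` is tested first. A one-line comment above it, such as `/* offset, length and space are taken from the received message */`, would record why each field is validated separately.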
-- 
2.11.0