rpms / dovecot

Clone
Source Code
GIT

Blame SOURCES/dovecot-2.3.8-CVE_2020_12673.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   b62b43dbc2d2fe879f84f144095cc9241c660e73
  2.   SOURCES
  3.   dovecot-2.3.8-CVE_2020_12673.patch
Blob History Raw
b62b43 
From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001
b62b43 
From: Aki Tuomi <aki.tuomi@open-xchange.com>
b62b43 
Date: Mon, 18 May 2020 12:33:39 +0300
b62b43 
Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses
b62b43
b62b43 
Add missing check for buffer length.
b62b43
b62b43 
If this is not checked, it is possible to send message which
b62b43 
causes read past buffer bug.
b62b43
b62b43 
Broken in c7480644202e5451fbed448508ea29a25cffc99c
b62b43 
---
b62b43 
 src/lib-ntlm/ntlm-message.c | 5 +++++
b62b43 
 1 file changed, 5 insertions(+)
b62b43
b62b43 
diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
b62b43 
index 160b9f918c..a29413b47e 100644
b62b43 
--- a/src/lib-ntlm/ntlm-message.c
b62b43 
+++ b/src/lib-ntlm/ntlm-message.c
b62b43 
@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
b62b43 
 	if (length == 0 && space == 0)
b62b43 
 		return TRUE;
b62b43
b62b43 
+	if (length > data_size) {
b62b43 
+		*error = "buffer length out of bounds";
b62b43 
+		return FALSE;
b62b43 
+	}
b62b43 
+
b62b43 
 	if (offset >= data_size) {
b62b43 
 		*error = "buffer offset out of bounds";
b62b43 
 		return FALSE;
b62b43 
--
b62b43 
2.11.0
b62b43

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation