Blame SOURCES/dovecot-2.3.8-CVE_2020_12673.patch

From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 18 May 2020 12:33:39 +0300
Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses
Add missing check for buffer length.
If this is not checked, it is possible to send message which
causes read past buffer bug.
Broken in c7480644202e5451fbed448508ea29a25cffc99c
---
 src/lib-ntlm/ntlm-message.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
1d3134
index 160b9f918c..a29413b47e 100644
1d3134
--- a/src/lib-ntlm/ntlm-message.c
1d3134
+++ b/src/lib-ntlm/ntlm-message.c
1d3134
@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
1d3134
 	if (length == 0 && space == 0)
1d3134
 		return TRUE;
1d3134
 
1d3134
+	if (length > data_size) {
1d3134
+		*error = "buffer length out of bounds";
1d3134
+		return FALSE;
1d3134
+	}
1d3134
+
1d3134
 	if (offset >= data_size) {
1d3134
 		*error = "buffer offset out of bounds";
1d3134
 		return FALSE;
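Review bot: The added `length > data_size` test and the existing `offset >= data_size` test bound the two fields separately, so within this hunk nothing rejects a buffer whose `offset + length` extends past `data_size`. Unless a check further down ntlmssp_check_buffer (its body continues outside the hunk) already covers the end of the region, consider moving the length test after the offset test and comparing against the remaining space, `if (length > data_size - offset) {`, which cannot wrap once `offset < data_size` has been established. The hunk also does not show how `length` relates to `space`; if the later code bounds only `offset + space`, a message whose `length` exceeds `space` could still pass, so a short comment stating which field the readers of the buffer actually use would help. The patch touches a single file and adds no test; a regression case with an oversized length field would pin the fix.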
-- 
2.11.0