!5 [sync] PR-3: Fix CVE-2022-2469
From: @openeuler-sync-bot Reviewed-by: @starlet-dx Signed-off-by: @starlet-dx
098fd92922
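--- /dev/null
+++ b/CVE-2022-2469.patch
@@ -0,0 +1,28 @@
+From 796e4197f696261c1f872d7576371232330bcc30 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Fri, 15 Jul 2022 16:23:58 +0200
+Subject: [PATCH] GSSAPI server: Boundary check gss_wrap token (read OOB).
+
+Origin:
+https://gitlab.com/gsasl/gsasl/-/commit/796e4197f696261c1f872d7576371232330bcc30
+---
+gssapi/server.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/gssapi/server.c b/gssapi/server.c
+index 4a5dfd7..a93e454 100644
+--- a/gssapi/server.c
++++ b/gssapi/server.c
+@@ -225,6 +225,9 @@ _gsasl_gssapi_server_step (Gsasl_session * sctx,
+FALSE, and responds with the generated output_message. The
+client can then consider the server authenticated. */
+
++ if (bufdesc2.length < 4)
++ return GSASL_AUTHENTICATION_ERROR;
++
+if ((((char *) bufdesc2.value)[0] & GSASL_QOP_AUTH) == 0)
+{
+/* Integrity or privacy unsupported */
+--
+2.33.0
+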
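Review bot: The new early return at `+ if (bufdesc2.length < 4)` / `+ return GSASL_AUTHENTICATION_ERROR;` leaves bufdesc2 unreleased; bufdesc2 is presumably the buffer filled by gss_unwrap just before this hunk (the start of _gsasl_gssapi_server_step is outside it), and the sibling failure branch that follows (`/* Integrity or privacy unsupported */`) appears, from the upstream code this patch is taken from, to call gss_release_buffer before returning. The short-token path should do the same, `gss_release_buffer (&min_stat, &bufdesc2);` immediately before the return, where min_stat is the function's minor-status variable — confirm the name against the file. The bound itself is right: RFC 4752 defines the unwrapped token as one security-layer bitmask octet followed by three max-size octets, so anything under 4 bytes cannot be indexed safely, and since this is a vendored upstream patch the release belongs in a follow-up patch rather than an edit of this one. The function continues past the end of the hunk.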
@ -1,11 +1,12 @@
|
||||
Name: libgsasl
|
||||
Version: 1.10.0
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: GNU SASL library
|
||||
License: LGPLv2+
|
||||
URL: https://www.gnu.org/software/gsasl/
|
||||
Source0: https://ftp.gnu.org/gnu/gsasl/%{name}-%{version}.tar.gz
|
||||
Source1: https://ftp.gnu.org/gnu/gsasl/%{name}-%{version}.tar.gz.sig
|
||||
Patch0: CVE-2022-2469.patch
|
||||
BuildRequires: gcc krb5-devel libgcrypt-devel libidn-devel libntlm-devel pkgconfig
|
||||
%description
|
||||
The library includes support for the SASL framework
|
||||
@ -21,7 +22,7 @@ The %{name}-devel package contains libraries and header files for
|
||||
developing applications that use %{name}.
|
||||
|
||||
%prep
|
||||
%autosetup
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
%configure --disable-static --disable-rpath --with-gssapi-impl=mit
|
||||
@ -45,6 +46,9 @@ find %{buildroot} -name '*.la' -exec rm -f {} ';'
|
||||
%{_libdir}/pkgconfig/libgsasl.pc
|
||||
|
||||
%changelog
|
||||
* Wed Mar 27 2024 yaoxin <yao_xin001@hoperun.com> - 1.10.0-2
|
||||
- Fix CVE-2022-2469
|
||||
|
||||
* Fri Apr 28 2023 wangkai <13474090681@163.com> - 1.10.0-1
|
||||
- Update to 1.10.0
|
||||
|
||||
|
||||