author | Cy Schubert <cy@FreeBSD.org> | 2022-11-26 16:27:08 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2024-03-14 22:12:36 +0000 |
commit | f8c4316342857a4fa4a05c1cb6ab16992faddb69 (patch) | |
tree | 0a43dcc552a93577bf6e88fb0c1e0f463fdb28b0 | |
parent | 64f7f98bb61947a72001a84f06840c374b26628d (diff) | |
security/heimdal: Fix uninitialized pointer dereference
krb5_ret_principal() returns a non-zero return code when
a garbage principal is passed to it. Unfortunately ret_principal_ent()
does not check the return code, leaving the pointer that would have
held the principal pointing at garbage. This results in a segfault when
free() is called.
PR: 267944, 267972
Reported by: Robert Morris <rtm@lcs.mit.edu>
MFH: 2024Q1
-rw-r--r-- | security/heimdal/Makefile | 2 | ||||
-rw-r--r-- | security/heimdal/files/patch-lib_kadm5_marshall.c | 31 |
2 files changed, 30 insertions, 3 deletions
diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile
index cdef0c697067..3508ad2f8f0c 100644
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@@ -1,6 +1,6 @@
 PORTNAME= heimdal
 PORTVERSION= 7.8.0
-PORTREVISION= 7
+PORTREVISION= 8
 CATEGORIES= security
 MASTER_SITES= https://github.com/heimdal/heimdal/releases/download/${DISTNAME}/
diff --git a/security/heimdal/files/patch-lib_kadm5_marshall.c b/security/heimdal/files/patch-lib_kadm5_marshall.c
index d44311d5edbf..8e01bbe30354 100644
--- a/security/heimdal/files/patch-lib_kadm5_marshall.c
+++ b/security/heimdal/files/patch-lib_kadm5_marshall.c
@@ -1,6 +1,33 @@
 --- lib/kadm5/marshall.c.orig 2022-09-15 16:54:19.000000000 -0700
-+++ lib/kadm5/marshall.c 2022-11-24 08:47:40.099673000 -0800
-@@ -407,10 +407,40 @@
++++ lib/kadm5/marshall.c 2022-11-26 08:20:41.302104000 -0800
+@@ -261,9 +261,9 @@
+ int i;
+ int32_t tmp;
+ 
+- if (mask & KADM5_PRINCIPAL)
+- krb5_ret_principal(sp, &princ->principal);
+- 
++ if (mask & KADM5_PRINCIPAL)
++ if (krb5_ret_principal(sp, &princ->principal))
++ return EINVAL;
+ if (mask & KADM5_PRINC_EXPIRE_TIME) {
+ krb5_ret_int32(sp, &tmp);
+ princ->princ_expire_time = tmp;
+@@ -282,9 +282,10 @@
+ }
+ if (mask & KADM5_MOD_NAME) {
+ krb5_ret_int32(sp, &tmp);
+- if(tmp)
+- krb5_ret_principal(sp, &princ->mod_name);
+- else
++ if(tmp) {
++ if (krb5_ret_principal(sp, &princ->mod_name))
++ return EINVAL;
++ } else
+ princ->mod_name = NULL;
+ }
+ if (mask & KADM5_MOD_TIME) {
+@@ -407,10 +408,40 @@
 ret = krb5_ret_int32(sp, &mask);
 if (ret)
 goto out; |
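Review bot: The new checks cover only krb5_ret_principal(); the `krb5_ret_int32(sp, &tmp)` calls in the same function stay unchecked, and `tmp` is declared without an initializer (`int32_t tmp;` in the hunk), so on a truncated stream the `if(tmp)` in the KADM5_MOD_NAME branch may test an uninitialized value, assuming krb5_ret_int32() leaves its output untouched on failure. A minimal hardening is `int32_t tmp = 0;` together with checking each `krb5_ret_int32()` result the same way the principal reads are now checked. The nested unbraced `if (mask & KADM5_PRINCIPAL) if (...) return EINVAL;` would also read more safely braced, and returning the krb5 error code instead of a fixed EINVAL would preserve the cause for the caller. ret_principal_ent() starts and ends outside the hunk, so whether the caller frees a partially filled `princ` on the EINVAL path (which would require the entry to be zeroed beforehand) cannot be confirmed from here.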