Fri Dec 23 16:44:24 2011 UTC ()

Fix for CVE-2011-4862 from FreeBSD

When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.

This is a remote root exploit that is being actively exploited in the wild.


(tez)

diff -r1.3 -r1.4 pkgsrc/security/mit-krb5-appl/Makefile
diff -r1.3 -r1.4 pkgsrc/security/mit-krb5-appl/distinfo
diff -r0 -r1.1 pkgsrc/security/mit-krb5-appl/patches/patch-telnet_libtelnet_encrypt.c

--- pkgsrc/security/mit-krb5-appl/Makefile 2011/12/17 10:16:36 1.3
+++ pkgsrc/security/mit-krb5-appl/Makefile 2011/12/23 16:44:24 1.4

 @@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.3 2011/12/17 10:16:36 sbd Exp $
+# $NetBSD: Makefile,v 1.4 2011/12/23 16:44:24 tez Exp $
 DISTNAME=	krb5-appl-1.0.1
 PKGNAME=	mit-${DISTNAME}
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	security
 MASTER_SITES=	http://web.mit.edu/kerberos/dist/krb5-appl/1.0/
 DISTFILES=	${DISTNAME}-signed${EXTRACT_SUFX}
 EXTRACT_SUFX=	.tar
 PATCH_SITES=	http://web.mit.edu/kerberos/advisories/
 PATCHFILES=	2011-005-patch.txt
 MAINTAINER=	tez@NetBSD.org
 HOMEPAGE=	http://web.mit.edu/kerberos/
 COMMENT=	MIT Kerberos 5 authentication system applications

--- pkgsrc/security/mit-krb5-appl/distinfo 2011/12/18 18:05:13 1.3
+++ pkgsrc/security/mit-krb5-appl/distinfo 2011/12/23 16:44:24 1.4

 @@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.3 2011/12/18 18:05:13 dholland Exp $
+$NetBSD: distinfo,v 1.4 2011/12/23 16:44:24 tez Exp $
 SHA1 (2011-005-patch.txt) = 5e52a66b299407f54038fc287732160aabce51ff
 RMD160 (2011-005-patch.txt) = 780d9769e3b2661b927b26295f14a31dee314213
 Size (2011-005-patch.txt) = 2076 bytes
 SHA1 (krb5-appl-1.0.1-signed.tar) = 128662c9860f61a51c9bcaf1b6217467faa12324
 RMD160 (krb5-appl-1.0.1-signed.tar) = ca0668b623dcf4dc5a0699fa47d86660aac5544a
 Size (krb5-appl-1.0.1-signed.tar) = 645120 bytes
 SHA1 (patch-ab) = 4522fcdb396d2079ac6405926a64f907d94a2593
 SHA1 (patch-gssftp_ftp_cmds_c) = 24942a2bcfc0cb0ce3045da5468d315c5b1bfadb
 SHA1 (patch-telnet_libtelnet_encrypt.c) = 26e21d72c6f5bad4af2c733c2fe63fdc65a78bf2

$NetBSD: patch-telnet_libtelnet_encrypt.c,v 1.1 2011/12/23 16:44:24 tez Exp $

Fix for CVE-2011-4862 from FreeBSD

When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.

--- telnet/libtelnet/encrypt.c.orig	2011-12-23 10:14:18.191614600 -0600
+++ telnet/libtelnet/encrypt.c	2011-12-23 10:15:26.640275300 -0600
@@ -757,6 +757,9 @@
 	int dir = kp->dir;
 	register int ret = 0;
 
+	if (len > MAXKEYLEN)
+		len = MAXKEYLEN;
+
 	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
 		if (len == 0)
 			return;