Fix for CVE-2011-4862 from FreeBSD

When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. This is a remote root exploit that is being actively exploited in the wild.

diff -r1.3 -r1.4 pkgsrc/security/mit-krb5-appl/Makefile (tez)
@@ -1,18 +1,18 @@ | @@ -1,18 +1,18 @@ | |||
1 | # $NetBSD: Makefile,v 1.3 2011/12/17 10:16:36 sbd Exp $ | 1 | # $NetBSD: Makefile,v 1.4 2011/12/23 16:44:24 tez Exp $ | |
2 | 2 | |||
3 | DISTNAME= krb5-appl-1.0.1 | 3 | DISTNAME= krb5-appl-1.0.1 | |
4 | PKGNAME= mit-${DISTNAME} | 4 | PKGNAME= mit-${DISTNAME} | |
5 | PKGREVISION= 2 | 5 | PKGREVISION= 3 | |
6 | CATEGORIES= security | 6 | CATEGORIES= security | |
7 | MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5-appl/1.0/ | 7 | MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5-appl/1.0/ | |
8 | DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX} | 8 | DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX} | |
9 | EXTRACT_SUFX= .tar | 9 | EXTRACT_SUFX= .tar | |
10 | 10 | |||
11 | PATCH_SITES= http://web.mit.edu/kerberos/advisories/ | 11 | PATCH_SITES= http://web.mit.edu/kerberos/advisories/ | |
12 | 12 | |||
13 | PATCHFILES= 2011-005-patch.txt | 13 | PATCHFILES= 2011-005-patch.txt | |
14 | 14 | |||
15 | MAINTAINER= tez@NetBSD.org | 15 | MAINTAINER= tez@NetBSD.org | |
16 | HOMEPAGE= http://web.mit.edu/kerberos/ | 16 | HOMEPAGE= http://web.mit.edu/kerberos/ | |
17 | COMMENT= MIT Kerberos 5 authentication system applications | 17 | COMMENT= MIT Kerberos 5 authentication system applications | |
18 | 18 |
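Review bot: the PKGREVISION bump from 2 to 3 (line 5 of the hunk) is the right and only change needed here, since the fix ships as a file under patches/ rather than as an additional entry in PATCHFILES; without the bump, existing binary packages would not be rebuilt or flagged as outdated even though the installed telnetd is vulnerable.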
@@ -1,10 +1,11 @@ | @@ -1,10 +1,11 @@ | |||
1 | $NetBSD: distinfo,v 1.3 2011/12/18 18:05:13 dholland Exp $ | 1 | $NetBSD: distinfo,v 1.4 2011/12/23 16:44:24 tez Exp $ | |
2 | 2 | |||
3 | SHA1 (2011-005-patch.txt) = 5e52a66b299407f54038fc287732160aabce51ff | 3 | SHA1 (2011-005-patch.txt) = 5e52a66b299407f54038fc287732160aabce51ff | |
4 | RMD160 (2011-005-patch.txt) = 780d9769e3b2661b927b26295f14a31dee314213 | 4 | RMD160 (2011-005-patch.txt) = 780d9769e3b2661b927b26295f14a31dee314213 | |
5 | Size (2011-005-patch.txt) = 2076 bytes | 5 | Size (2011-005-patch.txt) = 2076 bytes | |
6 | SHA1 (krb5-appl-1.0.1-signed.tar) = 128662c9860f61a51c9bcaf1b6217467faa12324 | 6 | SHA1 (krb5-appl-1.0.1-signed.tar) = 128662c9860f61a51c9bcaf1b6217467faa12324 | |
7 | RMD160 (krb5-appl-1.0.1-signed.tar) = ca0668b623dcf4dc5a0699fa47d86660aac5544a | 7 | RMD160 (krb5-appl-1.0.1-signed.tar) = ca0668b623dcf4dc5a0699fa47d86660aac5544a | |
8 | Size (krb5-appl-1.0.1-signed.tar) = 645120 bytes | 8 | Size (krb5-appl-1.0.1-signed.tar) = 645120 bytes | |
9 | SHA1 (patch-ab) = 4522fcdb396d2079ac6405926a64f907d94a2593 | 9 | SHA1 (patch-ab) = 4522fcdb396d2079ac6405926a64f907d94a2593 | |
10 | SHA1 (patch-gssftp_ftp_cmds_c) = 24942a2bcfc0cb0ce3045da5468d315c5b1bfadb | 10 | SHA1 (patch-gssftp_ftp_cmds_c) = 24942a2bcfc0cb0ce3045da5468d315c5b1bfadb | |
11 | SHA1 (patch-telnet_libtelnet_encrypt.c) = 26e21d72c6f5bad4af2c733c2fe63fdc65a78bf2 |
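Review bot: the new SHA1 (patch-telnet_libtelnet_encrypt.c) line at the end of the hunk carries no RMD160 or Size entry, which matches the existing patch-ab and patch-gssftp_ftp_cmds_c lines (pkgsrc records only SHA1 for files under patches/), so the form is fine; what should be confirmed is that the checksum was regenerated after the patch file's $NetBSD$ header was finalized, because the recorded value covers the whole patch file including that header line, and a stale checksum makes the build refuse to apply the patch rather than silently skip it.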
$NetBSD: patch-telnet_libtelnet_encrypt.c,v 1.1 2011/12/23 16:44:24 tez Exp $
Fix for CVE-2011-4862 from FreeBSD
When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.
--- telnet/libtelnet/encrypt.c.orig 2011-12-23 10:14:18.191614600 -0600
+++ telnet/libtelnet/encrypt.c 2011-12-23 10:15:26.640275300 -0600
@@ -757,6 +757,9 @@
int dir = kp->dir;
register int ret = 0;
+ if (len > MAXKEYLEN)
+ len = MAXKEYLEN;
+
if (!(ep = (*kp->getcrypt)(*kp->modep))) {
if (len == 0)
return;
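Review bot: the clamp added at the top of the hunk silently truncates an oversized key id to MAXKEYLEN instead of rejecting it; a peer that sends more than MAXKEYLEN bytes is either broken or hostile, so bailing out (as the `if (len == 0) return;` a few lines down already does for the empty case) with a logged error would be safer than continuing with a truncated key. The check also bounds len only from above: if len is a signed int, as the surrounding `int dir` and `register int ret` declarations suggest is this file's style, a negative value passes the test, so either reject `len < 0` in the same condition or make the comparison unsigned. A one-line comment naming CVE-2011-4862 beside the check would also help whoever next reads this code.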
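To make the overflow path concrete, here is an added C model of the ENC_KEYID handling that the commit message and the patch header describe. It is illustration code written for this page, not code from the pkgsrc commit, FreeBSD, or krb5-appl. The telnet constants (IAC, SB, SE, option 38, suboption command 7) come from RFC 854 and RFC 2946; the MAXKEYLEN value of 64, the struct key_info layout and every function name here are assumptions. It decodes a key-id suboption off the wire (including IAC IAC escaping), then stores it two ways: the clamp the patch uses, and a stricter reject-on-oversize variant. The sample wire data is constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TELNET protocol constants (RFC 854 and RFC 2946). */
#define IAC 255
#define SB 250
#define SE 240
#define TELOPT_ENCRYPT 38
#define ENCRYPT_ENC_KEYID 7

/* libtelnet has its own MAXKEYLEN; 64 is an assumed value for this illustration. */
#define MAXKEYLEN 64

/* Simplified stand-in for libtelnet's per-direction key state (assumed layout). */
struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
};

/* Decode one ENCRYPT ENC_KEYID suboption from a raw telnet byte stream:
 *   IAC SB ENCRYPT ENC_KEYID <key id, any 0xFF byte sent as IAC IAC> IAC SE
 * Returns the unescaped key-id length written to out, or -1 if malformed or too big. */
static int decode_enc_keyid(const unsigned char *buf, size_t buflen,
                            unsigned char *out, size_t outcap)
{
    size_t i, n = 0;
    if (buflen < 6 || buf[0] != IAC || buf[1] != SB ||
        buf[2] != TELOPT_ENCRYPT || buf[3] != ENCRYPT_ENC_KEYID)
        return -1;
    for (i = 4; i < buflen; i++) {
        if (buf[i] == IAC) {
            if (i + 1 >= buflen) return -1;
            if (buf[i + 1] == SE) return (int)n;  /* IAC SE ends the suboption */
            if (buf[i + 1] != IAC) return -1;     /* only IAC IAC is legal inside SB..SE */
            i++;                                  /* IAC IAC is a literal 0xFF */
        }
        if (n >= outcap) return -1;               /* never write past the caller's buffer */
        out[n++] = buf[i];
    }
    return -1;                                    /* no IAC SE: truncated suboption */
}

/* What the patch does: clamp an oversized key id to MAXKEYLEN, then copy.
 * The unpatched code performed the same copy with no length check at all. */
static int keyid_store_clamped(struct key_info *kp, const unsigned char *keyid, int len)
{
    if (len < 0) return -1;                       /* a negative len must never reach memcpy */
    if (len > MAXKEYLEN) len = MAXKEYLEN;
    memcpy(kp->keyid, keyid, (size_t)len);
    kp->keylen = len;
    return len;
}

/* Stricter alternative: an oversized key id is a protocol error; reject it unchanged. */
static int keyid_store_strict(struct key_info *kp, const unsigned char *keyid, int len)
{
    if (len < 0 || len > MAXKEYLEN) return -1;
    memcpy(kp->keyid, keyid, (size_t)len);
    kp->keylen = len;
    return len;
}

/* Constructed wire data: an ENC_KEYID suboption with keylen copies of fill, 0xFF escaped. */
static int build_enc_keyid(unsigned char *buf, size_t bufcap, unsigned char fill, size_t keylen)
{
    size_t n = 0, k;
    if (bufcap < 6 + 2 * keylen) return -1;
    buf[n++] = IAC; buf[n++] = SB; buf[n++] = TELOPT_ENCRYPT; buf[n++] = ENCRYPT_ENC_KEYID;
    for (k = 0; k < keylen; k++) {
        buf[n++] = fill;
        if (fill == IAC) buf[n++] = IAC;
    }
    buf[n++] = IAC; buf[n++] = SE;
    return (int)n;
}

/* End to end: build a keylen-byte key id, decode it as the receiver would, then store it
 * strictly (strict != 0) or with the patch's clamp. Returns stored length or -1 if rejected. */
static int demo_store(size_t keylen, unsigned char fill, int strict)
{
    unsigned char wire[1024], tmp[512];
    struct key_info kp;
    int wirelen, len;
    memset(&kp, 0, sizeof kp);
    wirelen = build_enc_keyid(wire, sizeof wire, fill, keylen);
    if (wirelen < 0) return -1;
    len = decode_enc_keyid(wire, (size_t)wirelen, tmp, sizeof tmp);
    if (len < 0) return -1;
    return strict ? keyid_store_strict(&kp, tmp, len) : keyid_store_clamped(&kp, tmp, len);
}

int main(void)
{
    printf("16-byte key id, strict:   %d\n", demo_store(16, 0x41, 1));
    printf("16 x 0xFF escaped, strict: %d\n", demo_store(16, 0xFF, 1));
    printf("200-byte key id, strict:  %d\n", demo_store(200, 0x41, 1));
    printf("200-byte key id, clamped: %d\n", demo_store(200, 0x41, 0));
    return 0;
}
```

The decoder bounds its own output buffer independently of the key-id check, which is the point: the length that reaches the key store is fully attacker-controlled, so the store routine must enforce MAXKEYLEN itself rather than trust whatever the suboption parser handed it.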