diff options
Diffstat (limited to 'meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch')
-rw-r--r-- | meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch new file mode 100644 index 0000000000..6d64312211 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch @@ -0,0 +1,48 @@ +From 8fb508a25a6a47289c73e3f4339352a73a396eef Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 12 Oct 2022 13:57:33 +1300 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Pass correct length to + _gssapi_verify_pad() + +We later subtract 8 when calculating the length of the output message +buffer. If padlength is excessively high, this calculation can underflow +and result in a very large positive value. + +Now we properly constrain the value of padlength so underflow shouldn't +be possible. + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/unwrap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c +index fddb64bc53..bab30f4501 100644 +--- a/lib/gssapi/krb5/unwrap.c ++++ b/lib/gssapi/krb5/unwrap.c +@@ -124,7 +124,7 @@ unwrap_des + } else { + /* check pad */ + ret = _gssapi_verify_pad(input_message_buffer, +- input_message_buffer->length - len, ++ input_message_buffer->length - len - 8, + &padlength); + if (ret) + return ret; +@@ -289,7 +289,7 @@ unwrap_des3 + } else { + /* check pad */ + ret = _gssapi_verify_pad(input_message_buffer, +- input_message_buffer->length - len, ++ input_message_buffer->length - len - 8, + &padlength); + if (ret) + return ret; |