rpms/libtirpc/devel libtirpc-0.1.7-bufoverflow.patch, NONE, 1.1 libtirpc.spec, 1.21, 1.22

Steve Dickson (steved) fedora-extras-commits at redhat.com
Thu Jan 24 20:12:35 UTC 2008


Author: steved

Update of /cvs/pkgs/rpms/libtirpc/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17253

Modified Files:
	libtirpc.spec 
Added Files:
	libtirpc-0.1.7-bufoverflow.patch 
Log Message:
Protect from buffer overflow in the GSS code. (bz 362121)


libtirpc-0.1.7-bufoverflow.patch:

--- NEW FILE libtirpc-0.1.7-bufoverflow.patch ---
commit 3cf1a3ce1a409e647f9b8ca4497c26e6d066f293
Author: Steve Dickson <steved at redhat.com>
Date:   Thu Jan 24 15:01:22 2008 -0500

    Protect from buffer overflow in the GSS code.
    
    Signed-off-by: Steve Dickson <steved at redhat.com>

diff -up libtirpc-0.1.7/src/svc_auth_gss.c.orig libtirpc-0.1.7/src/svc_auth_gss.c
--- libtirpc-0.1.7/src/svc_auth_gss.c.orig	2008-01-24 14:41:21.000000000 -0500
+++ libtirpc-0.1.7/src/svc_auth_gss.c	2008-01-24 14:59:31.000000000 -0500
@@ -294,6 +294,15 @@ svcauth_gss_validate(struct svc_rpc_gss_
 	memset(rpchdr, 0, sizeof(rpchdr));
 
 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+	oa = &msg->rm_call.cb_cred;
+	if (oa->oa_length > MAX_AUTH_BYTES)
+		return (FALSE);
+	
+	/* 8 XDR units from the IXDR macro calls. */
+	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+			RNDUP(oa->oa_length)))
+		return (FALSE);
+
 	buf = (int32_t *)rpchdr;
 	IXDR_PUT_LONG(buf, msg->rm_xid);
 	IXDR_PUT_ENUM(buf, msg->rm_direction);
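Review bot: The two added guards only work in this order, and the code does not say so: the second comparison evaluates `RNDUP(oa->oa_length)` on a length that comes from the call message's credential, and if `oa_length` is an unsigned 32-bit field (its declaration is not in the hunk) that round-up can wrap for values near the maximum and make the sum look small. A comment above the first check would pin this, e.g. `/* Bound oa_length first so the RNDUP() arithmetic below cannot wrap. */`. The literal `8` must also stay equal to the number of IXDR_PUT_* calls that precede the credential body, one of which sits between this hunk and the next; a named constant defined beside those calls would keep the two from drifting apart. svcauth_gss_validate begins and ends outside the hunk, so the copy that these checks protect is not visible here.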
@@ -301,7 +310,6 @@ svcauth_gss_validate(struct svc_rpc_gss_
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
-	oa = &msg->rm_call.cb_cred;
 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
 	IXDR_PUT_LONG(buf, oa->oa_length);
 	if (oa->oa_length) {


Index: libtirpc.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libtirpc/devel/libtirpc.spec,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- libtirpc.spec	17 Dec 2007 19:44:33 -0000	1.21
+++ libtirpc.spec	24 Jan 2008 20:11:52 -0000	1.22
@@ -1,6 +1,6 @@
 Name:		   libtirpc
 Version:		0.1.7
-Release:		14%{?dist}
+Release:		15%{?dist}
 Summary:		Transport Independent RPC Library
 Group:		  	System Environment/Libraries
 License:		GPL
@@ -44,6 +44,7 @@
 Patch12: libtirpc-0.1.7-dgcall-iprecverr.patch
 Patch13: libtirpc-0.1.7-svc-rtaddr.patch
 Patch14: libtirpc-0.1.7-arm.patch
+Patch15: libtirpc-0.1.7-bufoverflow.patch
 
 Patch100: libtirpc-0.1.7-compile.patch
 
@@ -68,6 +69,7 @@
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 
 %patch100	-p1
 
@@ -147,6 +149,9 @@
 %{_includedir}/tirpc/un-namespace.h
 
 %changelog
+* Thu Jan 24 2008 Steve Dickson  <steved at redhat.com> 0.1.7-15
+- Protect from buffer overflow in the GSS code. (bz 362121)
+
 * Mon Dec 17 2007 Steve Dickson  <steved at redhat.com> 0.1.7-14
 - Fixed typo in /etc/netconfig file (bz 414471)
 



