git: f8c431634285 - main - security/heimdal: Fix uninitialized pointer dereference

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Thu, 14 Mar 2024 22:12:57 UTC
The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f8c4316342857a4fa4a05c1cb6ab16992faddb69

commit f8c4316342857a4fa4a05c1cb6ab16992faddb69
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-11-26 16:27:08 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-03-14 22:12:36 +0000

    security/heimdal: Fix uninitialized pointer dereference
    
    krb5_ret_principal() returns a non-zero return code when
    a garbage principal is passed to it. Unfortunately ret_principal_ent()
    does not check the return code, with garbage pointing to what would
    have been the principal. This results in a segfault when free() is
    called.
    
    PR:             267944, 267972
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFH:            2024Q1
---
 security/heimdal/Makefile                         |  2 +-
 security/heimdal/files/patch-lib_kadm5_marshall.c | 31 +++++++++++++++++++++--
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile
index cdef0c697067..3508ad2f8f0c 100644
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	heimdal
 PORTVERSION=	7.8.0
-PORTREVISION=	7
+PORTREVISION=	8
 CATEGORIES=	security
 MASTER_SITES=	https://github.com/heimdal/heimdal/releases/download/${DISTNAME}/
 
diff --git a/security/heimdal/files/patch-lib_kadm5_marshall.c b/security/heimdal/files/patch-lib_kadm5_marshall.c
index d44311d5edbf..8e01bbe30354 100644
--- a/security/heimdal/files/patch-lib_kadm5_marshall.c
+++ b/security/heimdal/files/patch-lib_kadm5_marshall.c
@@ -1,6 +1,33 @@
 --- lib/kadm5/marshall.c.orig	2022-09-15 16:54:19.000000000 -0700
-+++ lib/kadm5/marshall.c	2022-11-24 08:47:40.099673000 -0800
-@@ -407,10 +407,40 @@
++++ lib/kadm5/marshall.c	2022-11-26 08:20:41.302104000 -0800
+@@ -261,9 +261,9 @@
+     int i;
+     int32_t tmp;
+ 
+-    if (mask & KADM5_PRINCIPAL)
+-	krb5_ret_principal(sp, &princ->principal);
+-
++    if (mask & KADM5_PRINCIPAL) 
++	if (krb5_ret_principal(sp, &princ->principal))
++	    return EINVAL;
+     if (mask & KADM5_PRINC_EXPIRE_TIME) {
+ 	krb5_ret_int32(sp, &tmp);
+ 	princ->princ_expire_time = tmp;
+@@ -282,9 +282,10 @@
+     }
+     if (mask & KADM5_MOD_NAME) {
+ 	krb5_ret_int32(sp, &tmp);
+-	if(tmp)
+-	    krb5_ret_principal(sp, &princ->mod_name);
+-	else
++	if(tmp) {
++	    if (krb5_ret_principal(sp, &princ->mod_name))
++		return EINVAL;
++	} else
+ 	    princ->mod_name = NULL;
+     }
+     if (mask & KADM5_MOD_TIME) {
+@@ -407,10 +408,40 @@
      ret = krb5_ret_int32(sp, &mask);
      if (ret)
  	goto out;