From acaacf18749b4b2d89b89d56009262e40f53a76f Mon Sep 17 00:00:00 2001
From: Ulrich Müller
Date: Thu, 16 Mar 2023 22:23:30 +0100
Subject: skey: Fix length check in skeylogin.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Ulrich Müller
---
.../skey/1.1.5/16_all_skeylogin-len-check.patch | 24 ++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch

diff --git a/patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch b/patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch
new file mode 100644
index 0000000..7db9d0e
--- /dev/null
+++ b/patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch
@@ -0,0 +1,24 @@
+From OpenBSD.
+
+Author: millert
+Date: Wed, 15 Mar 2023 17:01:35 +0000
+
+ Fix the length check when computing a fake challenge for users not in
+ the S/Key database. If the system hostname is longer than 126 characters
+ this could result in NUL bytes being written past the end of a stack
+ buffer. There is no impact on systems with a hostname 126 characters or
+ less. Found by Qualys. OK deraadt@
+
+--- skey-1.1.5/skeylogin.c
++++ skey-1.1.5/skeylogin.c
+@@ -486,8 +486,8 @@
+ for (p = pbuf; *p && isalnum((u_char)*p); p++)
+ if (isalpha((u_char)*p) && isupper((u_char)*p))
+ *p = tolower((u_char)*p);
+- if (*p && pbuf - p < 4)
+- strncpy(p, "asjd", 4 - (pbuf - p));
++ if (*p && p - pbuf < 4)
++ strncpy(p, "asjd", 4 - (p - pbuf));
+ pbuf[4] = '\0';
+
+ /* Hash the username if possible */
--
cgit v1.2.3-65-gdbad
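Review bot: The corrected guard on the new-side line `if (*p && p - pbuf < 4)` still passes a signed pointer difference to strncpy as its length, so the copy is bounded only because the guard and the length expression now agree on operand order, which is precisely what the removed lines got wrong. As this is a verbatim import from OpenBSD, keeping the code identical to upstream is reasonable, but the patch header would be easier to audit with a sentence such as `p only advances from pbuf, so 0 <= p - pbuf < 4 here and strncpy writes at most up to pbuf[3]`. The hunk also depends on pbuf holding at least five bytes and being NUL-terminated before the loop starts; both are established outside the hunk (presumably by the declaration and the hostname lookup the description refers to) and should be confirmed against the 1.1.5 sources this patchset targets. Note too that when the loop stops at the terminator rather than at a non-alphanumeric character, no filler is written and the string stays shorter than four characters; that is unchanged by this commit, but worth a line in the header if it is intended.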