Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 1 | Upstream-Status: Backport |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 2 | CVE: CVE-2015-7696 |
Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 3 | Signed-off-by: Tudor Florea <tudor.flore@enea.com> |
| 4 | |
| 5 | From 68efed87fabddd450c08f3112f62a73f61d493c9 Mon Sep 17 00:00:00 2001 |
| 6 | From: Petr Stodulka <pstodulk@redhat.com> |
| 7 | Date: Mon, 14 Sep 2015 18:23:17 +0200 |
| 8 | Subject: [PATCH 1/2] upstream fix for heap overflow |
| 9 | |
| 10 | https://bugzilla.redhat.com/attachment.cgi?id=1073002 |
| 11 | --- |
| 12 | crypt.c | 12 +++++++++++- |
| 13 | 1 file changed, 11 insertions(+), 1 deletion(-) |
| 14 | |
| 15 | diff --git a/crypt.c b/crypt.c |
| 16 | index 784e411..a8975f2 100644 |
| 17 | --- a/crypt.c |
| 18 | +++ b/crypt.c |
| 19 | @@ -465,7 +465,17 @@ int decrypt(__G__ passwrd) |
| 20 | GLOBAL(pInfo->encrypted) = FALSE; |
| 21 | defer_leftover_input(__G); |
| 22 | for (n = 0; n < RAND_HEAD_LEN; n++) { |
| 23 | - b = NEXTBYTE; |
| 24 | + /* 2012-11-23 SMS. (OUSPG report.) |
| 25 | + * Quit early if compressed size < HEAD_LEN. The resulting |
| 26 | + * error message ("unable to get password") could be improved, |
| 27 | + * but it's better than trying to read nonexistent data, and |
| 28 | + * then continuing with a negative G.csize. (See |
| 29 | + * fileio.c:readbyte()). |
| 30 | + */ |
| 31 | + if ((b = NEXTBYTE) == (ush)EOF) |
| 32 | + { |
| 33 | + return PK_ERR; |
| 34 | + } |
| 35 | h[n] = (uch)b; |
| 36 | Trace((stdout, " (%02x)", h[n])); |
| 37 | } |
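Review bot: the early return PK_ERR inside the loop exits after GLOBAL(pInfo->encrypted) = FALSE and defer_leftover_input(__G) have already run just above it, so this adds a path that leaves the encrypted flag cleared and the leftover input deferred. Please confirm that every caller treats PK_ERR from decrypt() as fatal for the entry, or restore that state before returning. Two smaller points: the test (b = NEXTBYTE) == (ush)EOF only matches if b is declared as ush (the declaration is outside this hunk; with a wider signed type the cast constant would never compare equal), and the comment says HEAD_LEN while the loop bound is RAND_HEAD_LEN, so using the same name in both places would avoid confusion.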
| 38 | -- |
| 39 | 2.4.6 |