Fix when an encryption key is supplied via the TELNET protocol, its length

is not validated before the key is copied into a fixed-size buffer. Security: FreeBSD-SA-11:08.telnetd, CVE-2011-4862 Feature safe: yes
svn path=/head/; revision=288079
2011-12-26 21:38:58 +00:00 · 2011-12-26 21:38:58 +00:00 · bec162cca7 · 2021-03-31 03:12:20 +00:00
commit bec162cca7
parent 67ccc7ba0d
2 changed files with 13 additions and 0 deletions
--- a/security/krb5-appl/Makefile
+++ b/security/krb5-appl/Makefile
@ -7,6 +7,7 @@

 PORTNAME=		krb5-appl
 PORTVERSION=		1.0.2
+PORTREVISION=		1
 CATEGORIES=		security
 MASTER_SITES=		http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
 # PATCH_SITES=		http://web.mit.edu/kerberos/advisories/
--- a/security/krb5-appl/files/patch-telnet-libtelnet-encrypt.c
+++ b/security/krb5-appl/files/patch-telnet-libtelnet-encrypt.c
@ -0,0 +1,12 @@
+--- telnet/libtelnet/encrypt.c.orig	2009-11-05 12:15:06.000000000 -0800
+++ telnet/libtelnet/encrypt.c	2011-12-26 12:59:08.261571642 -0800
+@@ -757,6 +757,9 @@
+ 	int dir = kp->dir;
+ 	register int ret = 0;
+ 
+	if (len > MAXKEYLEN)
+		len = MAXKEYLEN;
+
+ 	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
+ 		if (len == 0)
+ 			return;