openpkg
/
openpkg-packages


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128
							Security patches regarding two issues discussed at
http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html

diff -Naur exim-4.43.orig/src/auths/auth-spa.c exim-4.43/src/auths/auth-spa.c
--- exim-4.43.orig/src/auths/auth-spa.c	2004-10-05 10:32:08.000000000 +0200
+++ exim-4.43/src/auths/auth-spa.c	2005-01-07 08:32:42.000000000 +0100
@@ -405,7 +405,7 @@
 }
 
 int
-spa_base64_to_bits (char *out, const char *in)
+spa_base64_to_bits (char *out, int outlength, const char *in)
 /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
 {
   int len = 0;
@@ -418,6 +418,8 @@
 
   do
     {
+      if (len >= outlength)
+        return (-1);
       digit1 = in[0];
       if (DECODE64 (digit1) == BAD)
        return (-1);
@@ -435,11 +437,15 @@
       ++len;
       if (digit3 != '=')
        {
+         if (len >= outlength)
+           return (-1);
          *out++ =
            ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
          ++len;
          if (digit4 != '=')
            {
+             if (len >= outlength)
+               return (-1);
              *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
              ++len;
            }
diff -Naur exim-4.43.orig/src/auths/auth-spa.h exim-4.43/src/auths/auth-spa.h
--- exim-4.43.orig/src/auths/auth-spa.h	2004-10-05 10:32:08.000000000 +0200
+++ exim-4.43/src/auths/auth-spa.h	2005-01-07 08:34:06.000000000 +0100
@@ -10,6 +10,9 @@
  * Samba project (by Andrew Tridgell, Jeremy Allison, and others).
  */
 
+/* December 2004: The spa_base64_to_bits() function has no length checking in
+it. I have added a check. PH */
+
 /* It seems that some systems have existing but different definitions of some
 of the following types. I received a complaint about "int16" causing
 compilation problems. So I (PH) have renamed them all, to be on the safe side.
@@ -75,7 +78,7 @@
 #define spa_request_length(ptr) (((ptr)->buffer - (uint8x*)(ptr)) + (ptr)->bufIndex)
 
 void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
-int spa_base64_to_bits(char *, const char *);
+int spa_base64_to_bits(char *, int, const char *);
 void spa_build_auth_response (SPAAuthChallenge *challenge,
        SPAAuthResponse *response, char *user, char *password);
 void spa_build_auth_request (SPAAuthRequest *request, char *user,
diff -Naur exim-4.43.orig/src/auths/spa.c exim-4.43/src/auths/spa.c
--- exim-4.43.orig/src/auths/spa.c	2004-10-05 10:32:08.000000000 +0200
+++ exim-4.43/src/auths/spa.c	2005-01-07 08:35:39.000000000 +0100
@@ -133,7 +133,7 @@
   return FAIL;
   }
 
-if (spa_base64_to_bits((char *)(&request), (const char *)(data)) < 0)
+if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0)
   {
   DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
   "request: %s\n", data);
@@ -153,7 +153,7 @@
   }
 
 /* dump client response */
-if (spa_base64_to_bits((char *)(&response), (const char *)(data)) < 0)
+if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0)
   {
   DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
   "response: %s\n", data);
@@ -319,7 +319,7 @@
        /* convert the challenge into the challenge struct */
        DSPA("\n\n%s authenticator: challenge (%s)\n\n",
                ablock->name, buffer + 4);
-       spa_base64_to_bits ((char *)(&challenge), (const char *)(buffer + 4));
+       spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4));
 
        spa_build_auth_response (&challenge, &response,
                CS username, CS password);
diff -Naur exim-4.43.orig/src/host.c exim-4.43/src/host.c
--- exim-4.43.orig/src/host.c	2004-10-05 10:32:08.000000000 +0200
+++ exim-4.43/src/host.c	2005-01-07 08:28:02.000000000 +0100
@@ -710,12 +710,18 @@
 
   if (*p == ':') p++;
 
-  /* Split the address into components separated by colons. */
+  /* Split the address into components separated by colons. The input address
+  is supposed to be checked for syntax. There was a case where this was
+  overlooked; to guard against that happening again, check here and crash if
+  there is a violation. */
 
   while (*p != 0)
     {
     int len = Ustrcspn(p, ":");
     if (len == 0) nulloffset = ci;
+    if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+      address);
     component[ci++] = p;
     p += len;
     if (*p == ':') p++;
diff -Naur exim-4.43.orig/src/lookups/dnsdb.c exim-4.43/src/lookups/dnsdb.c
--- exim-4.43.orig/src/lookups/dnsdb.c	2004-10-05 10:32:08.000000000 +0200
+++ exim-4.43/src/lookups/dnsdb.c	2005-01-07 08:28:38.000000000 +0100
@@ -125,7 +125,7 @@
 /* If the type is PTR, we have to construct the relevant magic lookup
 key. This code is now in a separate function. */
 
-if (type == T_PTR)
+if (type == T_PTR && string_is_ip_address(keystring, NULL))
   {
   dns_build_reverse(keystring, buffer);
   keystring = buffer;