-rw-r--r-- | patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch b/patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch
new file mode 100644
index 0000000..7db9d0e
--- /dev/null
+++ b/patchsets/skey/1.1.5/16_all_skeylogin-len-check.patch
@@ -0,0 +1,24 @@
+From OpenBSD.
+
+Author: millert <millert@openbsd.org>
+Date: Wed, 15 Mar 2023 17:01:35 +0000
+
+ Fix the length check when computing a fake challenge for users not in
+ the S/Key database. If the system hostname is longer than 126 characters
+ this could result in NUL bytes being written past the end of a stack
+ buffer. There is no impact on systems with a hostname 126 characters or
+ less. Found by Qualys. OK deraadt@
+
+--- skey-1.1.5/skeylogin.c
++++ skey-1.1.5/skeylogin.c
+@@ -486,8 +486,8 @@
+ for (p = pbuf; *p && isalnum((u_char)*p); p++)
+ if (isalpha((u_char)*p) && isupper((u_char)*p))
+ *p = tolower((u_char)*p);
+- if (*p && pbuf - p < 4)
+- strncpy(p, "asjd", 4 - (pbuf - p));
++ if (*p && p - pbuf < 4)
++ strncpy(p, "asjd", 4 - (p - pbuf));
+ pbuf[4] = '\0';
+
+ /* Hash the username if possible */ |
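Review bot: The patch header records the origin only as "From OpenBSD." with an author and date, so there is no upstream revision or URL against which this backport can be compared when the patchset is audited or rebased. Add a header line such as `Upstream: <URL or CVS revision of skeylogin.c>` above the description. The inner hunk shows only the filler write: the declaration of `pbuf` and the call that fills it lie outside these lines, so the 126-character threshold quoted in the description cannot be confirmed from the hunk itself. The corrected `strncpy` length `4 - (p - pbuf)` stays positive only because the guard `p - pbuf < 4` on the line above uses the same operand order, so the two lines must be kept in step if the backport is ever re-diffed by hand.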