Gentoo's Bugzilla – Attachment 304769 Details for Bug 407603: <dev-python/pypam-0.5.0-r3: NULL-byte password triggers Double Free Corruption (CVE-2012-1502)
[patch] slightly more careful patch
pypam-0.5.0-cve-2012-1502.patch (text/plain), 1.50 KB, created by Marien Zwart (RETIRED) on 2012-03-10 01:24:41 UTC
>Only touch the "resp" pam_conv argument when that function succeeds. >Leaving it a dangling pointer can be harmful as some implementations >will try to free it for us. > >Patch by marienz@gentoo.org. > >--- PAMmodule.c >+++ PAMmodule.c >@@ -82,17 +82,23 @@ > Py_DECREF(respList); > return PAM_CONV_ERR; > } >- >- *resp = (struct pam_response *) malloc( >+ >+ /* pam_conv(3) says we "should not set *resp" on PAM_CONV_ERR. >+ * Some pam implementations will free it if we set it, others will not. >+ * So at the very least we need to not leave it dangling if we error out, >+ * but for robustness just only set it if we will exit successfully. >+ */ >+ >+ struct pam_response* myresp = (struct pam_response *) malloc( > PyList_Size(respList) * sizeof(struct pam_response)); > >- struct pam_response* spr = *resp; >+ struct pam_response* spr = myresp; > for (int i = 0; i < PyList_Size(respList); i++, spr++) { > PyObject* respTuple = PyList_GetItem(respList, i); > char* resp_text; > int resp_retcode = 0; > if (!PyArg_ParseTuple(respTuple, "si", &resp_text, &resp_retcode)) { >- free(*resp); >+ free(myresp); > Py_DECREF(respList); > return PAM_CONV_ERR; > } >@@ -100,7 +106,8 @@ > spr->resp_retcode = resp_retcode; > Py_DECREF(respTuple); > } >- >+ >+ *resp = myresp; > // Save this so we can free it later. > self->response_data = *resp; > self->response_len = PyList_Size(respList); >
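Review bot: In the first hunk (@@ -82,17 +82,23 @@), the result of malloc() assigned to myresp is never checked before spr = myresp is handed to the loop, so an allocation failure ends in a write through a NULL pointer at spr->resp_retcode. Add a check directly after the allocation that does Py_DECREF(respList) and returns PAM_BUF_ERR (or PAM_CONV_ERR) when myresp is NULL; because *resp is no longer touched before success, that path stays consistent with the pam_conv(3) rule quoted in the new comment. The PyArg_ParseTuple error path also frees only the array with free(myresp); if entries filled in on earlier iterations own heap memory, release them there as well.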
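Review bot: In the second hunk (@@ -100,7 +106,8 @@), the pointer published with *resp = myresp is also kept in self->response_data "so we can free it later", which leaves two owners for one allocation: the commit message itself notes that some PAM implementations free resp for us, and pam_conv(3) makes the caller of the conversation function responsible for releasing the response array on success. Please document which side frees the array after a successful return, or drop the saved copy, so the success path cannot be freed twice the way the error path was. The context line Py_DECREF(respTuple) deserves a follow-up too: PyList_GetItem returns a borrowed reference, so that decref releases a reference this function does not own.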