Add fix for CVE-2007-3999 #214208 by Robert Buchholz.

(Portage version: 2.2_pre5)

1 files changed, 35 insertions, 0 deletions

diff --git a/net-libs/libtirpc/files/libtirpc-0.1.7-CVE-2007-3999.patch b/net-libs/libtirpc/files/libtirpc-0.1.7-CVE-2007-3999.patch
new file mode 100644
index 000000000000..b9a7aa4f21f1
--- /dev/null
+++ b/net-libs/libtirpc/files/libtirpc-0.1.7-CVE-2007-3999.patch
@@ -0,0 +1,35 @@
+commit 3cf1a3ce1a409e647f9b8ca4497c26e6d066f293
+Author: Steve Dickson <steved@redhat.com>
+Date:   Thu Jan 24 15:01:22 2008 -0500
+
+    Protect from buffer overflow in the GSS code.
+    
+    Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff -up libtirpc-0.1.7/src/svc_auth_gss.c.orig libtirpc-0.1.7/src/svc_auth_gss.c
+--- libtirpc-0.1.7/src/svc_auth_gss.c.orig	2008-01-24 14:41:21.000000000 -0500
++++ libtirpc-0.1.7/src/svc_auth_gss.c	2008-01-24 14:59:31.000000000 -0500
+@@ -294,6 +294,15 @@ svcauth_gss_validate(struct svc_rpc_gss_
+ 	memset(rpchdr, 0, sizeof(rpchdr));
+ 
+ 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
++	oa = &msg->rm_call.cb_cred;
++	if (oa->oa_length > MAX_AUTH_BYTES)
++		return (FALSE);
++	
++	/* 8 XDR units from the IXDR macro calls. */
++	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
++			RNDUP(oa->oa_length)))
++		return (FALSE);
++
+ 	buf = (int32_t *)rpchdr;
+ 	IXDR_PUT_LONG(buf, msg->rm_xid);
+ 	IXDR_PUT_ENUM(buf, msg->rm_direction);
+@@ -301,7 +310,6 @@ svcauth_gss_validate(struct svc_rpc_gss_
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
+-	oa = &msg->rm_call.cb_cred;
+ 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
+ 	IXDR_PUT_LONG(buf, oa->oa_length);
+ 	if (oa->oa_length) {